Threat Update
A ransomware campaign using stolen credentials is actively targeting networking device maker SonicWall’s Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. The exploitation targets a known vulnerability that has been patched in newer versions of the firmware. Depending on the product, readers can remediate by applying updates, changing passwords, or disconnecting devices.
Technical Detail & Additional Information
WHAT IS THE THREAT?
A ransomware group, UNC2447, is exploiting at least three known vulnerabilities in SonicWall SRA 4600 and SMA 100 devices: CVE-2019-7481, CVE-2019-7482, and CVE-2021-20016. By gaining access to a target system using stolen credentials, the threat actor deploys their ransomware of choice, encrypts the compromised system, and demands a ransom. UNC2447 has successfully used this approach against several organizations across Europe and North America, deploying the “FiveHands” ransomware and pressuring target organizations to pay the ransom by threatening to expose data to the media and sell it in hacker forums.
WHY IS IT NOTEWORTHY?
More than 100 organizations have been targeted by FiveHands ransomware via SonicWall vulnerabilities. Although patches have been available for the SMA 100 series remote access vulnerability since February 2021, some organizations continue to use unpatched and end-of-life (EOL) products. This is a prime example of the urgency of keeping all products and services, particularly those with security applications, patched and updated. Using EOL products and services presents a persistent security risk to your organization.
WHAT IS THE EXPOSURE OR RISK?
SMA 100 series and older SRA series appliances running unpatched and end-of-life (EOL) 8.x firmware are at risk of exploitation. See the following lists of current SMA products and EOL products to check whether your products may be affected. SMA 1000 series products are not affected.
WHAT ARE THE RECOMMENDATIONS?
It is critical to note that if your organization is using a legacy SRA appliance that is past EOL status and cannot update to 9.x firmware, continued use may result in ransomware exploitation. Please update to the latest available SRA and SMA firmware immediately. Specific recommendations for various releases are as follows:
- SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016) or SSL-VPN 200/2000/400 (EOL 2013/2014) should be disconnected, with all associated passwords changed immediately.
- SMA 400/200 (Still Supported, in Limited Retirement Mode) should be updated to 10.2.0.7-34 or 9.0.0.10, passwords reset, and MFA enabled immediately.
- To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, SonicWall is providing a complimentary virtual SMA 500v until October 31, 2021. Guides for Hyper-V and ESXi are available along with a configuration migration tool.
While not part of the campaign targeting SRA/SMA firmware 8.x, customers with SMA 210/410/500v (Actively Supported) should also ensure that they have the latest version of firmware to mitigate vulnerabilities discovered in early 2021:
- Firmware 9.x should be updated to 9.0.0.10-28sv or later.
- Firmware 10.x should be updated to 10.2.0.7-34sv or later.
All users are recommended to:
- Enable MFA.
- Reset all credentials associated with SMA and SRA devices along with any systems sharing the same credentials.
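The following script is an added example (not part of this advisory or any SonicWall tooling) that applies the recommendations above to an appliance inventory: legacy SRA/SSL-VPN models are flagged for disconnection, supported SMA models are compared against the firmware floors listed above, and SMA 1000 is marked not affected. The model labels, the firmware-string format "a.b.c.d-NNsv" and the sample inventory rows are assumptions constructed for illustration.

```python
"""Triage a SonicWall SRA/SMA inventory against this advisory's actions.
Constructed example: model names and firmware floors are typed from the
advisory text; they are not taken from any SonicWall API."""
import re

# Legacy appliances the advisory says to disconnect and re-credential.
EOL_DISCONNECT = {"SRA 4600", "SRA 1600", "SRA 4200", "SRA 1200",
                  "SSL-VPN 200", "SSL-VPN 2000", "SSL-VPN 400"}
# Minimum firmware per branch (major version) for supported models.
MIN_FIRMWARE = {
    "SMA 400": {9: "9.0.0.10", 10: "10.2.0.7-34"},
    "SMA 200": {9: "9.0.0.10", 10: "10.2.0.7-34"},
    "SMA 210": {9: "9.0.0.10-28sv", 10: "10.2.0.7-34sv"},
    "SMA 410": {9: "9.0.0.10-28sv", 10: "10.2.0.7-34sv"},
    "SMA 500v": {9: "9.0.0.10-28sv", 10: "10.2.0.7-34sv"},
}

def parse_version(fw: str) -> tuple:
    """'10.2.0.7-34sv' -> (10, 2, 0, 7, 34); a missing build counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)(?:sv)?)?", fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(model: str, firmware: str) -> str:
    """Return the advisory action for one appliance."""
    if model.startswith("SMA 1000"):
        return "not affected"
    if model in EOL_DISCONNECT:
        return "disconnect; change all associated passwords"
    if model not in MIN_FIRMWARE:
        return "unknown model; review manually"
    ver = parse_version(firmware)
    floor = MIN_FIRMWARE[model].get(ver[0])  # branch chosen by major version
    if floor is None or ver < parse_version(floor):  # 8.x has no floor: update
        return "update firmware; reset passwords; enable MFA"
    return "firmware current; confirm MFA and credential reset"

def triage_inventory(rows):
    """rows: (hostname, model, firmware) tuples -> {hostname: action}."""
    return {host: triage(model, fw) for host, model, fw in rows}

# Constructed sample inventory, one row per advisory case.
SAMPLE = [("vpn-old", "SRA 4600", "8.1.0.4-22sv"),
          ("vpn-a", "SMA 400", "8.6.0.1-18sv"),
          ("vpn-b", "SMA 410", "9.0.0.9-26sv"),
          ("vpn-c", "SMA 500v", "10.2.0.7-34sv")]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host:8} {action}")
```

Even appliances reported as current still fall under the MFA and credential-reset recommendations above, which is why the "current" action repeats them.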
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/article/sonicwall-releases-urgent-notice-about-imminent-ransomware-targeting-firmware/
- https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/
- https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-sonicwall-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2019-7481
- https://nvd.nist.gov/vuln/detail/CVE-2019-7482
- https://nvd.nist.gov/vuln/detail/CVE-2021-20016
- fireye.com/link
If you have any questions, please contact our Security Operations Center.