A targeted ransomware campaign by an unknown actor is exploiting a known vulnerability in some older SonicWall security appliances, and the company is warning customers still running those products that there are no real mitigations available right now.
SonicWall said the campaign is targeting several end-of-life appliances that are no longer supported or receiving firmware updates, including the Secure Mobile Access (SMA) 100 and the older Secure Remote Access line. The actors are exploiting a vulnerability in the 8.x firmware line.
“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware,” the company said in an advisory Wednesday.
“If your organization is using a legacy SRA appliance that is past end-of-life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation. The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk.”
SonicWall also warned customers running other older appliances that are not under active attack to disconnect them immediately and reset the credentials. Those products include the SRA 4600/1600 line, the SRA 4200/1200 line, and the SSL-VPN 200/2000/400 line. The SMA 400/200 line is still supported in a limited retirement mode, and customers using those appliances should upgrade the firmware immediately, enable MFA and reset the passwords.
The company did not specify which vulnerability the ransomware campaign is targeting or which actor is conducting the attacks.