Critical Ransomware Risk to Unpatched SonicWall SRA & SMA 8.X

July 18, 2021

SonicWall has released an URGENT security notice concerning a risk to unpatched end-of-life SRA & SMA remote access devices.

A HelloKitty Ransomware campaign targets SRA and SMA devices running 8.x firmware.

Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.

SonicWall SMA and SRA are solutions which provide organizations with a clientless method of access to applications and network resources specifically for remote and mobile employees.

Vulnerability Targeted by HelloKitty Campaign

A vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version and earlier. It is exploited by the HelloKitty campaign.

Mitigation (Temporary)

CYREBRO recommends reviewing the official security notice by SonicWall which contains detailed mitigation solutions and procedures.

Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below.

  • SRA 4600/1600 (EOL 2019)
    • Disconnect immediately
    • Reset passwords
  • SRA 4200/1200 (EOL 2016)
    • Disconnect immediately
    • Reset passwords
  • SSL-VPN 200/2000/400 (EOL 2013/2014)
    • Disconnect immediately
    • Reset passwords
  • SMA 400/200 (Still Supported, in Limited Retirement Mode)
    • Update to or immediately
    • Reset passwords
    • Enable MFA

While not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.

  • SMA 210/410/500v (Actively Supported)
    • Firmware 9.x should immediately update to 0.0.10-28sv or later
    • Firmware 10.x should immediately update to 2.0.7-34sv or later

The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk.

References: SonicWall Security Notice
