Skip to main content

SonicWall devices targeted with ransomware utilising stolen credentials

SonicWall devices are being targeted by a malicious cyber actor as targets for ransomware. The ACSC is aware of likely related activity targeting Australian organisations.

Alert status

Background /What has happened?

SonicWall, a network and cyber security appliance vendor, is reporting that ransomware activity is currently targeting their Secure Mobile Access (SMA) 100 series comprised of SMA 200, 210, 400, 410 physical appliances and the SMA 500v virtual appliance) and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware versions. This ransomware activity is reported by SonicWall as abusing stolen credentials.

The ACSC is aware of stolen credentials affecting Australian organisations that were likely the result of unpatched and end-of-life SonicWall devices running 8.x firmware being exploited.

The ACSC has previously issued an alert on a remote credential access vulnerability affecting SonicWall products.

Update 29 July 2021

This alert update clarifies that only end-of-life and selected unpatched devices are vulnerable to this activity.

Mitigation / How do I stay secure? 

Australian organisations should review their networks for the presence of affected SonicWall products which are outlined in the security notice from SonicWall. If vulnerable products are identified, Australian organisations should review and implement the recommended mitigations provided by SonicWall.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.


Was this information helpful?
Was this information helpful?

Thanks for your feedback!


Tell us why this information was helpful and we’ll work on making more pages like it