SonicWall investigates zero-day after ransomware wave

SonicWall is investigating a series of cyberattacks in which Gen 7 firewalls with SSL VPN services enabled have been hit by targeted ransomware campaigns. The affected devices run a range of firmware versions and, according to the company, were used by the attackers as their point of entry.

Reports of suspicious activity that may indicate a new security vulnerability have been received both internally and from external parties such as Arctic Wolf, Google Mandiant, and Huntress.

Since the end of July, there has been a clear increase in so-called pre-ransomware intrusions via SonicWall SSL VPNs. In these attacks, attackers first gain access to the network without immediately deploying ransomware. In many cases, the devices were fully patched, and even resetting login credentials and using multi-factor authentication proved insufficient to prevent compromise. Researchers therefore suspect the existence of a zero-day vulnerability.

Huntress recently reported that its Security Operations Center investigated several incidents in which attackers gained access to domain controllers within hours of the initial intrusion via a vulnerable device. Among other things, accounts were compromised, security tools were disabled, and ransomware was installed. In several cases, it appears to involve Akira ransomware, a variant that has previously exploited vulnerabilities in SonicWall systems.

MFA does not provide sufficient protection

Arctic Wolf confirmed similar findings and warned that MFA alone does not provide sufficient protection. In most cases, the attack does not involve automated tools, but rather manual, hands-on keyboard attacks, in which attackers actively and purposefully take over systems. This increases the severity and complexity of the incidents.

The recent attacks bear a strong resemblance to previous campaigns that exploited the CVE-2024-40766 vulnerability. According to Arctic Wolf, attackers usually move quickly after gaining access, which makes detection and response difficult. Organizations of all sizes are at risk, as ransomware groups operate opportunistically.

Google reported that fully patched but end-of-life SonicWall devices have also been exploited to install a backdoor and rootkit, possibly with the aim of data theft and extortion. There is a real possibility that an unknown remote code execution vulnerability was used in this attack.

Patches available soon

SonicWall has not yet confirmed a new vulnerability. However, the company has indicated that it will publish patches and recommendations as soon as possible once the cause has been established. In the meantime, the company advises disabling SSL VPN services where possible and restricting access to trusted IP addresses. It also recommends deleting unused accounts and enforcing a strict password and MFA policy.
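Two of the interim recommendations above (restrict access to trusted IP addresses, delete unused accounts) can be turned into a routine audit of the VPN authentication log. The script below is an added example written for this article; it is not SonicWall's code, and the log format and sample records are constructed for illustration, so the field mapping has to be adapted to the firewall's actual syslog output. It flags successful SSL VPN logins from outside an allowlist and lists accounts with no successful login in the last N days as candidates for removal.

```python
# Added example (not from the article or from SonicWall): audit constructed
# SSL VPN authentication records against a trusted-IP allowlist and report
# accounts that have not logged in recently. The record format
# "<ISO timestamp> <user> <source IP> <success|failure>" is invented for
# this example; real firewall syslog fields differ.
from datetime import datetime, timedelta
import ipaddress

# Assumed allowlist of networks from which VPN logins are expected.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed sample records (documentation-range addresses, fictional users).
SAMPLE_LOG = """\
2025-07-28T08:01:10Z alice 203.0.113.17 success
2025-07-28T09:15:42Z bob 198.51.100.8 success
2025-07-29T02:44:03Z svc-backup 192.0.2.99 success
2025-07-29T02:44:30Z svc-backup 192.0.2.99 success
2025-07-30T11:00:00Z carol 203.0.113.40 failure
"""

# Constructed list of all VPN-enabled accounts, including one never seen in the log.
ALL_ACCOUNTS = ["alice", "bob", "carol", "svc-backup", "old-contractor"]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the constructed record format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        records.append({
            "time": datetime.strptime(ts, TS_FORMAT),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return records


def is_trusted(ip):
    """True if the address falls inside any allowlisted network."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_logins(records):
    """Successful logins whose source address is outside the allowlist."""
    return [r for r in records if r["result"] == "success" and not is_trusted(r["ip"])]


def stale_accounts(records, all_accounts, now, max_idle_days=90):
    """Accounts with no successful login within max_idle_days before `now`."""
    last_seen = {}
    for r in records:
        if r["result"] == "success":
            prev = last_seen.get(r["user"], r["time"])
            last_seen[r["user"]] = max(prev, r["time"])
    cutoff = now - timedelta(days=max_idle_days)
    # Accounts never seen get datetime.min, so they are always reported.
    return sorted(u for u in all_accounts if last_seen.get(u, datetime.min) < cutoff)


def run_audit(log_text, all_accounts, now_iso, max_idle_days=90):
    """Run both checks and return a plain report dict."""
    records = parse_log(log_text)
    now = datetime.strptime(now_iso, TS_FORMAT)
    return {
        "untrusted_logins": [(r["user"], str(r["ip"])) for r in untrusted_logins(records)],
        "stale_accounts": stale_accounts(records, all_accounts, now, max_idle_days),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_LOG, ALL_ACCOUNTS, "2025-08-01T00:00:00Z")
    for user, ip in report["untrusted_logins"]:
        print(f"untrusted login: {user} from {ip}")
    for user in report["stale_accounts"]:
        print(f"stale account (no recent login): {user}")
```

On the constructed sample the audit reports the two svc-backup logins from 192.0.2.99 (outside the allowlist) and lists carol (only a failed login) and old-contractor (never seen) as stale. Feeding the same checks a daily export of real VPN logins gives a concrete list to act on, which is the point of the interim advice while no patch exists.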

This would be the second zero-day for SonicWall this year. This follows a critical vulnerability reported in January in the SMA 1000 product. It was likely exploited before a patch was available. A serious authentication bypass followed in February. It was quickly exploited after proof-of-concept code was shared.

According to Arctic Wolf, this confirms their earlier prediction that edge devices such as firewalls and VPN gateways are increasingly becoming the target of initial access in ransomware attacks. The current wave confirms that ransomware groups are exploiting vulnerabilities in access devices on a massive scale. These devices then serve as a springboard for broader attacks.