A recently discovered vulnerability in SonicWall’s SonicOS firmware has been exploited by ransomware operators to gain unauthorized access to targeted networks, compromising the security of affected organizations.
Tracked as CVE-2024-40766, the improper access control vulnerability affects all Gen 5, Gen 6, and Gen 7 firewalls. SonicWall disclosed it on August 22, initially stating that its only impact was on the firewalls’ management access interface.
On Friday, however, SonicWall revealed that the previously disclosed security vulnerability also affects the firewalls’ SSLVPN feature and is being exploited in attacks. The company urged customers to “install the security update at the earliest opportunity for impacted products” but did not disclose details of the in-the-wild exploitation.
On the same day, researchers at Arctic Wolf uncovered attacks by Akira ransomware affiliates, who targeted SonicWall devices to gain initial access to their victims’ networks.
According to Stefan Hostetler, a Senior Risk Intelligence Researcher at Arctic Wolf, all of the compromised accounts were local to the affected devices themselves rather than integrated with a centralized authentication system such as Microsoft Active Directory.
Notably, MFA had been disabled for all of the compromised accounts, and the SonicOS firmware on the affected devices had not been updated, leaving them on versions known to be vulnerable to CVE-2024-40766.
Rapid7 has identified ransomware operators targeting SonicWall SSLVPN accounts, but emphasizes that the link between this activity and the CVE-2024-40766 vulnerability remains circumstantial.
Arctic Wolf and Rapid7 echoed SonicWall’s guidance, advising administrators to update their devices to the latest SonicOS firmware version without delay.
Federal agencies directed to expedite security patches by September 30th.
The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog on Monday, directing federal agencies to remediate it on any SonicWall firewalls on their networks within three weeks, by September 30, in accordance with Binding Operational Directive (BOD) 22-01.
To mitigate the vulnerability, SonicWall recommends restricting management access to trusted sources only and disabling web-based management wherever it is not needed. Administrators are also advised to review and update, as necessary, all SSL VPN users who authenticate with Time-Based One-Time Passwords (TOTP) or email-based one-time passwords.
Cybercriminals frequently target SonicWall devices and home networks as part of their cyber espionage and ransomware attack strategies.
Last year, SonicWall’s Product Security Incident Response Team (PSIRT) and Mandiant jointly disclosed that suspected Chinese hackers (UNC4540) had exploited unpatched SonicWall Secure Mobile Access (SMA) devices, maintaining access that survived firmware upgrades.
Ransomware gangs, including several notorious groups now joined by Akira, have also leveraged previously undisclosed SonicWall vulnerabilities to gain initial access to their targets’ corporate networks.
SonicWall provides security solutions to more than 500,000 enterprise customers in 215 countries and territories, including government agencies and some of the world’s largest corporations.