Ransomware associates exploit a important safety vulnerability in SonicWall SonicOS firewall units to breach victims’ networks.
Tracked as CVE-2024-40766, this improper entry management flaw impacts Gen 5, Gen 6, and Gen 7 firewalls. SonicWall patched it on August 22 and warned that it solely impacted the firewalls’ administration entry interface.
Nevertheless, on Friday, SonicWall revealed that the safety vulnerability additionally impacted the firewall’s SSLVPN characteristic and was now being exploited in assaults. The corporate warned clients to “apply the patch as soon as possible for affected products” with out sharing particulars relating to in-the-wild exploitation.
The identical day, Arctic Wolf safety researchers linked the assaults with Akira ransomware associates, who focused SonicWall units to achieve preliminary entry to their targets’ networks.
“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” mentioned Stefan Hostetler, a Senior Risk Intelligence Researcher at Arctic Wolf.
“Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.”
Cybersecurity outfit Rapid7 additionally noticed ransomware teams concentrating on SonicWall SSLVPN accounts in current incidents however mentioned that “evidence linking CVE-2024-40766 to these incidents is still circumstantial.”
Arctic Wolf and Rapid7 mirrored SonicWall’s warning and urged admins to improve to the newest SonicOS firmware model as quickly as attainable.
Federal companies ordered to patch by September 30
CISA adopted go well with on Monday, including the important entry management flaw to its Identified Exploited Vulnerabilities catalog, ordering federal companies to safe weak SonicWall firewalls on their networks inside three weeks by September 30, as mandated by Binding Operational Directive (BOD) 22-01.
SonicWall mitigation suggestions embrace limiting firewall administration and SSLVPN entry to trusted sources and disabling web entry every time attainable. Admins also needs to allow multi-factor authentication (MFA) for all SSLVPN customers utilizing TOTP or email-based one-time passwords (OTPs).
Attackers typically goal SonicWall units and home equipment in cyber espionage and ransomware assaults. For example, SonicWall PSIRT and Mandiant revealed final yr that suspected Chinese language hackers (UNC4540) put in malware that survived firmware upgrades on unpatched SonicWall Safe Cell Entry (SMA) home equipment.
A number of ransomware gangs, together with HelloKitty and FiveHands, now joined by Akira, have additionally exploited SonicWall safety bugs to achieve preliminary entry to their victims’ company networks.
SonicWall serves over 500,000 enterprise clients throughout 215 nations and territories, together with authorities companies and among the world’s largest firms.
