
SonicWall pins firewall attack spree on year-old vulnerability

The vendor ruled out a zero-day vulnerability as the root cause, disputing initial assessments from third-party researchers. Fewer than 40 organizations have been impacted since mid-July.
[Image: SonicWall's headquarters in Milpitas, California. (Getty Images)]

SonicWall insists a spree of ransomware attacks hitting its Gen 7 firewalls is not linked to a zero-day vulnerability, but rather to a critical defect the company disclosed and patched last summer in its network security operating system.

The vendor disputed initial assessments from outside researchers suggesting the speed and scale of the attacks pointed to a potential zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector. “SonicWall has thoroughly investigated the matter, and based on current findings, we have high confidence that this activity is related to CVE-2024-40766,” SonicWall said in a statement, adding the defect is “not a new zero-day or unknown vulnerability.”

Conflicting theories and broad uncertainty surrounding the root cause of the latest series of attacks highlight the challenges security experts confront as they scramble to identify and remediate defects under attack in the wild. Arctic Wolf researchers previously noted the activity was similar to prior attacks involving CVE-2024-40766. 

SonicWall said fewer than 40 organizations have been impacted by the attacks, which started in mid-July and increased in pace over the next couple of weeks. Two other cybersecurity companies, Huntress and GuidePoint Research, also capped their estimated victim count at under 40.


Many of the attacks involve customers that recently migrated from Gen 6 to Gen 7 firewalls without resetting passwords, SonicWall said in its updated blog post. The company did not say how many impacted customers were running firewalls without the previously issued patch for CVE-2024-40766.

SonicWall disclosed the improper access control vulnerability in SonicOS, which has a CVSS score of 9.8, on Aug. 22, 2024. The defect was added to the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog on Sept. 9, 2024, and the agency confirmed it has been used in ransomware campaigns.

SonicWall did not respond to a request for comment.

“It’s unclear if this CVE is the actual underlying issue in all of the cases we’ve seen,” Jamie Levy, director of adversary tactics at Huntress, said in an email. “We continue to see some exploitation of SonicWall devices on our end, but it’s unclear if they are patched or have outdated configurations.”

Huntress confirmed some impacted customers migrated to Gen 7 with older configurations, but one impacted organization told Huntress their SonicWall devices — which were new Gen 7 installs, not migrations from the previous generation — were compromised. “It’s possible that there are other vulnerabilities or misconfigurations at play,” Levy said. 


Most of the customers impacted by this series of attacks had already applied the patch for CVE-2024-40766, she added. “The vast majority of these attacks have tried to detonate ransomware, mostly Akira.”

Researchers at GuidePoint Security and Arctic Wolf also attributed the recent attacks to Akira ransomware affiliates. “We are not aware of any other groups involved in this campaign, but cannot altogether rule it out,” Jason Baker, managing security consultant on GuidePoint’s research and intelligence team, said in an email.

GuidePoint hasn’t analyzed the technical root cause of the attacks, but has “no reason to believe that SonicWall’s response is disingenuous or incomplete at this time,” Baker said.

Akira affiliates typically steal data and encrypt systems before they attempt to extort victims for a decryptor and to prevent the release of stolen data. Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year.

SonicWall’s updated guidance advises customers to change credentials and upgrade to SonicOS 7.3.0, which includes additional multifactor authentication controls. The company pulled previous guidance encouraging customers to disable SSLVPN on Gen 7 firewalls. 


“If any local administrator accounts have been compromised through CVE-2024-40766, attackers may exploit administrative features such as packet capture, debugging, logging, configuration backup, or MFA control to obtain additional credentials, monitor traffic or weaken the overall security posture,” SonicWall said.
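The guidance above reduces to a handful of per-device checks: is the CVE-2024-40766 fix applied, is the firewall on SonicOS 7.3.0 or later, were local credentials reset if the configuration was carried over from a Gen 6 unit, and is multifactor authentication turned on. The script below is an added example written for this article, not SonicWall tooling, that runs those checks over an inventory. The inventory records, the version strings and the field names (model_gen, sonicos_version, migrated_from_gen6, creds_reset_after_migration, mfa_enabled, patched_cve_2024_40766) are constructed for illustration; a real deployment would populate them from the management console or an asset database.

```python
"""Triage a Gen 7 firewall inventory against SonicWall's updated guidance.

Added example, not SonicWall's own tooling. All records below are constructed;
the field names are assumptions of this script, not a SonicWall schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SonicOS 7.3.0 is the release the updated guidance tells customers to move to.
MIN_SONICOS = (7, 3, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as '7.2.1-7015' into a comparable tuple.

    Anything after the first '-' (a build number, if present) is ignored so
    that only the major.minor.patch part is compared.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class Firewall:
    name: str
    model_gen: int                      # 6 or 7
    sonicos_version: str
    migrated_from_gen6: bool            # config imported from a Gen 6 unit
    creds_reset_after_migration: bool   # local passwords rotated post-import
    mfa_enabled: bool
    patched_cve_2024_40766: bool


def triage(fw: Firewall) -> List[str]:
    """Return the follow-up actions a firewall needs; an empty list means none."""
    actions: List[str] = []
    if fw.model_gen != 7:
        # The guidance is about Gen 7 units; flag others for separate handling.
        actions.append("not a Gen 7 device: review separately")
        return actions
    if not fw.patched_cve_2024_40766:
        actions.append("apply the SonicOS fix for CVE-2024-40766")
    if parse_version(fw.sonicos_version) < MIN_SONICOS:
        actions.append("upgrade to SonicOS 7.3.0 or later")
    if fw.migrated_from_gen6 and not fw.creds_reset_after_migration:
        # Credentials carried over from the Gen 6 config are the case the
        # vendor singled out; rotate every local account, not just admins.
        actions.append("reset all local credentials carried over from Gen 6")
    if not fw.mfa_enabled:
        actions.append("enable multifactor authentication")
    return actions


def triage_all(inventory: List[Firewall]) -> Dict[str, List[str]]:
    """Map each firewall name to its list of required actions."""
    return {fw.name: triage(fw) for fw in inventory}


# Constructed inventory for the example; not real devices or real build strings.
INVENTORY = [
    Firewall("edge-fw-01", 7, "7.3.0", True, True, True, True),
    Firewall("branch-fw-02", 7, "7.0.1-5161", True, False, False, True),
    Firewall("lab-fw-03", 7, "7.2.1-7015", False, False, True, False),
    Firewall("legacy-fw-04", 6, "6.5.4.15", False, False, False, True),
]

if __name__ == "__main__":
    for name, actions in triage_all(INVENTORY).items():
        status = "OK" if not actions else "; ".join(actions)
        print(f"{name}: {status}")
```

The version comparison is deliberately tuple-based rather than a string comparison, so that 7.10.0 sorts after 7.3.0; a naive string compare would get that wrong. The migration check only fires when both conditions hold (imported config and no credential reset), which matches the specific population SonicWall described.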

SonicWall customers have been hit by persistent attacks involving defects in the company’s firewalls and software. The vendor has appeared 14 times on CISA’s known exploited vulnerabilities catalog since late 2021.
