Critical SonicWall SSLVPN bug exploited in ransomware attacks


Ransomware affiliates are exploiting a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims’ networks.

Tracked as CVE-2024-40766, this improper access control flaw affects Gen 5, Gen 6, and Gen 7 firewalls. SonicWall patched it on August 22 and warned that it only affected the firewalls’ management access interface.

However, on Friday, SonicWall revealed that the security vulnerability also affected the firewall’s SSLVPN feature and was now being exploited in attacks. The company urged customers to “apply the patch as soon as possible for affected products” without sharing details about in-the-wild exploitation.

The same day, Arctic Wolf security researchers linked the attacks to Akira ransomware affiliates, who targeted SonicWall devices to gain initial access to their victims’ networks.

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” said Stefan Hostetler, a Senior Threat Intelligence Researcher at Arctic Wolf.

“Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766.”

Cybersecurity firm Rapid7 also observed ransomware groups targeting SonicWall SSLVPN accounts in recent incidents but said that “evidence linking CVE-2024-40766 to these incidents is still circumstantial.”

Arctic Wolf and Rapid7 echoed SonicWall’s warning and urged admins to upgrade to the latest SonicOS firmware version as soon as possible.

Federal agencies ordered to patch by September 30

CISA followed suit on Monday, adding the critical access control flaw to its Known Exploited Vulnerabilities catalog and ordering federal agencies to secure vulnerable SonicWall firewalls on their networks within three weeks, by September 30, as mandated by Binding Operational Directive (BOD) 22-01.

SonicWall’s mitigation recommendations include restricting firewall management and SSLVPN access to trusted sources and disabling internet access whenever possible. Admins should also enable multi-factor authentication (MFA) for all SSLVPN users, using TOTP or email-based one-time passwords (OTPs).
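The two conditions Arctic Wolf reported on compromised devices (accounts local to the firewall, MFA disabled) and the two SonicWall mitigations above (MFA for every SSLVPN user, access only from trusted sources) can be turned into a quick audit. The following is an added example, not SonicWall's or Arctic Wolf's code; the CSV account export, the login records and the trusted ranges are constructed here and do not reflect any real SonicOS export format, so an admin would adapt the column names to whatever their own export actually contains.

```python
import csv
import io
import ipaddress

# Constructed sample account export (assumed column layout, NOT a real SonicOS format).
SAMPLE_USERS_CSV = """username,auth_source,mfa,sslvpn_enabled
admin,local,none,yes
svc_backup,local,none,yes
jdoe,ldap,totp,yes
mwilson,local,email_otp,yes
legacy_vpn,local,none,no
"""

# Constructed trusted source ranges (documentation/private prefixes used as placeholders).
SAMPLE_ALLOWED_SOURCES = ["10.0.0.0/8", "203.0.113.0/24"]

# Constructed SSLVPN login records as (username, source IP) pairs.
SAMPLE_LOGINS = [
    ("admin", "198.51.100.23"),
    ("jdoe", "10.20.30.40"),
    ("svc_backup", "203.0.113.7"),
]


def find_risky_accounts(csv_text):
    """Return SSLVPN-enabled accounts that are local to the device and have no MFA.

    This is the exact combination Arctic Wolf saw on the compromised firewalls:
    local (non-directory) accounts with MFA disabled.
    """
    risky = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sslvpn_enabled"].strip().lower() != "yes":
            continue  # account cannot reach the SSLVPN portal; not in scope
        local = row["auth_source"].strip().lower() == "local"
        no_mfa = row["mfa"].strip().lower() in ("", "none")
        if local and no_mfa:
            risky.append(row["username"])
    return risky


def logins_from_untrusted_sources(logins, allowed_cidrs):
    """Return (user, ip) pairs whose source address is outside every trusted range.

    Supports the 'restrict SSLVPN access to trusted sources' recommendation by
    showing which sessions would have been blocked by such a policy.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for user, ip in logins:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            flagged.append((user, ip))
    return flagged


if __name__ == "__main__":
    for name in find_risky_accounts(SAMPLE_USERS_CSV):
        print(f"local SSLVPN account without MFA: {name}")
    for user, ip in logins_from_untrusted_sources(SAMPLE_LOGINS, SAMPLE_ALLOWED_SOURCES):
        print(f"SSLVPN login from untrusted source: {user} from {ip}")
```

On the constructed data the audit flags `admin` and `svc_backup` (local, no MFA, SSLVPN enabled) and one login by `admin` from outside the trusted ranges; `mwilson` passes because email OTP is configured, and `legacy_vpn` is ignored because it cannot use SSLVPN at all.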

Attackers frequently target SonicWall devices and appliances in cyber espionage and ransomware attacks. For instance, SonicWall PSIRT and Mandiant revealed last year that suspected Chinese hackers (UNC4540) installed malware that survived firmware upgrades on unpatched SonicWall Secure Mobile Access (SMA) appliances.

Several ransomware gangs, including HelloKitty and FiveHands, now joined by Akira, have also exploited SonicWall security bugs to gain initial access to their victims’ corporate networks.

SonicWall serves over 500,000 business customers across 215 countries and territories, including government agencies and some of the world’s largest companies.
