Ransomware affiliates are exploiting a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims’ networks.
Tracked as CVE-2024-40766, this improper access control flaw affects Gen 5, Gen 6, and Gen 7 firewalls. SonicWall patched it on August 22 and warned that it only impacted the firewalls’ management access interface.
However, on Friday, SonicWall revealed that the security vulnerability also impacted the firewall’s SSLVPN feature and was now being exploited in attacks. The company warned customers to “apply the patch as soon as possible for affected products” without sharing details regarding in-the-wild exploitation.
The same day, Arctic Wolf security researchers linked the attacks with Akira ransomware affiliates, who targeted SonicWall devices to gain initial access to their targets’ networks.
“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” said Stefan Hostetler, a Senior Threat Intelligence Researcher at Arctic Wolf.
“Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766.”
Cybersecurity outfit Rapid7 also spotted ransomware groups targeting SonicWall SSLVPN accounts in recent incidents but said that “evidence linking CVE-2024-40766 to these incidents is still circumstantial.”
Arctic Wolf and Rapid7 mirrored SonicWall’s warning and urged admins to upgrade to the latest SonicOS firmware version as soon as possible.
Federal agencies ordered to patch by September 30
CISA followed suit on Monday, adding the critical access control flaw to its Known Exploited Vulnerabilities catalog and ordering federal agencies to secure vulnerable SonicWall firewalls on their networks within three weeks, by September 30, as mandated by Binding Operational Directive (BOD) 22-01.
SonicWall’s mitigation recommendations include restricting firewall management and SSLVPN access to trusted sources and disabling access to these interfaces from the internet whenever possible. Admins should also enable multi-factor authentication (MFA) for all SSLVPN users, using TOTP or email-based one-time passwords (OTPs).
Attackers often target SonicWall devices and appliances in cyber espionage and ransomware attacks. For instance, SonicWall PSIRT and Mandiant revealed last year that suspected Chinese hackers (UNC4540) installed malware that survived firmware upgrades on unpatched SonicWall Secure Mobile Access (SMA) appliances.
Multiple ransomware gangs, including HelloKitty and FiveHands, now joined by Akira, have also exploited SonicWall security bugs to gain initial access to their victims’ corporate networks.
SonicWall serves over 500,000 business customers across 215 countries and territories, including government agencies and some of the world’s largest companies.