SonicWall has recently clarified that the surge in attacks targeting its Gen 7 and newer firewalls with SSL VPN enabled is associated with an older, now-patched vulnerability, rather than a new zero-day exploit. The company stated: "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766."
Understanding CVE-2024-40766
CVE-2024-40766, assigned a CVSS score of 9.3, was first disclosed by SonicWall in August 2024. It is an improper access control flaw in SonicOS management access and SSLVPN, potentially allowing unauthorized resource access and, under specific conditions, causing the firewall to crash. SonicWall's advisory at the time stressed the critical nature of the flaw and urged users to apply the patched firmware promptly; the advisory was later updated to note that the vulnerability was being exploited in the wild.
Recent Exploitation and Investigation
In recent months, multiple security vendors have reported a surge in attacks on SonicWall SSL VPN appliances, particularly in connection with Akira ransomware campaigns. SonicWall has been investigating fewer than 40 incidents related to this activity. Notably, many of these incidents involve firewalls migrated from Gen 6 to Gen 7 where local user passwords were not reset, a step that SonicWall's original mitigation guidance for CVE-2024-40766 explicitly required. In other words, the attackers appear to be reusing credentials exposed through the old flaw rather than triggering a new code defect.
Recommended Mitigation Steps
To bolster security and prevent unauthorized access, SonicWall has provided updated guidance for users:
– Firmware Update: Upgrade to SonicOS version 7.3.0, which includes additional protections against brute-force password and multi-factor authentication (MFA) attacks.
– Password Management: Reset all local user account passwords for accounts with SSLVPN access, especially those carried over during migration from Gen 6 to Gen 7.
– Security Features: Enable Botnet Protection and Geo-IP Filtering to enhance defense mechanisms.
– Authentication Policies: Enforce MFA and implement strong password policies to add layers of security.
– Account Maintenance: Remove unused or inactive user accounts to minimize potential entry points for attackers.
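The two account-hygiene steps above (reset every SSLVPN-enabled local account carried over from Gen 6, and remove dormant accounts) are easy to state and easy to miss on a firewall with a few hundred local users. The following is an added example, not SonicWall code or a SonicWall tool: it audits a user export and lists which accounts still need a password reset after the migration and which ones have gone idle. The CSV layout (username, groups, password_changed, last_login), the group name "SSLVPN Services", the migration date and the sample accounts are all assumptions constructed for illustration; map the columns of your own export onto these names before using it.

```python
"""Audit a local-user export for the post-migration password-reset and
account-cleanup steps. Added example; the CSV layout, group name, dates and
accounts below are constructed assumptions, not a real SonicWall export."""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export. Columns and values are invented for the example.
SAMPLE_EXPORT = """\
username,groups,password_changed,last_login
alice,SSLVPN Services;Everyone,2023-11-02,2025-07-30
bob,SSLVPN Services,2025-06-15,2025-07-28
carol,Everyone,2022-05-01,2024-01-10
dave,SSLVPN Services;Trusted Users,2024-01-20,2024-02-02
svc_backup,SSLVPN Services,2023-08-08,
"""

# Assumed date the Gen 6 configuration was imported into the Gen 7 firewall.
MIGRATION_DATE = date(2024, 3, 1)
# Assumed name of the group that grants SSL VPN access in the export.
SSLVPN_GROUP = "SSLVPN Services"
# Accounts idle longer than this are candidates for removal.
INACTIVE_AFTER = timedelta(days=90)


def _parse_date(value):
    """Parse YYYY-MM-DD; an empty field (never logged in / unknown) becomes None."""
    if isinstance(value, date):
        return value
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_export(text):
    """Return one dict per user with the group set and dates parsed."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "username": row["username"].strip(),
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
            "password_changed": _parse_date(row["password_changed"]),
            "last_login": _parse_date(row["last_login"]),
        })
    return users


def stale_sslvpn_accounts(users, migration_date=MIGRATION_DATE):
    """SSL VPN-enabled accounts whose password predates the migration.

    A missing password_changed date is treated as stale: an account with no
    record of a reset on the new firewall is exactly the case to worry about.
    """
    return sorted(
        u["username"] for u in users
        if SSLVPN_GROUP in u["groups"]
        and (u["password_changed"] is None or u["password_changed"] < migration_date)
    )


def inactive_accounts(users, today, max_idle=INACTIVE_AFTER):
    """Accounts that have never logged in, or not within max_idle of today."""
    return sorted(
        u["username"] for u in users
        if u["last_login"] is None or today - u["last_login"] > max_idle
    )


def audit(text, today, migration_date=MIGRATION_DATE):
    """Run both checks over an export; today may be a date or YYYY-MM-DD string."""
    users = parse_export(text)
    today = _parse_date(today)
    return {
        "reset_password": stale_sslvpn_accounts(users, migration_date),
        "review_for_removal": inactive_accounts(users, today),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, today="2025-08-01")
    for action, names in result.items():
        print(f"{action}: {', '.join(names) or '(none)'}")
```

Note that the service account with no recorded login lands on both lists: it has SSL VPN access, its password was never rotated after the migration, and nothing has used it in months. That is the profile of the accounts the campaign described above abuses, and the audit deliberately errs toward flagging such accounts rather than silently skipping rows with empty fields.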
Contextualizing the Threat Landscape
The Akira ransomware group, active since March 2023, has been known to exploit vulnerabilities in VPN devices to gain initial access to target networks. Their modus operandi often involves disabling backups to prevent recovery and deploying ransomware swiftly after gaining access. The group’s victims span various sectors globally, including notable organizations like Stanford University and Nissan Australia.
The recent attacks underscore the importance of adhering to security best practices, especially during system migrations. Ensuring that all recommended steps, such as password resets and firmware updates, are diligently followed can significantly reduce the risk of exploitation.
Conclusion
SonicWall's confirmation that the recent VPN attacks are linked to a previously patched vulnerability shows that applying a firmware fix is not the whole remediation: credentials exposed before the patch remain usable until they are reset. Regularly updating systems, resetting passwords during migrations, enforcing MFA, and pruning unused accounts are essential steps in safeguarding against these threats.