Ransomware Gangs Exploit Critical SonicWall Firewall Vulnerability
Ransomware affiliates are now actively exploiting a critical vulnerability in SonicWall’s SonicOS firewall devices, gaining unauthorized access to victims’ networks.
Affected Devices
The security flaw, tracked as CVE-2024-40766, impacts Gen 5, Gen 6, and Gen 7 firewalls. SonicWall issued a patch on August 22 and initially reported that the vulnerability affected only the firewall’s management access interface. However, the company has now confirmed that the flaw also impacts the SSLVPN feature, which is being actively exploited by attackers.
Exploitation in the Wild
On Friday, SonicWall urged customers to apply the patch immediately, without providing specific details about the in-the-wild exploitation. Security researchers at Arctic Wolf linked the attacks to Akira ransomware affiliates, who used compromised SonicWall devices to breach networks.
Stefan Hostetler, Senior Threat Intelligence Researcher at Arctic Wolf, explained, “The compromised accounts were local to the devices themselves, rather than integrated with centralized authentication solutions like Microsoft Active Directory. Additionally, multi-factor authentication (MFA) was disabled for all compromised accounts.”
Rapid7 also detected ransomware groups targeting SonicWall SSLVPN accounts but noted that the connection to CVE-2024-40766 remains circumstantial.
CISA Mandates Patch by September 30
In response to the ongoing exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog. Federal agencies have been ordered to patch the flaw by September 30, as required by Binding Operational Directive (BOD) 22-01.
Mitigation Recommendations
SonicWall has advised administrators to take the following actions:
- Restrict firewall management and SSLVPN access to trusted sources.
- Disable internet access to the management interface wherever possible.
- Enable multi-factor authentication (MFA) for all SSLVPN users, using time-based one-time passwords (TOTP) or email-based OTPs.
Previous SonicWall Exploits
SonicWall devices have been frequent targets for cyber espionage and ransomware attacks. Last year, suspected Chinese hackers (UNC4540) exploited unpatched SonicWall Secure Mobile Access (SMA) appliances, while ransomware gangs such as HelloKitty and FiveHands have used SonicWall vulnerabilities to breach corporate networks. The Akira ransomware group now joins the ranks of threat actors exploiting SonicWall bugs for network access.
SonicWall serves over 500,000 business customers in 215 countries, including government agencies and global enterprises.
Source: bleepingcomputer.com