In the latest ransomware attack, operators have started using a critical bug in SonicWall SonicOS firewall devices as an entry point for compromising business networks. The vulnerability, identified as CVE-2024-40766, is from the management access interface of the firewall and thus impacts all current devices spanning across Generation 5, Generation 6, and Generation 7. A patch was issued by SonicWall on August 22 to address the issue and asked its users to update their appliances. It later turned out that the same weakness also affects the SSLVPN feature of the devices, which has recently been exploited in the wild.
Arctic Wolf security researchers reported that operators of the Akira ransomware strain have been leveraging the bug for initial access to business networks. These appeared to be the types of attacks that involved compromised accounts, local to the affected devices and independent of centralised authentication systems such as Microsoft Active Directory. What's more, the affected accounts were noted to have MFA disabled, further compromising them. The affected breached devices were running firmware versions in the range vulnerable to CVE-2024-40766.
Apart from Arctic Wolf's discovery, the incidents of ransomware groups making their ways into SonicWall SSLVPN accounts were also reported by the security firm Rapid7. While the incidents being connected to the vulnerability CVE-2024-40766 are purely speculative, the company has underlined the need to take precautions.
Immediate Security Recommendations
The cybersecurity researchers at SonicWall, Arctic Wolf, and Rapid7 have strongly recommended that the administrators take to the immediate implementation of the latest SonicOS firmware updates. Specifically, SonicWall has advised customers to allow access to the Firewall management and SSLVPN features only from trusted sources and block it from the internet, if possible. It has also underlined the implementation of MFA for all SSLVPN users by leveraging the use of TOTP or email-based authentication.
Given the threat, this vulnerability has been added to the Known Exploited Vulnerabilities catalogue by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA. Federal agencies were directed to patch their vulnerable SonicWall devices before September 30, according to Binding Operational Directive, or BOD 22-01. That is the gravity of this vulnerability and how urgently the organisations need to act.
SonicWall Devices Targeted in Previous Attacks
SonicWall devices have been routine targets in the past, due to which the hackers exploit security flaws and gain entry to the corporate networks. For instance, suspected Chinese hackers installed malware on SonicWall Secure Mobile Access (SMA) devices, which persists on firmware upgrades. The Ransomware groups-HelloKitty, FiveHands, and now Akira-keeps exploiting similar vulnerabilities in the SonicWall systems for attacks.
Given that SonicWall serves over 500,000 customers, including government agencies and major corporations worldwide, the pervasive nature of these vulnerabilities calls for timely patching and stout security practices. "The company has urged that all users of the affected products must apply the latest updates in order to protect their systems against future attacks.