SonicWall VPNs targeted by ransomware hitting corporate networks

Image credit: Pixabay (Image credit: Future)

Cybercriminals have successfully breached at least 30 organizations using a vulnerability in SonicWall VPNs, security experts have warned.

Earlier in 2024, SonicWall reported discovering, and patching, a critical vulnerability in the SonicWall SonicOS. This bug, which is tracked as CVE-2024-40766, has a severity score of 9.3 (critical), and can result in unauthorized resource access, and even crashes of the VPN.

At the time, the company did not have any evidence of in-the-wild abuse, however just a few weeks later, both new reports from Arctic Wolf and Rapid7 have now warned users to patch immediately after hackers started exploiting the flaw.

Akira dominating

The improper access control vulnerability is affecting Gen 5, Gen 6, and Gen 7 firewalls, as well as the firewalls’ SSLVPN feature. The researchers warned that the crooks were abusing them to deploy Akira and Fog ransomware variants. Akira, which seems to be the more active of the two, usually targets firms in education, finance, real estate, manufacturing, and consulting industries.

Of the 30 recorded victims, 75% were infected with Akira, and the rest with Fog. However, it seems that the two threat actors are deeply connected, sharing the same infrastructure, and are not competing for the same attack surface.

Besides abusing the SonicWall vulnerability, the researchers also said that the victims most likely did not have multi-factor authentication (MFA) enabled on the compromised SSL VPN accounts, which would make things a lot more difficult for the attackers. Furthermore, they were running the services on the default port 4433, which also played to the attackers’ strengths.

"In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed," Arctic Wolf said. "Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully."

CVE-2024-40766 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal firms a deadline to patch up.

Via BleepingComputer

More from TechRadar Pro

SonicWall patches critical firewall security flaw
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.