SonicWall VPNs targeted by ransomware hitting corporate networks
Researchers have been warning about this flaw for some time
Cybercriminals have successfully breached at least 30 organizations using a vulnerability in SonicWall VPNs, security experts have warned.
Earlier in 2024, SonicWall reported discovering, and patching, a critical vulnerability in the SonicWall SonicOS. This bug, which is tracked as CVE-2024-40766, has a severity score of 9.3 (critical), and can result in unauthorized resource access, and even crashes of the VPN.
At the time, the company did not have any evidence of in-the-wild abuse, however just a few weeks later, both new reports from Arctic Wolf and Rapid7 have now warned users to patch immediately after hackers started exploiting the flaw.
Akira dominating
The improper access control vulnerability is affecting Gen 5, Gen 6, and Gen 7 firewalls, as well as the firewalls’ SSLVPN feature. The researchers warned that the crooks were abusing them to deploy Akira and Fog ransomware variants. Akira, which seems to be the more active of the two, usually targets firms in education, finance, real estate, manufacturing, and consulting industries.
Of the 30 recorded victims, 75% were infected with Akira, and the rest with Fog. However, it seems that the two threat actors are deeply connected, sharing the same infrastructure, and are not competing for the same attack surface.
Besides abusing the SonicWall vulnerability, the researchers also said that the victims most likely did not have multi-factor authentication (MFA) enabled on the compromised SSL VPN accounts, which would make things a lot more difficult for the attackers. Furthermore, they were running the services on the default port 4433, which also played to the attackers’ strengths.
"In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed," Arctic Wolf said. "Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
CVE-2024-40766 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal firms a deadline to patch up.
Via BleepingComputer
More from TechRadar Pro
- SonicWall patches critical firewall security flaw
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.