SonicWall has publicly acknowledged a recent wave of attacks on its Gen 7 and newer firewalls with SSL VPN enabled. The attacks were made possible by a vulnerability that has since been patched, combined with password reuse. The company is still investigating fewer than 40 incidents related to this activity, and the episode has many users of its firewall products up in arms.
CVE-2024-40766 - SonicWall disclosed this vulnerability in August 2024 with a critical CVSS score of 9.3. SonicWall specifically cautioned that the improper access control can allow unauthorized users to gain access to devices and can lead to resource access violations. Between August and early October 2024, threat actors associated with the Akira and Fog ransomware operations exploited this vulnerability against unpatched SonicWall SSL VPNs.
Investigation Findings
SonicWall's investigation found that the problem was significant. A good number of these incidents were traced to users who had moved from Gen 6 to Gen 7 firewalls without resetting their local user passwords. Because of this, the company advises prioritizing password management and related security measures to protect against such threats.
“We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” said a representative from SonicWall. The statement means the existing risk can be mitigated with the patches already available and the right security configuration. It also underlines that these threats are not tied only to recently identified CVEs; reused credentials are part of the picture.
To combat these problems, SonicWall has offered detailed step-by-step instructions exclusively for customers using its firewall products. The company recommends updating firmware to SonicOS version 7.3.0 and resetting all local user account passwords, especially those migrated from Gen 6 to Gen 7.
Security Recommendations
Beyond password resets, SonicWall strongly recommends that users enable Botnet Protection. Organizations should also turn on Geo-IP Filtering to further bolster these devices' security. SonicWall calls for requiring multi-factor authentication (MFA) and establishing strict password policies to increase security across the board.
SonicWall additionally recommended that organizations delete all inactive or unused user accounts to eliminate possible attack vectors. SonicWall remains committed to ensuring the security and integrity of its firewall products, and these measures are a welcome response to the escalating menace of cyber attacks.
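The hardening steps above (firmware at SonicOS 7.3.0 or later, password resets for accounts migrated from Gen 6, MFA on every account, removal of inactive accounts) can be checked mechanically against an export of local users. The script below is an added example, not SonicWall's code or tooling; the account record format, the 90-day inactivity threshold and the sample users are all constructed assumptions, since the article does not describe how SonicOS exports accounts.

```python
"""Audit local SSL VPN accounts against the hardening steps in the article.

Added example (not SonicWall tooling). The LocalUser record layout is a
hypothetical export format; adapt the loader to whatever your firewall
actually produces. Thresholds marked 'assumption' are not from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MIN_FIRMWARE: Tuple[int, ...] = (7, 3, 0)  # SonicOS 7.3.0, named in the article
INACTIVE_DAYS = 90                          # assumption: what counts as "inactive"


@dataclass
class LocalUser:
    name: str
    migrated_from_gen6: bool
    migrated_on: Optional[date]        # when the Gen 6 -> Gen 7 migration happened
    password_changed: Optional[date]   # last local password reset, None if never
    mfa_enabled: bool
    last_login: Optional[date]         # None if the account has never logged in


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.1-5145' into (7, 0, 1); the build suffix after '-' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def firmware_outdated(version: str) -> bool:
    """True when the running SonicOS is older than the 7.3.0 baseline."""
    return parse_version(version) < MIN_FIRMWARE


def audit_user(user: LocalUser, today: date) -> List[str]:
    """Return the hardening gaps for one account (empty list means compliant)."""
    findings: List[str] = []

    # Migrated accounts must have had a password reset *after* the migration.
    if user.migrated_from_gen6:
        stale = (
            user.password_changed is None
            or user.migrated_on is None
            or user.password_changed <= user.migrated_on
        )
        if stale:
            findings.append("password not reset since Gen 6 migration")

    if not user.mfa_enabled:
        findings.append("MFA not enforced")

    # Accounts with no recent login are candidates for removal.
    if user.last_login is None or (today - user.last_login).days > INACTIVE_DAYS:
        findings.append(f"no login in {INACTIVE_DAYS}+ days; remove if unused")

    return findings


def audit(firmware: str, users: List[LocalUser], today: date) -> Dict[str, List[str]]:
    """Audit firmware plus every account; keys are 'firmware' or the user name."""
    report: Dict[str, List[str]] = {}
    if firmware_outdated(firmware):
        report["firmware"] = [f"SonicOS {firmware} is below 7.3.0; upgrade"]
    for user in users:
        findings = audit_user(user, today)
        if findings:
            report[user.name] = findings
    return report


# Constructed sample data: four hypothetical local accounts on one firewall.
SAMPLE_USERS = [
    LocalUser("alice", True, date(2025, 6, 1), date(2024, 1, 15), True, date(2025, 7, 30)),
    LocalUser("bob", False, None, date(2025, 7, 1), False, date(2025, 7, 29)),
    LocalUser("carol", True, date(2025, 6, 1), date(2025, 6, 2), True, date(2025, 1, 10)),
    LocalUser("dave", False, None, date(2025, 7, 20), True, date(2025, 7, 31)),
]
SAMPLE_FIRMWARE = "7.0.1-5145"   # constructed: a pre-7.3.0 build string
SAMPLE_TODAY = date(2025, 8, 1)  # constructed audit date


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample so the result is reproducible."""
    return audit(SAMPLE_FIRMWARE, SAMPLE_USERS, SAMPLE_TODAY)


if __name__ == "__main__":
    for subject, findings in run_sample_audit().items():
        for finding in findings:
            print(f"{subject}: {finding}")
```

With the constructed sample, the firmware line fires, alice is flagged for a password that predates her migration, bob for missing MFA, carol for inactivity, and dave passes. Treat the inactivity window as a policy decision: a shorter window removes dormant credentials sooner, which is the point of the recommendation.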
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash,” – SonicWall
Ongoing Threat Landscape
As other security vendors have documented, there has been a significant uptick in Akira ransomware intrusions that gain their initial foothold through SonicWall SSL VPN appliances. That broader trend makes it even more urgent for SonicWall customers to act fast and defend their institutions against these flaws.
As attackers continue to exploit known weaknesses, organizations must remain vigilant and proactive in their cybersecurity strategies. Today's continuously evolving threat landscape only amplifies the importance of prompt updates, strong password policies, and better security overall.