Technology

SonicWall VPNs targeted by ransomware hitting corporate networks

October 28, 2024

Cybercriminals have successfully breached at least 30 organizations using a vulnerability in SonicWall VPNs, security experts have warned.

Earlier in 2024, SonicWall reported discovering, and patching, a critical vulnerability in the SonicWall SonicOS. This bug, which is tracked as CVE-2024-40766, has a severity score of 9.3 (critical), and can result in unauthorized resource access, and even crashes of the VPN.

At the time, the company did not have any evidence of in-the-wild abuse, however just a few weeks later, both new reports from Arctic Wolf and Rapid7 have now warned users to patch immediately after hackers started exploiting the flaw.

Akira dominating

The improper access control vulnerability is affecting Gen 5, Gen 6, and Gen 7 firewalls, as well as the firewalls’ SSLVPN feature. The researchers warned that the crooks were abusing them to deploy Akira and Fog ransomware variants. Akira, which seems to be the more active of the two, usually targets firms in education, finance, real estate, manufacturing, and consulting industries.

Of the 30 recorded victims, 75% were infected with Akira, and the rest with Fog. However, it seems that the two threat actors are deeply connected, sharing the same infrastructure, and are not competing for the same attack surface.

Besides abusing the SonicWall vulnerability, the researchers also said that the victims most likely did not have multi-factor authentication (MFA) enabled on the compromised SSL VPN accounts, which would make things a lot more difficult for the attackers. Furthermore, they were running the services on the default port 4433, which also played to the attackers’ strengths.

“In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed,” Arctic Wolf said. “Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully.”

CVE-2024-40766 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal firms a deadline to patch up.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar