
Recent attack wave used a known vulnerability rather than a zero-day exploit, according to SonicWall.

Company attributes recent hacks to customers' use of outdated credentials during the transition from Gen 6 to Gen 7 firewalls.


Breaking News: SonicWall Gen 7 Firewall Attacks Linked to CVE-2024-40766 Vulnerability

A series of cyber attacks targeting SonicWall Gen 7 firewall users since July has been linked to the improper access control vulnerability, CVE-2024-40766. Contrary to initial suspicions, there is no evidence of a zero-day vulnerability being involved in these attacks.

The exploitation of this vulnerability, disclosed in August 2024, has been largely facilitated by the use of legacy credentials, particularly in environments where customers migrated from Gen 6 to Gen 7 firewalls and failed to change those credentials as recommended.

According to Huntress's latest report, as of Wednesday, 28 of its customers had been compromised. However, other security firms suggest that the number of compromised customers may soon exceed SonicWall's current tally of 40.

The Akira ransomware group is primarily associated with these attacks. Attackers typically gain administrative access via SSL VPNs by exploiting CVE-2024-40766 and leveraging credential reuse. Once inside, they can enable malicious activities such as packet capturing, configuration manipulation, and MFA bypass attempts.

To mitigate the risk from CVE-2024-40766 exploitation and associated credential abuse during migrations, SonicWall and security researchers strongly advise customers to:

  • Immediately reset and rotate all local administrator account passwords that may have been imported or reused in migrations.
  • Rotate LDAP account credentials used for Active Directory integration, as LDAP accounts can likewise be compromised.
  • Review firewall logs, packet captures, MFA settings, and configuration changes for unusual activity to detect possible breaches.
  • Apply the latest SonicOS updates (7.3 and newer) which include enhanced protections against brute force and MFA attacks.
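
One way to turn the checklist above into a repeatable audit is sketched below. It is an added example, not code from SonicWall or Huntress. It assumes you keep your own inventory of firewalls and accounts; the CSV column names and the sample rows are constructed for illustration and are not a SonicWall export format.

```python
import csv
import io
from datetime import date

MIN_SONICOS = (7, 3)  # the article's advice: SonicOS 7.3 and newer

# Constructed inventory; the column names are hypothetical, not a SonicWall export format.
SAMPLE_INVENTORY = """\
firewall,sonicos_version,migrated_on,account,kind,password_last_changed
fw-branch-01,7.1.2,2024-03-10,admin,local_admin,2022-06-01
fw-branch-01,7.1.2,2024-03-10,svc-ldap,ldap_bind,2024-09-02
fw-hq-01,7.3.0,2024-05-20,admin,local_admin,2024-05-20
fw-hq-01,7.3.0,2024-05-20,netadmin,local_admin,
fw-new-01,7.3.0,,admin,local_admin,2025-01-15
"""


def parse_version(text):
    """Turn '7.1.2' into (7, 1, 2) for tuple comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def audit(inventory_csv):
    """Return (accounts_to_rotate, firewalls_to_update) from the inventory text."""
    rotate, update = [], set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if parse_version(row["sonicos_version"]) < MIN_SONICOS:
            update.add(row["firewall"])
        if not row["migrated_on"]:
            continue  # fresh Gen 7 install: no credentials carried over from Gen 6
        migrated = date.fromisoformat(row["migrated_on"])
        changed = row["password_last_changed"]
        # Unknown change date, or a change on/before migration day, is treated as a
        # credential that may have been carried over (conservative with date-only data).
        if not changed or date.fromisoformat(changed) <= migrated:
            rotate.append((row["firewall"], row["account"], row["kind"]))
    return rotate, sorted(update)


if __name__ == "__main__":
    to_rotate, to_update = audit(SAMPLE_INVENTORY)
    for fw, account, kind in to_rotate:
        print(f"ROTATE  {fw}  {account}  ({kind})")
    for fw in to_update:
        print(f"UPDATE  {fw}  (below SonicOS 7.3)")
```

A password changed on the migration day itself is still flagged, because date-only records cannot show whether the change happened before or after the import.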

Michael Tigges, senior hunt response analyst at Huntress, stated that the exploitation or access to these appliances was across a couple of different firmware versions and a wide variety of Gen 7 firewall appliances. He added that when adversaries update this type of behavior, they've found something.

In summary, SonicWall customers running Gen 7 firewalls should focus on immediate credential rotation (local and LDAP accounts), applying all security patches, and monitoring system logs closely to protect against these attacks.

  1. The attacks on SonicWall Gen 7 firewall users, linked to the CVE-2024-40766 vulnerability, have been facilitated by the use of legacy credentials, particularly in environments where customers reused credentials during migrations.
  2. The Akira ransomware group, associated with these attacks, typically gains administrative access via SSL VPNs by exploiting the CVE-2024-40766 vulnerability and leveraging credential reuse.
  3. To protect against exploitation of CVE-2024-40766 and associated credential abuse, SonicWall advises customers to immediately reset and rotate all local administrator account passwords, rotate LDAP account credentials, review firewall logs, apply the latest SonicOS updates, and closely monitor system logs.
