SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.
Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.
“A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.
Researchers from multiple security companies confirmed attackers have intruded and compromised customer networks, even in environments with multi-factor authentication enabled.
Attackers are moving swiftly, pivoting directly to domain controllers within hours and deploying ransomware after short dwell times, Huntress said in a threat advisory Monday. The company said it has observed about 20 attacks, occurring in almost daily bursts, starting July 25.
Huntress said post-compromise techniques span a mix of automated scripts and hands-on keyboard activities prior to Akira ransomware deployment. This includes the abuse of privileged accounts for administrative access, backdoor implants, lateral movements to steal credentials from multiple databases and a methodical disablement of security tools and firewalls.
Multiple attackers have gained access to internal networks via SonicWall devices. While there are some similarities across the various attacks, Huntress also noted some differences, suggesting multiple threat groups might be involved or attackers are adapting to situations upon gaining access.
SonicWall, a repeat offender
The active mass exploitation targeting SonicWall firewalls underscores the persistent risk the vendor’s customers have confronted for years. SonicWall has 14 entries on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021.
The more recent and ongoing attacks are targeting a next-generation firewall, unlike last month’s series of financially motivated attacks targeting organizations using fully patched, but outdated SonicWall Secure Mobile Access 100 series appliances. Half of the exploited vulnerabilities on CISA’s catalog affect SonicWall SMA 100 appliances, including three of the four defects actively exploited this year.
SonicWall’s recommendation to disable SSLVPN on Gen 7 firewalls, which allows users to establish encrypted connections to the corporate network, serves as an acknowledgment that the critical service can’t be trusted to serve its primary purpose. Many organizations require employees to access their corporate network via VPN.
SonicWall’s SSLVPN was the root of the problem in at least three actively exploited vulnerabilities on CISA’s known exploited vulnerabilities catalog, including CVE-2024-53704, CVE-2023-44221 and CVE-2021-20016.
Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year. Officials said Akira operators steal data and encrypt systems before threatening to publish data. Some Akira affiliates have also called victimized companies to apply further pressure, according to the FBI.
An investigation into the root cause of the attacks and origins of those responsible is ongoing.
