SonicWall investigating possible zero-day related to firewall attacks


SonicWall said Monday that it is investigating whether a recent surge in attacks targeting its Gen 7 firewalls is related to a possible zero-day vulnerability or exploitation of an existing flaw.

The warnings follow an Aug. 1 Arctic Wolf report about hackers deploying Akira ransomware in attacks that began on July 15.

Researchers saw an uptick in hands-on-keyboard activity last week and warned that the attacks were succeeding against fully patched devices, including ones whose users had already rotated credentials.

SonicWall said the current attacks resemble a series of hacks last year involving an improper access control vulnerability tracked as CVE-2024-40766.

Researchers at Huntress said on Monday that the activity — which involves hackers bypassing multifactor authentication and deploying ransomware — likely reflects the existence of a zero-day vulnerability. Huntress has observed approximately 20 such attacks since July 25.

John Hammond, principal security researcher at Huntress, said researchers have moderate to high confidence of a zero-day linkage, as the breadth of activity appears to narrow the options of what this could be. 

“I’ll admit, I don’t have the bottom line, the root cause analysis down quite yet,” Hammond told Cybersecurity Dive, “but seeing something like brute force credentials or some MFA bypass as widely as this doesn’t seem to be the right answer.”

The compromises may be limited to SonicWall’s TZ and NSa firewalls with SSL VPN enabled, according to Huntress. The researchers said the affected devices were running SonicOS 7.2.0-7015 and earlier.

Sophos has picked up 10 incidents since July 23, either through its managed detection and response service or through incident response engagements, according to Alexandra Rose, director of threat research at the Sophos Counter Threat Unit.

“While our current observations are primarily from U.S.-based organizations, this does not indicate that the U.S. is the only region affected,” Rose said. 

SonicWall is urging customers to disable SSL VPN services where practical and otherwise to limit SSL VPN access to trusted source addresses. The company also said customers should enforce multifactor authentication and enable botnet filtering and Geo-IP filtering, delete any unused accounts, and have all users update their passwords.
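As an added illustration, not code from SonicWall, Huntress or this article, the following Python triages a firewall inventory against the profile Huntress described above (Gen 7 TZ and NSa firewalls, SSL VPN enabled, SonicOS 7.2.0-7015 or earlier) and maps each hit to the mitigation SonicWall recommends. It assumes the SonicOS 7 "major.minor.patch-build" version-string format; the inventory, device names, model strings and non-7.2.0-7015 build numbers are constructed for the example, and a version string it cannot parse (for instance a Gen 6 build) is flagged for manual review rather than silently skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Upper bound of the affected range reported by Huntress: 7.2.0-7015 and earlier.
AFFECTED_MAX = (7, 2, 0, 7015)

# Assumed SonicOS 7 version shape: major.minor.patch-build, e.g. "7.2.0-7015".
_SONICOS7_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")

# Huntress scoped the activity to TZ and NSa firewalls (model prefixes, spaces ignored).
_IN_SCOPE_PREFIXES = ("TZ", "NSA")


def parse_sonicos7_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '7.2.0-7015' into (7, 2, 0, 7015); return None for any other shape."""
    m = _SONICOS7_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_affected_version(version: str) -> bool:
    """True when the string is a SonicOS 7 build at or below 7.2.0-7015."""
    v = parse_sonicos7_version(version)
    return v is not None and v[0] == 7 and v <= AFFECTED_MAX


@dataclass
class Firewall:
    name: str
    model: str            # e.g. "TZ470", "NSa 2700"
    version: str          # SonicOS build string as shown on the device
    sslvpn_enabled: bool


def triage(inventory: List[Firewall]) -> Dict[str, str]:
    """Return {device name: recommended action} for devices needing attention."""
    findings: Dict[str, str] = {}
    for fw in inventory:
        model = fw.model.upper().replace(" ", "")
        if not model.startswith(_IN_SCOPE_PREFIXES):
            continue  # outside the TZ/NSa scope reported by Huntress
        if parse_sonicos7_version(fw.version) is None:
            # Not a SonicOS 7 build string (e.g. Gen 6 "6.5.x.y-NNn"): do not guess.
            findings[fw.name] = "unrecognised version string; verify generation and build manually"
            continue
        if not is_affected_version(fw.version):
            continue
        if fw.sslvpn_enabled:
            findings[fw.name] = (
                "affected build with SSL VPN enabled: disable SSL VPN or restrict it to "
                "trusted sources, enforce MFA, enable botnet and Geo-IP filtering"
            )
        else:
            findings[fw.name] = (
                "affected build, SSL VPN disabled: remove unused accounts and rotate passwords"
            )
    return findings


# Constructed sample inventory (names, models and most build numbers are made up).
SAMPLE_INVENTORY = [
    Firewall("branch-fw-1", "TZ470", "7.2.0-7015", True),
    Firewall("dc-fw-1", "NSa 2700", "7.0.1-5161", False),
    Firewall("legacy-fw", "TZ400", "6.5.4.15-117n", True),    # Gen 6 format, flagged for review
    Firewall("edge-fw-2", "NSsp 15700", "7.2.0-7015", True),  # not a TZ/NSa model
]

if __name__ == "__main__":
    for name, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name}: {action}")
```

The version comparison is a plain tuple comparison, so a later 7.x build (for example a hypothetical 7.3.0 release) falls out of the affected set automatically; adjust `AFFECTED_MAX` if SonicWall publishes a different boundary.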

SonicWall devices have faced a series of attack campaigns in recent months. In mid-July, Google researchers warned that a threat actor tracked as UNC6148 had been targeting end-of-life SonicWall SMA 100 appliances.
