Akira Ransomware Exploited MFA-Protected SonicWall SSL VPNs, Say Researchers
Ransomware-wielding attackers are actively exploiting multiple types of SonicWall devices, potentially by exploiting a zero-day vulnerability.
“SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSL VPN enabled,” a spokesperson for the Milpitas, California-based vendor told Information Security Media Group.
A security alert published Monday came on the heels of multiple cybersecurity firms seeing a surge in attacks against Gen 7 firewalls, which appear to succeed even if multifactor authentication defenses are enabled. At least some of these attacks resulted in victims being infected with Akira ransomware.
The SonicWall spokesperson said the company is working with outside cybersecurity firms. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.”
Multiple researchers suspect a zero-day. “The speed and success of these attacks – even against environments with MFA enabled – strongly suggest a zero-day vulnerability is being exploited in the wild,” Huntress said in a Monday blog post.
Huntress said it has evidence the compromise may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled. “We can confirm that the suspected vulnerability exists in firmware versions 7.2.0-7015 and earlier.” SonicWall released the SonicOS firmware version 7.2.0-7015 in April – the most recent 7.2 version.
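Huntress scopes the suspected issue to Gen 7 devices with SSL VPN enabled running firmware 7.2.0-7015 or earlier. The following is an added example (not code from the article, Huntress or SonicWall) of how an administrator could triage a firewall inventory against that description. The SonicOS version format it parses (dotted release numbers, a hyphen, a build number with an optional trailing letter), the `Firewall` record layout and the sample inventory are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Upper bound of the affected range as stated by Huntress in the article.
AFFECTED_MAX = "7.2.0-7015"


def parse_sonicos(version: str) -> tuple:
    """Turn a SonicOS version string such as '7.2.0-7015' into a comparable tuple.

    Assumed format (not taken from the article): dotted release numbers, then
    a hyphen and a numeric build, optionally followed by a single letter.
    Raises ValueError for anything that does not match, so a malformed
    inventory entry is surfaced instead of silently treated as safe.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)+)-(\d+)[a-z]?", version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    if len(release) < 3:
        # Pad so that a short form like 7.2-7015 compares like 7.2.0-7015.
        release += (0,) * (3 - len(release))
    return release + (int(m.group(2)),)


@dataclass
class Firewall:
    name: str
    firmware: str
    ssl_vpn_enabled: bool


def is_in_scope(fw: Firewall, max_affected: str = AFFECTED_MAX) -> bool:
    """True if the device matches the population Huntress describes:
    Gen 7 (major version 7), SSL VPN enabled, firmware at or below the bound."""
    v = parse_sonicos(fw.firmware)
    return v[0] == 7 and fw.ssl_vpn_enabled and v <= parse_sonicos(max_affected)


def triage(inventory) -> list:
    """Return the names of devices that should be prioritised for review."""
    return [fw.name for fw in inventory if is_in_scope(fw)]


# Constructed sample inventory; device names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Firewall("tz-branch-01", "7.0.1-5030", True),
    Firewall("nsa-hq-01", "7.2.0-7015", True),
    Firewall("tz-lab-02", "7.2.0-7015", False),      # SSL VPN disabled: outside the described population
    Firewall("nsa-dc-03", "7.2.0-7016", True),       # hypothetical later build, above the stated bound
    Firewall("gen6-legacy", "6.5.4.15-116n", True),  # Gen 6: outside the scope Huntress described
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"review: {name}")
```

The check only reproduces the population the researchers described; it is not a vulnerability test, and since SonicWall had not confirmed a flaw at the time of writing, devices above the bound should still be watched for the intrusion patterns described later in the article.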
Arctic Wolf said in a Friday alert that the earliest signs of these attacks date back to at least July 15, although they came to light somewhat later. It said it saw “multiple pre-ransomware intrusions” within a short period of time, each involving VPN access through SonicWall SSL VPNs, even when MFA was enabled.
Arctic Wolf said it can’t rule out the possibility that hackers are conducting brute force or credential stuffing attacks. But “available evidence points to the existence of a zero-day vulnerability.” If this attack against SonicWall’s Gen 7 firewalls turns out to involve a zero-day vulnerability, this would be the second such flaw to come to light in SonicWall VPNs this year.
Buttressing the zero-day theory is the fact that attackers penetrated SonicWall devices for which credentials were recently rotated, meaning that if hackers had previously somehow obtained credentials, they wouldn’t be valid.
Huntress said it has seen about 20 different attacks targeting vulnerable devices since July 25 and many have similarities. “It is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter.”
Attackers typically rapidly take over privileged accounts, install a backdoor, move laterally on the network and harvest credentials – including for offline cracking – and disable security tools. The final step is deploying ransomware. In the cases Huntress is tracking, the crypto-locking malware was built by the Akira ransomware-as-a-service operation. Arctic Wolf likewise said it’s seen Akira-wielding attackers exploiting the devices.
Akira is a major ransomware operation and has a history of targeting critical infrastructure organizations’ external-facing services, including Cisco and other VPN servers, as well as exploiting poorly secured remote desktop protocol, abusing stolen credentials and phishing attacks.
Attackers Seek Edge Devices
Security experts said the ability of a ransomware group to exploit edge devices in novel ways is a byproduct of their illicit business success.
“There continues to be an evolution where ransomware groups have better technical exploitation capability than nation states, because victims are giving them R&D budgets of hundreds of millions of dollars,” said British cybersecurity expert Kevin Beaumont in a post to social platform Mastodon.
Beaumont said he too has tracked a surge in victims of Akira.
Edge devices – and the initial access they provide to corporate environments – are a top target for cybercriminals and nation-state hackers. Even before this wave of attacks, SonicWall hardware has been no exception (see: Hackers Use Backdoor to Steal Data From SonicWall Appliance).
Only days ago, the company published an “urgent advisory for addressing rootkits and other critical vulnerabilities in SonicWall SMA 100 series appliances,” following attackers actively targeting vulnerabilities in physical and virtual versions of those appliances, in an apparently distinct wave of attacks.
The attacks came to light in mid-July, when researchers at Google Threat Intelligence Group reported seeing attackers actively exploit the SonicWall Secure Mobile Access 100 series appliances, although the researchers said how the attackers gained initial access was unclear.
On Wednesday, Google’s Threat Intelligence Group updated the indicators of compromise it has assembled to track attacks by what appears to be a financially motivated threat actor that it tracks as UNC6148, which targets fully patched but end-of-life SonicWall SMA 100 series appliances for which attackers previously stole valid credentials (see: Hackers Use Backdoor to Steal Data From SonicWall Appliance).
The researchers said the attackers have been exploiting CVE-2024-38475 for path traversal and session hijacking. SonicWall first patched the flaw in December 2024 by issuing updated firmware and subsequently issued updated advisories as new exploitation techniques came to light.
Attackers who exploited the flaw were deploying “a persistent and stealthy user-mode rootkit” codenamed Overstep, as well as using “previously stolen administrator credentials and OTP secrets to regain access to patched systems” even after they got booted out, SonicWall said. Among its features, Overstep includes the ability to steal credentials and one-time password secrets.
To gain initial access, UNC6148 “may have used an unknown zero-day remote code execution vulnerability to deploy Overstep on opportunistically targeted SonicWall SMA appliances,” Google researchers said.
SonicWall urged customers to update to patched firmware and enable multiple hardening measures. If organizations suspected their devices were compromised with Overstep, SonicWall said they must rebuild the affected system, since that is the only way to ensure the rootkit’s full removal. Firms would also have to reset one-time password app bindings for all users – meaning they would have to “re-bind their mobile authenticator apps,” such as Google Authenticator, when they next logged in – so attackers cannot reuse the stolen OTPs.
Whether those attacks on SonicWall SSL VPN SMA 100 Series appliances are related in any way to a potential zero-day vulnerability being targeted in SonicWall’s Gen 7 firewalls is unclear.