SonicWall urges customers to disable SSLVPN amid reports of ransomware attacks


Enterprise security company SonicWall is urging its customers to disable a core feature of its most recent line-up of firewall devices after security researchers reported an uptick in ransomware incidents targeting SonicWall customers. 

In a statement this week, SonicWall said it had observed a “notable increase” of security incidents targeting its Generation 7 firewalls where customers have its VPN enabled. The company said it is “actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”

The company’s alert comes as security researchers say they have identified hackers targeting SonicWall devices to gain initial access to a victim’s network. 

Hackers are increasingly targeting enterprise products, like firewalls and VPNs, which work as digital gatekeepers, allowing legitimate employees access to the company’s network. But security flaws in these products can allow malicious hackers in, enabling attackers to launch data-stealing or destructive attacks.

Security firm Arctic Wolf said it has seen intrusions targeting SonicWall customers as far back as mid-July. The company said “available evidence points to the existence of a zero-day vulnerability,” referring to a security bug that was discovered and exploited before the vendor could patch the issue.

The researchers said they witnessed a short gap between the exploitation of the SonicWall firewall and the subsequent deployment of file-encrypting malware, or ransomware.

Huntress Labs, another cybersecurity firm, said it is “likely” that a zero-day bug in SonicWall firewalls is to blame for the attacks, and warned that the hackers exploiting the bug have been seen gaining access to a company’s domain controllers, which manage the devices and users on that network.

In its blog, Huntress said it believes the Akira ransomware gang is behind some of the attacks targeting SonicWall customers. Akira has been known to target enterprise products, like Fortinet firewalls, to break into large networks.

“This is a critical, ongoing threat,” wrote Huntress.
