Patch now! Attacks on SonicWall firewalls observed again

The ransomware gang Akira is once again targeting a vulnerability from 2024 in SonicWall firewalls. Security updates are available.


A vulnerability in certain SonicWall firewalls has repeatedly been targeted by attackers. Security updates have been available for around a year, but have apparently still not been installed across the board.

The "critical" vulnerability (CVE-2024-40766) has been known since August last year. The first attacks occurred as early as September 2024. In October of the same year, the Akira and Fog ransomware gangs exploited the vulnerability.

Attacks on SonicWall firewalls then hit the headlines again in August of this year. Security researchers initially suspected a zero-day vulnerability as a starting point for attackers. However, it turned out relatively quickly that the vulnerability from 2024 had been exploited again.

According to SonicWall's initial warning message, the vulnerability in the SSLVPN component affects certain Gen 5, Gen 6 and Gen 7 series firewalls listed there. It is fixed as of versions 5.9.2.14-13o, 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800), 6.5.4.15.116n (for other Gen6 firewall appliances), and 7.0.1-5035.
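For admins who keep a firmware inventory, the check against the fixed releases above can be scripted. The following is an added example, not code from heise or SonicWall; the inventory entries, the placeholder model names and the version ordering rule (numeric components compared left to right, letter suffixes ignored) are assumptions.

```python
import re

# Fixed releases exactly as listed in the article.
FIXED_GEN5 = "5.9.2.14-13o"
FIXED_GEN6_LARGE = "6.5.2.8-2n"     # SM9800, NSsp 12400, NSsp 12800
FIXED_GEN6_OTHER = "6.5.4.15.116n"  # other Gen6 firewall appliances
FIXED_GEN7 = "7.0.1-5035"
GEN6_LARGE_MODELS = {"SM9800", "NSSP12400", "NSSP12800"}


def parse_version(text):
    # Assumption: each run of digits is one version component and letter
    # suffixes such as 'o' or 'n' do not affect ordering.
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return parts


def fixed_baseline(model, version):
    """Return the fixed release for this model and firmware generation."""
    major = parse_version(version)[0]
    if major == 6:
        key = re.sub(r"\s+", "", model).upper()
        return FIXED_GEN6_LARGE if key in GEN6_LARGE_MODELS else FIXED_GEN6_OTHER
    return {5: FIXED_GEN5, 7: FIXED_GEN7}.get(major)  # None: not covered


def needs_update(model, version):
    """True if below the fixed release, False if not, None if unknown."""
    baseline = fixed_baseline(model, version)
    if baseline is None:
        return None
    return parse_version(version) < parse_version(baseline)


def audit(inventory):
    # Hosts with an unknown generation (None) are not reported here.
    return [host for host, model, ver in inventory if needs_update(model, ver)]


# Constructed sample inventory: hostnames, placeholder models, made-up versions.
INVENTORY = [
    ("fw-branch-01", "gen6-other", "6.5.4.14-109n"),
    ("fw-dc-01", "NSsp 12400", "6.5.2.8-2n"),
    ("fw-hq-01", "gen7-appliance", "7.0.1-5030"),
    ("fw-lab-01", "gen5-appliance", "5.9.2.14-13o"),
]
```

A host that passes this check has only the patch confirmed; the credential change and MFA mentioned in the article are separate steps.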


If attacks are successful, attackers can crash instances and gain unauthorized access. In addition to installing the security updates, admins should also change their credentials and ensure that multi-factor authentication (MFA) is switched on.

There are now new reports from security researchers, including Rapid7, that Akira is once again targeting the vulnerability. The attackers are said to gain higher user rights, copy and encrypt files, and stop backup processes. The extent of the attacks is currently unknown. Admins should make absolutely sure that their appliances are protected against the described attack.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.