Dive Brief:
- Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
- SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
- “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.
Dive Insight:
The potential for additional victim organizations is extensive. The latent risk extends to SonicWall customers who haven’t patched the critical vulnerability in SonicOS, the software powering the security vendor’s firewalls.
“The vulnerability described in the CVE impacts more than 300,000 appliances under support, so there are potentially thousands of organizations impacted,” Fitzgerald said.
About half of customers using newer SonicWall Gen 7 devices have upgraded their firmware, and around 30% of units running Gen 6.5 and older have patched the vulnerability with a software update, Fitzgerald said.
Threat groups linked to these attacks are targeting a broad swath of industries and organizations of various sizes, Kerri Shafer-Page, VP of digital forensics incident response at Arctic Wolf, said Thursday via email.
SonicWall added it isn’t aware of any patterns suggesting specific types of organizations or industries are being targeted.
Attackers both stole and encrypted data. In one case, up to 30 months of sensitive information from human resources and accounts payable departments was stolen, according to Arctic Wolf. Encryption focused on virtual machine storage and its backups.
The time from initial access to ransomware deployment or encryption ranged from 90 minutes to 10 hours, according to Arctic Wolf.
Akira ransomware was deployed in 3 in 4 attacks observed by Arctic Wolf, and Fog ransomware was deployed in the remainder.
SonicWall said it does not disclose details shared by customers or information about ransomware attacks against its customers. “SonicWall is not otherwise aware of operational disruptions, data leaks, extortion demands or payments linked to the attempted intrusion activity observed,” Fitzgerald said.
Arctic Wolf Labs said it hasn’t observed definitive evidence linking the intrusions to CVE-2024-40766 exploits, but initial access to victim environments involved the use of SonicWall secure sockets layer VPN accounts.
All SonicWall devices involved in these attacks were running firmware versions affected by the vulnerability, Arctic Wolf Labs researchers said.
Security researchers first warned in early September that ransomware groups were compromising SSL VPN accounts on SonicWall devices to gain initial access.
SonicWall said that since disclosing the vulnerability in August it has run a call campaign and sent multiple security bulletins to partners and customers. The company also said it shared information with incident response firms, government agencies and law enforcement.