Dive Brief:
- Attackers are actively exploiting a critical vulnerability in SonicWall SonicOS, the software powering the security vendor’s firewalls, according to researchers and federal cyber authorities.
- The Cybersecurity and Infrastructure Security Agency added CVE-2024-40766 to its known exploited vulnerabilities catalog on Monday. The software defect impacts SonicWall Gen 5 and Gen 6 devices, and Gen 7 devices running SonicOS version 7.0.1-5035 or older.
- SonicWall disclosed and patched the improper access control vulnerability, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf and Rapid7 have observed ransomware groups compromising secure sockets layer (SSL) VPN accounts on SonicWall devices for initial access in ransomware attacks.
Dive Insight:
The exploits, and the resulting exposure of enterprise networks, are the latest in a string of attacks targeting vulnerabilities in security gear from multiple vendors.
SonicWall's most recent updates on Friday warned the vulnerability was potentially exploited in the wild and urged customers to apply the patch. The company did not respond to a request for comment.
On Friday, Arctic Wolf said it observed Akira ransomware affiliate activity involving compromised accounts on local SonicWall firewalls. Multifactor authentication was disabled for all compromised accounts, according to the cybersecurity vendor.
“In retrospective analysis we found circumstantial evidence suggesting potential exploitation as early as the first week of August, but that’s not definitive,” Dan Schiappa, chief product and services officer at Arctic Wolf, said via email.
The lack of visibility in firewalls and VPN telemetry makes it difficult for researchers to attribute malicious activity to exploited vulnerabilities. Yet, Arctic Wolf observed enough data to indicate a threat to organizations relying on the SSL VPN feature of SonicWall firewalls using local authentication, Schiappa said.
Rapid7 also described evidence linking several attacks to CVE-2024-40766 exploits as circumstantial.
“We aren't able to attribute any incidents to this particular CVE with high confidence just yet,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said via email.
“We are also not observing targeting en masse of SonicWall devices at this time.”
SonicWall, government officials and researchers strongly encourage customers to upgrade to the latest supported SonicOS versions.
“SonicWall firewalls, like other network edge devices, are a high-value initial access vector for both financially motivated and advanced persistent threat adversaries,” Condon said.
Financially motivated and nation-state-linked attackers have widely exploited vulnerabilities in network edge devices sold by Barracuda, Citrix, Fortinet, Ivanti, and Palo Alto Networks over the past couple of years. In a May report, cybersecurity insurance firm At-Bay said remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year.
“Exploiting CVE-2024-40766 can potentially give threat actors internal network access that positions them well to conduct follow-on attacks, including ransomware deployment,” Condon said.
The vulnerability, in SonicOS management access and the SSL VPN, can be exploited to gain unauthorized access to resources and, in some conditions, to crash the firewall.
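A fleet triage check built from the affected-version range in the Dive Brief (all Gen 5 and Gen 6 devices, Gen 7 on SonicOS 7.0.1-5035 or older) and the local-authentication, no-MFA SSL VPN pattern Arctic Wolf describes; this is an added example, not code from the article or from SonicWall. The inventory format, device names and the newer build number are constructed, and because the page does not state the fixed versions, the check only flags devices inside the stated affected range rather than confirming a fix.

```python
import re
from dataclasses import dataclass

# Affected range as stated in the article. Fixed builds are not given on the
# page, so "not affected" here means "outside the stated range", nothing more.
GEN7_MAX_AFFECTED = (7, 0, 1, 5035)

@dataclass
class SonicWallDevice:
    name: str
    generation: int
    sonicos_version: str          # Gen 7 format assumed: "7.0.1-5035"
    sslvpn_enabled: bool
    local_auth_users_without_mfa: int

def parse_version(v):
    """Split a Gen 7 style 'major.minor.patch-build' string into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(dev):
    if dev.generation in (5, 6):          # every Gen 5/6 device per the article
        return True
    if dev.generation == 7:
        return parse_version(dev.sonicos_version) <= GEN7_MAX_AFFECTED
    return False

def triage(devices):
    """Return (name, severity, reasons) for each device in the affected range."""
    findings = []
    for d in devices:
        if not is_affected(d):
            continue
        reasons = ["SonicOS in CVE-2024-40766 affected range"]
        if d.sslvpn_enabled and d.local_auth_users_without_mfa > 0:
            reasons.append(f"SSL VPN enabled with {d.local_auth_users_without_mfa} "
                           "local-auth account(s) lacking MFA")
        findings.append((d.name, "HIGH" if len(reasons) > 1 else "MEDIUM", reasons))
    return findings

# Constructed sample inventory; 7.0.1-5100 is a hypothetical newer build.
SAMPLE_INVENTORY = [
    SonicWallDevice("fw-branch-01", 7, "7.0.1-5035", True, 4),
    SonicWallDevice("fw-branch-02", 7, "7.0.1-5100", True, 2),
    SonicWallDevice("fw-legacy-01", 6, "6.5.4.14-109n", False, 0),
]

if __name__ == "__main__":
    for name, sev, reasons in triage(SAMPLE_INVENTORY):
        print(f"{sev:6} {name}: " + "; ".join(reasons))
```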