SonicWall VPNs targeted by ransomware hitting corporate networks

Researchers have been warning about this flaw for some time

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybercriminals have successfully breached at least 30 organizations using a vulnerability in SonicWall VPNs, security experts have warned.

Earlier in 2024,SonicWall reporteddiscovering, and patching, a critical vulnerability in the SonicWall SonicOS. This bug, which is tracked as CVE-2024-40766, has a severity score of 9.3 (critical), and can result in unauthorized resource access, and even crashes of the VPN.

At the time, the company did not have any evidence of in-the-wild abuse, however just a few weeks later, both new reports from Arctic Wolf and Rapid7 have now warned users to patch immediately after hackers started exploiting the flaw.

Akira dominating

Akira dominating

The improper access control vulnerability is affecting Gen 5, Gen 6, and Gen 7 firewalls, as well as the firewalls’ SSLVPN feature. The researchers warned that the crooks were abusing them to deploy Akira and Fogransomwarevariants. Akira, which seems to be the more active of the two, usually targets firms in education, finance, real estate, manufacturing, and consulting industries.

Of the 30 recorded victims, 75% were infected with Akira, and the rest with Fog. However, it seems that the two threat actors are deeply connected, sharing the same infrastructure, and are not competing for the same attack surface.

Besides abusing the SonicWall vulnerability, the researchers also said that the victims most likely did not have multi-factor authentication (MFA) enabled on the compromised SSL VPN accounts, which would make things a lot more difficult for the attackers. Furthermore, they were running the services on the default port 4433, which also played to the attackers’ strengths.

“In intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) were observed,” Arctic Wolf said. “Following one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP assignment had completed successfully.”

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

CVE-2024-40766 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal firms a deadline to patch up.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

HPE reveals critical security bug affecting networking access points