SonicWall VPNs are the target of ransomware that affects corporate networks
Cybercriminals have successfully breached at least 30 organizations using a vulnerability in SonicWall VPNs, security experts warn.
Earlier in 2024, SonicWall reported that it had discovered and patched a critical vulnerability in SonicWall SonicOS. This bug, tracked as CVE-2024-40766, has a severity rating of 9.3 (critical) and can result in unauthorized access to resources and even VPN crashes.
At the time, the company didn’t have any evidence of exploitation in the wild, but just a few weeks later, both new reports from Arctic Wolf and Rapid7 have now warned users to patch immediately after hackers started exploiting the flaw.
Akira dominates
The improper access control vulnerability affects Gen 5, Gen 6, and Gen 7 firewalls, as well as the SSLVPN feature of the firewalls. The researchers warned that the crooks were abusing them to deploy variants of the Akira and Fog ransomware. Akira, which seems to be the more active of the two, typically focuses on companies in the education, financial, real estate, manufacturing and consulting sectors.
Of the 30 registered victims, 75% were infected with Akira and the rest with Fog. However, it appears that the two threat actors are closely linked, sharing the same infrastructure and not competing for the same attack surface.
In addition to exploiting the SonicWall vulnerability, the researchers also said that the victims most likely did not have multi-factor authentication (MFA) enabled on the compromised SSL VPN accounts, which would make things a lot more difficult for the attackers. Moreover, they ran the services on the default port 4433, which also enhanced the attackers’ strengths.
βIn intrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or message event ID 1080 (SSL VPN zone remote user login allowed) was observed,β Arctic Wolf said. “After one of these messages, there were several SSL VPN INFO log messages (event ID 1079) indicating that the login and IP assignment were completed successfully.”
CVE-2024-40766 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal companies a deadline to fix their issues.
Via BleepingComputer