Patched SonicWall critical vulnerability still used in several ransomware attacks

A critical access control vulnerability affecting SonicWall’s SonicOS network access solutions, including SSLVPN and management access, is being widely exploited by ransomware affiliates to breach victims’ networks.

Arctic Wolf researchers observed that the Virtual Private Network (VPN) access control flaw, tracked as CVE-2024-40766 with a CVSS rating of 9.3 out of 10, has been exploited actively by the Fog and Akira ransomware affiliates.

“In early August, Arctic Wolf Labs began observing a marked increase in Fog and Akira ransomware intrusions where initial access to victim environments involved the use of SonicWall SSL VPN accounts,” the researchers said in a report. They added they’ve observed “an influx of at least 30 intrusions across a variety of industries, each involving SonicWall SSL VPN early in the cyber kill chain.”

SonicWall fixed the SonicOS flaw in late August 2024 and, a week later, published a notice warning that the flaw was potentially being exploited in the wild.

Used in the initial infection

Around the time of SonicWall’s September 2024 warning that the flaw was being actively exploited, Arctic Wolf researchers had said they were seeing an Akira ransomware campaign that used compromised SSLVPN accounts for access.

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” researchers had added in a report. MFA was disabled on all the affected devices, and all of them ran a firmware version affected by CVE-2024-40766.

Now, a month later, the researchers tracking the exploitation are still observing an increased number of Fog and Akira infections involving compromised SonicWall devices. Seventy-five percent of these infections deployed Akira ransomware, while the remaining 25% of them dropped the Fog encryption payloads.

It is important to note, however, that Arctic Wolf has no definitive evidence, either from before August or since, that the SonicWall flaw was actually exploited in the intrusions it investigated. The “strong conclusion” is drawn from the fact that every SonicWall device found involved in the ransomware infections was running a firmware version affected by CVE-2024-40766.

“Additionally, in intrusions where firewall telemetry was available, malicious SonicWall SSL VPN login events were observed that originated from VPS (Virtual Private Server) hosting providers,” the researchers added, justifying the association.

Patch available with other ‘disabling’ workarounds

The affected SonicOS versions included 5.9.2.14-12o and older, 6.5.4.14-109n and older, and 7.0.1-5035 and older, which were fixed in versions 5.9.2.14-13o, 6.5.4.15.116n, and 7.0.1-5072, respectively.

SonicWall and Arctic Wolf strongly recommend that affected users upgrade to the latest supported SonicOS firmware versions. Additionally, the SonicWall advisory recommends that all users of Gen5 and Gen6 devices update their passwords to prevent unauthorized access. Disabling the affected services is also listed as a workaround in the SonicWall advisory.

“To minimize potential impact, SonicWall recommends restricting firewall management to trusted sources or disabling firewall WAN management from Internet access,” the company said. “Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet.”
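As an added illustration, not code from the article, SonicWall or Arctic Wolf, the script below turns the fixed versions and hardening recommendations quoted above into a fleet-triage check: it orders SonicOS version strings within their firmware branch and flags the exposure conditions the article describes (unpatched firmware, SSLVPN or management reachable from the WAN, local VPN accounts without MFA). The inventory schema and device records are constructed for the example.

```python
import re

# Fixed SonicOS releases named in the SonicWall advisory, keyed by firmware
# branch (the leading digit of the version string), as quoted in the article.
FIXED_VERSIONS = {"5": "5.9.2.14-13o", "6": "6.5.4.15.116n", "7": "7.0.1-5072"}

def parse_sonicos_version(version: str) -> tuple:
    """Turn 'a.b.c.d-NNNx' or 'a.b.c.d.NNNx' into a tuple of ints for ordering.

    Both separators before the build number are accepted (the advisory text
    uses both); the trailing release letter (o, n) is dropped.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)[.-](\d+)[a-z]*", version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    dotted, build = m.groups()
    return tuple(int(p) for p in dotted.split(".")) + (int(build),)

def is_vulnerable(version: str) -> bool:
    """True when the firmware predates the fixed release for its branch."""
    fixed = FIXED_VERSIONS.get(version.strip()[:1])
    if fixed is None:
        raise ValueError(f"no fixed release known for branch of {version!r}")
    return parse_sonicos_version(version) < parse_sonicos_version(fixed)

def audit_device(dev: dict) -> list:
    """Return the exposure conditions from the article that apply to one device.

    Keys are an assumed inventory schema, not a SonicWall API: firmware,
    sslvpn_from_wan, mgmt_from_wan, mfa_enabled, local_sslvpn_accounts.
    """
    findings = []
    if is_vulnerable(dev["firmware"]):
        findings.append("firmware affected by CVE-2024-40766; upgrade")
    if dev["sslvpn_from_wan"]:
        findings.append("SSLVPN reachable from the Internet; restrict or disable")
    if dev["mgmt_from_wan"]:
        findings.append("WAN management enabled; restrict to trusted sources")
    if dev["local_sslvpn_accounts"] and not dev["mfa_enabled"]:
        findings.append("local SSLVPN accounts without MFA; enable MFA, rotate passwords")
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "fw-branch-1", "firmware": "7.0.1-5035", "sslvpn_from_wan": True,
     "mgmt_from_wan": False, "mfa_enabled": False, "local_sslvpn_accounts": 4},
    {"name": "fw-hq", "firmware": "7.0.1-5072", "sslvpn_from_wan": False,
     "mgmt_from_wan": False, "mfa_enabled": True, "local_sslvpn_accounts": 0},
]
```

Running `audit_device` over each record in `INVENTORY` lists the open items per appliance; an empty list means the device meets every recommendation the article quotes.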

