SonicWall urges customers to take VPN devices offline after ransomware campaign

Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations. 

Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.

SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign. 

The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said. 

SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found. 

The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.

At least 20 incidents

Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.

“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.

The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.

When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”

Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”

Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.

A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment. 

“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said. 

He confirmed that the incidents Huntress examined also involved Akira ransomware. 

'This isn't isolated'

Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.

“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained. 

“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”

SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.

Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.