SonicWall has warned customers to disable SSLVPN services due to ransomware gangs potentially exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks over the past few weeks.
The warning comes after Arctic Wolf Labs reported on Friday that it had observed multiple Akira ransomware attacks, likely using a SonicWall zero-day vulnerability, since July 15th.
"The initial access methods have not yet been confirmed in this campaign," the Arctic Wolf Labs researchers said. "While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases."
Arctic Wolf also advised SonicWall administrators on Friday to temporarily disable SonicWall SSL VPN services due to the strong possibility that a SonicWall zero-day vulnerability was being exploited in these attacks.
Cybersecurity company Huntress confirmed Arctic Wolf's findings on Monday and published a report with the indicators of compromise (IOCs) it collected while investigating this campaign.
"A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware," Huntress warned. "Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach."
The same day, SonicWall confirmed it is aware of this campaign and published an advisory urging customers to secure their firewalls against ongoing attacks by:
- Disabling SSL VPN services whenever possible,
- Limiting SSL VPN connectivity to trusted source IP addresses,
- Enabling security services such as Botnet Protection and Geo-IP Filtering to identify and block known threat actors targeting SSL VPN endpoints,