SonicWall says that the recent Akira ransomware attacks against Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability rather than a zero-day flaw.
The company says that the attackers are targeting CVE-2024-40766, an unauthorized access flaw fixed in August 2024.
"We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability," reads the update on the SonicWall bulletin published this week.
"Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015."
CVE-2024-40766 is a critical SSLVPN access control flaw in SonicOS that allows unauthorized access to vulnerable endpoints, letting attackers hijack sessions or gain VPN access to protected environments.
The flaw was exploited extensively following its disclosure roughly a year ago, including by Akira and Fog ransomware operators who leveraged it to breach corporate networks.
On Friday, Arctic Wolf Labs first hinted at the possible existence of a zero-day vulnerability in SonicWall Gen 7 firewalls, after observing Akira ransomware attack patterns consistent with that assumption.
SonicWall quickly confirmed that it is aware of an ongoing campaign, and advised customers to turn off SSL VPN services and limit connectivity to trusted IP addresses until the situation clears up.
Following an internal investigation of 40 incidents, the vendor now disputes the possibility that attackers are exploiting a zero-day vulnerability in its products.
Instead, SonicWall says the Akira attacks are targeting endpoints that did not follow the recommended course of action for mitigating CVE-2024-40766 when migrating from Gen 6 to Gen 7 firewalls.