Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Critical SonicWall Vulnerability Possibly Exploited in Ransomware Attacks

A recently patched SonicWall vulnerability tracked as CVE-2024-40766 may have been exploited in ransomware attacks.

SonicWall

A recently patched SonicWall product vulnerability tracked as CVE-2024-40766 may have been exploited in ransomware attacks.

The critical flaw, disclosed on August 22, impacts SonicOS on Gen 5, Gen 6 and Gen 7 firewalls. The vulnerability, an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access or a firewall crash. 

SonicWall updated its advisory on Friday to inform customers that CVE-2024-40766 is “potentially being exploited in the wild”. 

The vendor has not shared any information on these attacks, but SOC company Arctic Wolf indicated that CVE-2024-40766 may have been exploited for initial access in Akira ransomware attacks.

“In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices,” the company said. 

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766,” it added.

Arctic Wolf has not clearly stated that CVE-2024-40766 has been exploited in these ransomware attacks, but suggests that there is a strong possibility. 

The US cybersecurity agency CISA has yet to add CVE-2024-40766 to its Known Exploited Vulnerabilities (KEV) catalog. Entries in CISA’s KEV catalog typically specify whether a flaw has been known to be exploited in ransomware attacks.

Advertisement. Scroll to continue reading.

Cybersecurity firm Blackpoint has also seen attacks targeting SSLVPN for initial access, but it could also not confirm that CVE-2024-40766 had been exploited. The company has promised to share more details on September 10.

“While the Blackpoint Active SOC team has recently combatted SSLVPN initial access compromise within our managed environments, we have NOT confirmed explicit indicators of compromise (IoCs) in our partners’ environments showing threat actor exploitation of SonicWall CVE-2024-40766,” the company noted. 

Threat actors have been known to exploit vulnerabilities in SonicWall products, including zero-days. Last year, Mandiant reported that it had identified sophisticated malware believed to be of Chinese origin on a SonicWall appliance.

Hundreds of thousands of SonicWall firewalls are exposed to the internet and could be vulnerable to attacks.

UPDATE: CISA has added CVE-2024-40766 to its KEV catalog, but the agency does not confirm exploitation in ransomware attacks. In addition, Rapid7 has also seen what may be in-the-wild exploitation of the vulnerability, but it does not have hard evidence that CVE-2024-40766 was exploited in the attacks.

Related: SonicWall Patches Critical Vulnerability in Firewall Appliances

Related: 180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE

Related: SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.