A recently patched SonicWall product vulnerability tracked as CVE-2024-40766 may have been exploited in ransomware attacks.
The critical flaw, disclosed on August 22, impacts SonicOS on Gen 5, Gen 6 and Gen 7 firewalls. The vulnerability, an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access or a firewall crash.
SonicWall updated its advisory on Friday to inform customers that CVE-2024-40766 is “potentially being exploited in the wild”.
The vendor has not shared any information on these attacks, but SOC company Arctic Wolf indicated that CVE-2024-40766 may have been exploited for initial access in Akira ransomware attacks.
“In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices,” the company said.
“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766,” it added.
Arctic Wolf has not clearly stated that CVE-2024-40766 has been exploited in these ransomware attacks, but suggests that there is a strong possibility.
The US cybersecurity agency CISA has yet to add CVE-2024-40766 to its Known Exploited Vulnerabilities (KEV) catalog. Entries in CISA’s KEV catalog typically specify whether a flaw has been known to be exploited in ransomware attacks.
Cybersecurity firm Blackpoint has also seen attacks targeting SSLVPN for initial access, but it, too, could not confirm that CVE-2024-40766 had been exploited. The company has promised to share more details on September 10.
“While the Blackpoint Active SOC team has recently combatted SSLVPN initial access compromise within our managed environments, we have NOT confirmed explicit indicators of compromise (IoCs) in our partners’ environments showing threat actor exploitation of SonicWall CVE-2024-40766,” the company noted.
Threat actors have been known to exploit vulnerabilities in SonicWall products, including zero-days. Last year, Mandiant reported that it had identified sophisticated malware believed to be of Chinese origin on a SonicWall appliance.
Hundreds of thousands of SonicWall firewalls are exposed to the internet and could be vulnerable to attacks.
UPDATE: CISA has added CVE-2024-40766 to its KEV catalog, but the agency does not confirm exploitation in ransomware attacks. Rapid7 has also seen what may be in-the-wild exploitation of the vulnerability, but it does not have hard evidence that CVE-2024-40766 was exploited in the attacks.