Full Report
The vendor ruled out a zero-day vulnerability as the root cause, disputing initial assessments from third-party researchers. Fewer than 40 organizations have been impacted since mid-July. The post SonicWall pins firewall attack spree on year-old vulnerability appeared first on CyberScoop.
Analysis Summary
# Incident Report: Mass Exploitation of SonicWall Gen 7 Firewalls via Patched Vulnerability
## Executive Summary
A series of ransomware attacks targeted SonicWall Gen 7 firewalls, beginning in mid-July, resulting in compromise of fewer than 40 organizations. SonicWall attributes the attacks to exploitation of a previously disclosed and patched critical improper access control vulnerability, **CVE-2024-40766**, rather than a new zero-day. The primary impact involves ransomware deployment, primarily by Akira affiliates, targeting unpatched or misconfigured devices, leading to potential data encryption and extortion. Response centered on patching the known CVE and advising customers to reset credentials.
## Incident Details
- Discovery Date: Mid-July (when attacks started increasing in pace)
- Incident Date: Attacks started in mid-July
- Affected Organization: Fewer than 40 organizations using SonicWall Gen 7 firewalls.
- Sector: Various (Implied; attacks observed across multiple customers)
- Geography: Not explicitly disclosed, though attributed to global ransomware groups.
## Timeline of Events
### Initial Access
- Date/Time: Mid-July onwards
- Vector: Exploitation of the SSL VPN service on SonicWall Gen 7 firewalls.
- Details: Attackers leveraged **CVE-2024-40766** (Improper Access Control, CVSS 9.8, disclosed Aug 22, 2024, added to CISA KEV Sept 9, 2024). Some affected customers had recently migrated from Gen 6 to Gen 7 without resetting passwords.
### Lateral Movement
- Details: If initial administrative accounts were compromised via the CVE, attackers could exploit administrative features (packet capture, debugging, logging, configuration backup, MFA control) to obtain additional credentials and weaken security posture, facilitating further internal movement.
### Data Exfiltration/Impact
- Details: The primary goal appears to be ransomware detonation, mostly involving **Akira ransomware**. Akira affiliates typically steal data before encryption to enable double extortion tactics.
### Detection & Response
- Detection: Identified by external security researchers (Arctic Wolf, Huntress, GuidePoint) and confirmed by SonicWall's investigation as attacks rapidly sped up over the weeks following mid-July.
- Response actions taken: SonicWall advised customers to change credentials and upgrade to SonicOS 7.3.0 (which includes additional MFA controls). Initial guidance to disable SSL VPN on Gen 7 firewalls was withdrawn.
## Attack Methodology
- Initial Access: Exploitation of vulnerable SonicOS utilizing **CVE-2024-40766**.
- Persistence: Implied through the use of compromised administrative features or established footholds post-initial access.
- Privilege Escalation: Potential exploitation of administrative features (e.g., packet capture, config backups) to gain further credentials.
- Defense Evasion: No specific evasion technique is described; the attackers relied on a known vulnerability that remained unpatched or unmitigated by configuration changes.
- Credential Access: Implied; via compromised administrative interfaces (e.g., configuration backup, packet capture) or subsequent privilege escalation.
- Discovery: Standard reconnaissance techniques likely employed post-access to map the internal network.
- Lateral Movement: Achieved by leveraging compromised credentials and administrative features.
- Collection: Data gathered and staged prior to encryption (a typical Akira TTP).
- Exfiltration: Data theft prior to ransomware deployment.
- Impact: Ransomware detonation (Akira).
## Impact Assessment
- Financial: Not quantified; the attacks involved extortion by Akira ransomware affiliates.
- Data Breach: Undisclosed volume or type, but data theft occurred prior to encryption as part of Akira's double extortion model.
- Operational: Deployment of ransomware causing disruption to network operations.
- Reputational: Negative impact on SonicWall due to mass exploitation of its firewall firmware, despite the vendor citing a previously disclosed patch.
## Indicators of Compromise
- Network indicators: Exploitation attempts against the SSL VPN service of Gen 7 firewalls unpatched for CVE-2024-40766; the report discloses no specific IP addresses or URLs.
- File indicators: Presence of Akira ransomware strains.
- Behavioral indicators: Use of compromised administrative features like packet capture or MFA control modification on the firewall.
## Response Actions
- Containment: Not stated explicitly, but victims would need to isolate affected segments and block external access to SSL VPN endpoints that lack the patch.
- Eradication: Required resetting all potentially compromised credentials, especially administrative and local accounts associated with the firewall.
- Recovery actions: Upgrading firmware to SonicOS 7.3.0 and applying multi-factor authentication controls.
## Lessons Learned
- Patch management is critical: CVE-2024-40766 was disclosed and patched months earlier, yet widespread exploitation still occurred where patches had not been applied universally, especially after migration to new Gen 7 hardware.
- Configuration hygiene matters: Attackers exploited issues in newer Gen 7 installs that migrated from Gen 6 without proper security resets (passwords).
- Attribution under pressure is hard: The rapid scale of attacks led researchers to suspect a new zero-day, highlighting the difficulty of quickly distinguishing renewed exploitation of a known CVE from novel exploitation.
## Recommendations
- Immediately verify all SonicWall Gen 7 appliances are running SonicOS 7.3.0 or newer, ensuring the patch for CVE-2024-40766 is fully applied.
- Enforce immediate and mandatory password resets for all local administrator accounts on all network devices.
- Deploy Multi-Factor Authentication (MFA) on all remote access vectors, including SSL VPN, as recommended by the vendor's updated guidance.
- Security teams should treat vulnerabilities that have been added to CISA's KEV catalog with the highest urgency, regardless of previous disclosures.
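As an added defender-side example (not code from the report, SonicWall, or CyberScoop), the following Python script checks a constructed appliance inventory against the first three recommendations above: firmware at or above SonicOS 7.3.0, local password resets after a Gen 6 to Gen 7 migration, and MFA on SSL VPN. The inventory layout and field names are assumptions, not a SonicWall export format.

```python
import re

# Upgrade target named in the report (contains the CVE-2024-40766 fix).
MIN_SONICOS = (7, 3, 0)


def parse_version(text):
    """Return (major, minor, patch) from a SonicOS string such as '7.3.0-7012'.

    The build suffix after '-' is ignored for the comparison.
    """
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unparseable SonicOS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(device):
    """Return the findings for one appliance record (empty list means compliant)."""
    findings = []
    if parse_version(device["sonicos"]) < MIN_SONICOS:
        findings.append("firmware older than SonicOS 7.3.0")
    if device["migrated_from_gen6"] and not device["passwords_reset_after_migration"]:
        findings.append("Gen 6 to Gen 7 migration without local password reset")
    if device["sslvpn_enabled"] and not device["mfa_enforced"]:
        findings.append("SSL VPN enabled without MFA")
    return findings


def assess_inventory(inventory):
    """Map appliance name to its findings, devices with the most findings first."""
    results = {d["name"]: assess(d) for d in inventory}
    return dict(sorted(results.items(), key=lambda item: -len(item[1])))


# Constructed sample inventory; field names are assumptions, not a SonicWall export.
INVENTORY = [
    {"name": "fw-hq-01", "sonicos": "7.3.0-7012", "migrated_from_gen6": False,
     "passwords_reset_after_migration": True, "sslvpn_enabled": True, "mfa_enforced": True},
    {"name": "fw-branch-02", "sonicos": "7.0.1-5161", "migrated_from_gen6": True,
     "passwords_reset_after_migration": False, "sslvpn_enabled": True, "mfa_enforced": False},
    {"name": "fw-lab-03", "sonicos": "7.2.0-7015", "migrated_from_gen6": True,
     "passwords_reset_after_migration": True, "sslvpn_enabled": False, "mfa_enforced": False},
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
```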