
A new wave of attacks, according to SonicWall, utilizes a known vulnerability rather than a zero-day flaw.

The company has linked the recent cyber attacks to outdated login credentials carried over during transitions from Generation 6 to Generation 7 firewalls.

Recent attack wave utilizes a pre-existing vulnerability, contrary to claims of employing a zero-day exploit.


The SonicWall Gen 7 firewall attacks have been linked to a previously disclosed and patched vulnerability, CVE-2024-40766, not a new zero-day exploit. The attacks mainly exploit improper access control in SonicOS management and SSL VPN, and many incidents are tied to migration from Gen 6 to Gen 7 firewalls where local administrator passwords were carried over without resetting.

To prevent further intrusions, SonicWall and security researchers strongly recommend immediate password resets for all local administrator and relevant LDAP/Active Directory account passwords, especially on firewalls migrated from Gen 6 to Gen 7 without password changes. It is also advisable to review firewall logs, packet captures, configuration backups, MFA settings, and recent configuration changes for any unusual or suspicious activity.

Updating firewall firmware to SonicOS 7.3 or later, which includes enhancements strengthening password protections and blocking brute-force and MFA bypass attempts, is another critical step. Rotating any credentials that may have been exposed due to exploitation is also essential to prevent attackers from leveraging administrative features like packet capture or configuration changes.

These steps are crucial because compromised local administrator accounts can allow attackers to perform administrative functions that weaken security or facilitate further credential theft. The number of confirmed incidents remains low (under 40), reflecting limited but serious targeted attacks.

The attacks began in July with a series of opportunistic intrusions that deployed Akira ransomware, and SonicWall has confirmed a wave of attacks against its Gen 7 customers since then. According to Michael Tigges, SonicWall's product security officer, the exploitation of, or access to, Gen 7 firewall appliances spanned a couple of different firmware versions and a wide variety of appliances.

Security firms such as Huntress have reported a growing number of customers experiencing intrusions, indicating that SonicWall's tally of 40 may soon grow. Huntress researchers advise rotating both local credentials and LDAP account credentials used for Active Directory integration. They also recommend reviewing firewall logs and configuration changes for any unusual activity.
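The credential-rotation and log-review steps recommended above, by SonicWall in the paragraphs on password resets and firmware and by Huntress here, can be turned into a repeatable check. The script below is an added example, not tooling from SonicWall or Huntress. It assumes a simplified key=value log format modelled on syslog output (an assumption, not the exact SonicOS schema), a constructed inventory of local and LDAP accounts with their last password-change dates, and a constructed allowlist of management sources. It reports accounts whose password predates the Gen 6 to Gen 7 migration, successful logins to those accounts, and logins or configuration changes from sources outside the allowlist.

```python
"""Post-migration hygiene audit for firewall admin accounts and logs.

Added example, not SonicWall's or Huntress's own code. The log format,
account inventory, trusted networks and log lines are all constructed.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: the firewall was migrated from Gen 6 to Gen 7 on this date.
MIGRATION_DATE = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Constructed inventory: local admin and LDAP bind accounts with the date
# each password was last set. Dates before MIGRATION_DATE mean the
# credential was carried over from Gen 6 without a reset.
ACCOUNTS = {
    "admin": datetime(2024, 3, 2, tzinfo=timezone.utc),          # carried over
    "backup-admin": datetime(2025, 7, 3, tzinfo=timezone.utc),   # reset after migration
    "ldap-bind": datetime(2023, 11, 20, tzinfo=timezone.utc),    # carried over
}

# Constructed allowlist of networks from which admin/SSL VPN logins are expected.
TRUSTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed sample log lines in the assumed key=value format.
SAMPLE_LOGS = """\
time="2025-07-09 02:14:55" usr="admin" src=203.0.113.45 msg="Administrator login allowed" svc=mgmt
time="2025-07-09 02:17:10" usr="admin" src=203.0.113.45 msg="Configuration changed" svc=mgmt
time="2025-07-09 09:01:22" usr="backup-admin" src=10.0.5.12 msg="Administrator login allowed" svc=mgmt
time="2025-07-09 11:45:03" usr="ldap-bind" src=198.51.100.7 msg="SSL VPN login allowed" svc=sslvpn
time="2025-07-09 11:50:41" usr="jdoe" src=10.0.5.40 msg="SSL VPN login allowed" svc=sslvpn
"""

# key=value pairs where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def stale_accounts(accounts=ACCOUNTS, migrated=MIGRATION_DATE):
    """Accounts whose password was last set before the migration date."""
    return sorted(user for user, changed in accounts.items() if changed < migrated)


def is_trusted(src, trusted=TRUSTED_SOURCES):
    """True when the source address falls inside an allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in trusted)


def audit(log_text=SAMPLE_LOGS, accounts=ACCOUNTS,
          migrated=MIGRATION_DATE, trusted=TRUSTED_SOURCES):
    """Return (reason, user, src, time) findings that warrant review."""
    stale = set(stale_accounts(accounts, migrated))
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        user, src = ev.get("usr"), ev.get("src")
        msg, when = ev.get("msg", ""), ev.get("time")
        login = "login allowed" in msg
        if login and user in stale:
            findings.append(("login to account not reset after migration", user, src, when))
        if login and src and not is_trusted(src, trusted):
            findings.append(("login from untrusted source", user, src, when))
        if msg == "Configuration changed" and src and not is_trusted(src, trusted):
            findings.append(("configuration change from untrusted source", user, src, when))
    return findings


if __name__ == "__main__":
    print("Accounts to reset:", ", ".join(stale_accounts()))
    for reason, user, src, when in audit():
        print(f"{when}  {user:<13} {src:<15} {reason}")
```

To apply it to a real export, adjust `parse_line` and the message strings to the actual log schema, then call `audit(open(path).read())` with your own account inventory and trusted networks; the stale-account list is the set of credentials to rotate first regardless of what the logs show.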

In summary, the vulnerability CVE-2024-40766 is patched, but attacks persist largely due to reused passwords and insufficient post-migration security hygiene. Password resets, firmware updates, and thorough security audits form the key defense strategy against this threat. There is no evidence of a zero-day vulnerability being involved in these attacks.

SonicWall has released guidance on how to change credentials for users, and it is strongly advised that users follow these instructions to secure their firewalls. It is crucial to stay vigilant and proactive in maintaining cybersecurity, especially in the face of ongoing threats like these SonicWall Gen 7 firewall attacks.

  1. To ensure the protection of firewalls against the ongoing SonicWall Gen 7 firewall attacks, it's crucial to follow SonicWall's guidance on changing credentials for users.
  2. Password resets for local administrator and relevant LDAP/Active Directory account passwords, especially after migration from Gen 6 to Gen 7 without password changes, are vital steps in securing firewalls.
  3. Security firms are recommending reviewing firewall logs, configuration changes, and MFA settings for any unusual activity as part of the defense strategy against the SonicWall Gen 7 firewall attacks.
