SonicWall Discovers No SSL VPN Zero-Day Vulnerabilities, Connects Ransomware Attacks to 2024 Security Flaw
SonicWall has reported that recent Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability, specifically CVE-2024-40766, rather than a zero-day flaw. This critical access control flaw, which was fixed in August 2024, allows unauthorised access to vulnerable endpoints, enabling attackers to hijack sessions or gain VPN access in protected environments. SonicWall expressed high confidence that the recent SSLVPN activity is correlated with CVE-2024-40766, as detailed in their public advisory SNWLID-2024-0015. Following internal investigations of 40 incidents, the company clarified that the attacks are primarily affecting endpoints that did not adhere to recommended mitigation strategies during the migration from Gen 6 to Gen 7 firewalls, particularly regarding local user password resets.
In light of these findings, SonicWall has advised customers to disable SSLVPN services and restrict connectivity to trusted IP addresses until the situation is resolved. The recommended actions include updating firmware to version 7.3.0 or later, which offers enhanced brute-force and multi-factor authentication (MFA) protections, and resetting all local user passwords, especially those associated with SSLVPN. Despite SonicWall’s guidance, some customers have expressed scepticism on platforms like Reddit, citing breaches of accounts that were created post-migration and alleging that SonicWall declined to review their logs. These conflicting reports, coupled with the ambiguous language in SonicWall’s update, underscore the importance of vigilance and prompt implementation of the recommended security measures.
Categories: Ransomware Attacks, Vulnerability Exploitation, Security Recommendations
Tags: SonicWall, Akira, Ransomware, CVE-2024-40766, SSLVPN, Vulnerability, Gen 7, Firewalls, Unauthorized Access, Firmware