SonicWall Probes Potential Zero-Day Vulnerability Linked to Firewall Attacks

SonicWall Investigates Surge in Attacks on Gen 7 Firewalls

SonicWall, a prominent player in the cybersecurity landscape, announced on Monday that it is actively investigating a recent surge in attacks targeting its Gen 7 firewalls. This uptick in malicious activity has raised concerns about either a potential zero-day vulnerability or the exploitation of an existing flaw within the devices, and the company says it is treating the matter with urgency.

Recent Attack Trends

The warnings from SonicWall come in the wake of an August 1 report by Arctic Wolf, which detailed how hackers have been deploying the Akira ransomware variant in attacks that began on July 15. This report highlighted a significant increase in hands-on-keyboard activity, indicating that attackers are not only probing for vulnerabilities but are actively exploiting them. Alarmingly, these attacks have targeted fully patched devices, suggesting that even organizations that believe they are secure may be at risk.

Similarities to Previous Vulnerabilities

SonicWall noted that the current wave of attacks bears similarities to a series of hacks from the previous year, which involved an improper access control vulnerability tracked as CVE-2024-40766. This historical context raises questions about whether the current incidents are part of a broader trend of exploitation targeting SonicWall products.

Insights from Security Researchers

Researchers at Huntress provided further insights into the situation, suggesting that the ongoing activity—characterized by hackers bypassing multifactor authentication and deploying ransomware—likely indicates the presence of a zero-day vulnerability. Since July 25, Huntress has observed approximately 20 such attacks, reinforcing the notion that this is not an isolated incident.

John Hammond, a principal security researcher at Huntress, expressed moderate to high confidence in the zero-day linkage, noting that the breadth of the activity narrows down the potential causes. He remarked, “Seeing something like brute force credentials or some MFA bypass as widely as this doesn’t seem to be the right answer.” This statement underscores the complexity of the threat landscape and the need for ongoing vigilance.

Affected Devices and Versions

The compromises appear to be limited to SonicWall’s TZ and NSA firewalls with SSLVPN enabled. Researchers have identified that the vulnerability affects versions 7.2.0-7015 and earlier. These criteria (product family, SSLVPN state and firmware version) give organizations a concrete basis for assessing which of their devices are exposed and taking appropriate action.

Broader Impact and Observations

Sophos, another cybersecurity firm, reported that it has identified 10 incidents through its managed detection and response software or incident response since July 23. Alexandra Rose, director of threat research at Sophos Counter Threat Unit, noted that while most observations have come from U.S.-based organizations, this does not imply that the U.S. is the only region affected. The global nature of cybersecurity threats necessitates a comprehensive approach to defense.

Recommendations for SonicWall Customers

In light of these developments, SonicWall is urging its customers to take immediate action. The company recommends disabling SSLVPN services whenever practical and limiting SSLVPN access to trusted sources. Additionally, organizations are advised to enforce multifactor authentication, enable botnet filtering, and implement Geo-IP filtering. SonicWall also emphasizes the importance of deleting any unused accounts and encouraging all users to update their passwords regularly.
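The following is an added example, not code from the article or from SonicWall, that turns the exposure criteria above (TZ/NSA family, SSLVPN enabled, SonicOS 7.2.0-7015 or earlier) and the recommended mitigations into a simple inventory triage check. The inventory records, model names and version-string layout are constructed assumptions; the article states no fixed version, so versions above the reported range are only flagged as outside it.

```python
import re
from dataclasses import dataclass

# Assumed SonicOS version layout: "<major>.<minor>.<patch>-<build>", e.g. "7.2.0-7015".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")
LAST_AFFECTED = "7.2.0-7015"          # highest version reported as affected (from the article)
AFFECTED_FAMILIES = ("TZ", "NSA")     # product families the article names

# Mitigations the article lists for exposed devices.
MITIGATIONS = [
    "disable SSLVPN where practical, otherwise restrict it to trusted sources",
    "enforce multifactor authentication",
    "enable botnet filtering and Geo-IP filtering",
    "delete unused accounts and have users update passwords",
]

@dataclass
class Firewall:
    name: str
    model: str            # constructed sample, e.g. "TZ370"
    version: str          # SonicOS version string
    sslvpn_enabled: bool

def parse_version(v: str) -> tuple:
    """Parse a SonicOS version string into a comparable tuple of ints."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v: str) -> bool:
    """True when v is 7.2.0-7015 or earlier; tuple order handles major/minor/patch/build."""
    return parse_version(v) <= parse_version(LAST_AFFECTED)

def exposure(fw: Firewall) -> str:
    """Classify one device against the article's criteria."""
    if not fw.model.upper().startswith(AFFECTED_FAMILIES):
        return "out-of-scope"               # not a TZ/NSA unit
    if not is_affected_version(fw.version):
        return "above-reported-range"       # article gives no fixed version; verify with vendor
    if not fw.sslvpn_enabled:
        return "affected-version-sslvpn-off"
    return "AT-RISK"                        # matches every reported precondition

def triage(inventory) -> dict:
    """Map device name -> exposure class for a whole inventory."""
    return {fw.name: exposure(fw) for fw in inventory}

SAMPLE_INVENTORY = [                      # constructed records
    Firewall("branch-1", "TZ370", "7.2.0-7015", True),
    Firewall("dc-edge", "NSA2700", "7.1.3-7015", False),
    Firewall("lab", "NSA3700", "7.2.0-7016", True),
    Firewall("remote", "SMA500v", "7.2.0-7015", True),
]
```

Devices classed AT-RISK should receive the actions in `MITIGATIONS` first; the other classes still merit a check, since the article does not say a newer build is fixed.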

Ongoing Threat Landscape

The recent surge in attacks on SonicWall devices is not an isolated incident. In mid-July, Google researchers warned that a threat actor known as UNC6148 had been targeting end-of-life SonicWall SMA 100 appliances. This highlights a concerning trend of persistent threats aimed at exploiting vulnerabilities in aging infrastructure.

Conclusion

As SonicWall continues its investigation into the recent surge of attacks on its Gen 7 firewalls, the cybersecurity community remains on high alert. The potential existence of a zero-day vulnerability underscores the need for organizations to remain vigilant and proactive in their security measures. By following best practices and staying informed about emerging threats, businesses can better protect themselves in an increasingly complex digital landscape.
