Continued Exploit of SonicWall Vulnerability in Ransomware Attacks

By Kalani Anderson on November 1, 2024

Executive Summary

On August 21, 2024, SonicWall disclosed in a security advisory a vulnerability in its SonicOS management access and SSLVPN services that could give threat actors unauthorized access and the ability to crash the firewalls of affected systems. The Improper Access Control Vulnerability, CVE-2024-40766, was believed to have been fully addressed in a patch released several days after its disclosure, and at the time was not thought to be actively exploited. Despite this, in September Arctic Wolf discovered that the vulnerability was being used by the known ransomware group Akira and by the ransomware variant FOG. To mitigate further exposure to ransomware attacks, organizations operating SonicWall devices are strongly encouraged to update them to the most current versions.

Background

SonicWall is a cyber security company known for offering a wide range of cyber security services and products, especially its endpoint security, cloud security services, and selection of firewalls [1]. The vulnerability CVE-2024-40766 was first discovered in August and was promptly addressed by SonicWall. However, despite the vulnerability being addressed, researchers from Arctic Wolf, a cyber security service company, discovered that it was actively being used in ransomware attacks. These attacks are thought to be carried out by the FOG and Akira ransomware affiliates against SSLVPN users on SonicWall devices [2][3]. The SonicWall SSLVPN provides users with the ability to remotely access the NetExtender application, which in turn provides remote access to network resources [4]. Targeting SSLVPN users widens the attack surface available to the threat actors, since the application provides remote access to networks and to any sensitive data residing on them. The initial vulnerability was assigned a base score of 9.3, indicating a critical vulnerability that should be addressed immediately to avoid further exploitation [5].

Exploitation

While it has not been fully disclosed how the vulnerability was being exploited, it is known that the affected SonicWall firewalls spanned several generations, including Gen 5, Gen 6, and Gen 7 [6]. Additionally, the accounts compromised in the ransomware attacks all failed to use multi-factor authentication (MFA) and were on outdated SonicWall devices still susceptible to CVE-2024-40766. Poor firewall configuration, poor password management and user authentication, and failure to enforce secure privileges for the SSLVPN user accounts are all believed to be factors in how the vulnerability was exploited. Once they obtained access, the ransomware attackers moved quickly to encrypt virtual machine data and its backups, primarily focusing on recent data files no older than 6 months [7].

Significance and Impact

While the full extent of the vulnerability was not disclosed to the public, SonicWall provides services to thousands of clients globally. In 2020, SonicWall published that it served over 500,000 customers, making it fair to assume that at least a million systems use its services [8]. In addition, ransomware attacks can be extremely dangerous and have grave impacts on organizations. These types of attacks undermine the core principles of cyber security: confidentiality, integrity, and availability. A successful ransomware attack can lead to the disruption of organizational operations, loss of system and data availability, and manipulation of sensitive information, with the attacker demanding payment in return for the release of impacted services and encrypted data [9].

Mitigation

To mitigate further risk and exploitation of system services, both SonicWall and Arctic Wolf strongly encourage SonicOS users to update their SonicWall devices [3]. SonicWall also recommends that organizations reassess user privileges to ensure that only roles requiring access to firewall management have the ability to configure system firewalls [10]. Lastly, it is always important to follow good cyber security practices, including enabling multi-factor authentication (MFA) and following safe password practices such as complexity requirements and periodic resets [11].
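The three conditions this write-up ties to the compromised accounts (an unpatched device, an SSLVPN account without MFA, and management rights held by accounts that do not need them) are easy to check together in an inventory audit. The script below is an added example, not SonicWall or Arctic Wolf code: the inventory record format, the `minimum_by_gen` version thresholds and the sample devices and accounts are all constructed for illustration, and the real fixed firmware versions per generation must be taken from the SonicWall advisory SNWLID-2024-0015 rather than from this script.

```python
"""
Audit a constructed SonicWall firewall / SSLVPN inventory for the risk
conditions named in the write-up: firmware below the fixed release for its
generation, SSLVPN accounts without MFA, and firewall-management rights held
by accounts the access review says do not need them.

Added example, not vendor code. The record layout, thresholds and sample
data are assumptions made for illustration only.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Device:
    name: str
    generation: int   # 5, 6 or 7, as in the advisory's affected generations
    firmware: str     # constructed format such as "7.0.1-5035"


@dataclass(frozen=True)
class Account:
    username: str
    device: str
    mfa_enabled: bool
    roles: tuple
    needs_admin: bool  # outcome of the privilege review, not a device setting


def parse_version(version: str) -> tuple:
    """Turn '7.0.1-5035' into (7, 0, 1, 5035) so tuples compare numerically.
    Non-numeric fragments (e.g. a build suffix) are dropped."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def firmware_outdated(device: Device, minimum_by_gen: dict) -> bool:
    """True when the device is below the minimum version for its generation.
    An unknown generation is reported as outdated so it gets a manual review."""
    minimum = minimum_by_gen.get(device.generation)
    if minimum is None:
        return True
    return parse_version(device.firmware) < parse_version(minimum)


def audit(devices, accounts, minimum_by_gen):
    """Return sorted (subject, finding) pairs for every failed control."""
    findings = []
    device_by_name = {d.name: d for d in devices}
    for d in devices:
        if firmware_outdated(d, minimum_by_gen):
            findings.append((d.name, "firmware-outdated"))
    for a in accounts:
        if not a.mfa_enabled:
            findings.append((a.username, "mfa-disabled"))
        if "firewall-admin" in a.roles and not a.needs_admin:
            findings.append((a.username, "excess-management-privilege"))
        # Highest-risk combination: an MFA-less SSLVPN account on an unpatched device,
        # the pairing the write-up reports for the compromised accounts.
        d = device_by_name.get(a.device)
        if d is not None and not a.mfa_enabled and firmware_outdated(d, minimum_by_gen):
            findings.append((a.username, "exposed-sslvpn-account"))
    return sorted(findings)


# PLACEHOLDER thresholds: constructed values, NOT the real fixed versions.
# Replace with the per-generation fixed versions from SNWLID-2024-0015.
PLACEHOLDER_MINIMUM_BY_GEN = {5: "5.9.9", 6: "6.5.5", 7: "7.1.0"}

# Constructed sample inventory for the demonstration.
SAMPLE_DEVICES = [
    Device("fw-gen7-old", 7, "7.0.0-1000"),
    Device("fw-gen7-new", 7, "7.1.0-2000"),
    Device("fw-gen6", 6, "6.5.4-100"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "fw-gen7-old", False, ("sslvpn",), False),
    Account("bob", "fw-gen7-new", True, ("sslvpn", "firewall-admin"), False),
    Account("carol", "fw-gen6", True, ("sslvpn", "firewall-admin"), True),
]


def run_sample_audit():
    return audit(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, PLACEHOLDER_MINIMUM_BY_GEN)


if __name__ == "__main__":
    for subject, finding in run_sample_audit():
        print(f"{subject}: {finding}")
```

In the constructed sample, `alice` is the case the write-up describes (no MFA on an unpatched Gen 7 device) and is reported twice, once for the missing MFA and once for the combined exposure; `bob` has MFA but holds firewall-management rights the review did not justify; `carol` triggers nothing herself, but her device is still flagged as outdated.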

Conclusion

SonicWall’s Improper Access Control Vulnerability highlights the importance of maintaining system and organizational security through application updates and patching. When patches are released for services an organization uses, it is vital that they are applied quickly. Failure to apply security patches from system vendors can leave vulnerabilities open to exploitation by threat actors in attacks such as ransomware. CVE-2024-40766 demonstrates the importance for organizations of maintaining network and system security through strong cyber security practices.

References

[1] SonicWall. (n.d.). SonicWall. https://www.sonicwall.com/

[2] Arctic Wolf (n.d.). About Us. https://arcticwolf.com/company/overview

[3] Hostetler, S. (2024, September 6). Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts. https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

[4] SonicWall. (n.d.). About SSL VPN. https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-0-0-0-ssl_vpn/Content/ssl-vpn-about.htm#:~:text=SonicWall’s%20SSL%20VPN%20features,%2DPoint%20Protocol%20(PPP)

[5] SonicWall. (2024, August 22). SonicOS Improper Access Control Vulnerability. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

[6] Toulas, B. (2024, August 26). SonicWall warns of critical access control flaw in SonicOS. https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-access-control-flaw-in-sonicos/

[7] Toulas, B. (2024, October 27). Fog ransomware targets SonicWall VPNs to breach corporate networks. https://www.bleepingcomputer.com/news/security/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/

[8] Wolff, A. (2021, August 20). SonicWall Celebrating Three Decades of Putting Customers First. https://blog.sonicwall.com/en-us/2021/08/sonicwall-celebrating-three-decades-of-putting-customers-first/#:~:text=Today%2C%20SonicWall%20serves%20more%20than,organizations%2C%20enterprises%20and%20government%20agencies

[9] FBI. (n.d.). Ransomware. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware

[10] Sharma, S. (2024, October 28). Patched SonicWall critical vulnerability still used in several ransomware attacks. https://www.csoonline.com/article/3592294/patched-sonicwall-critical-vulnerability-still-used-in-several-ransomware-attacks.html

[11] At-Bay Security Team. (2024, September 20). SonicWall Vulnerability CVE-2024-40766: What You Need to Know. https://www.at-bay.com/articles/sonicwall-cve-2024-40766/#:~:text=Threat%20actors%20are%20focusing%20on,and%20deploy%20malware%20or%20ransomware