A leading security vendor has dismissed claims of a zero-day vulnerability in its products, stating that a surge in ransomware attacks against customers is due to poor password management.
As reported by Infosecurity earlier this week, researchers from multiple threat detection providers observed an increase in Akira ransomware intrusions against SonicWall customers in late July.
“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP [time-based one-time password] MFA being enabled, accounts were still compromised in some instances,” Arctic Wolf claimed.
However, in an updated statement today, SonicWall posited another cause of the successful attacks on its Gen 7 and newer firewalls with SSLVPN enabled.
“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015,” it explained.
“We are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory.”
Updated Advice for Customers
The security vendor strongly urged all customers who imported configuration settings from Gen 6 to newer firewalls to update to SonicOS 7.3, which has built-in protection against brute-force password and multi-factor authentication (MFA) attacks.
“Without these additional protections, password and MFA brute-force attacks are more feasible,” it warned.
SonicWall also urged customers to reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
It added that its previous advice still applies:
- Enable Botnet Protection and Geo-IP Filtering
- Remove unused or inactive user accounts
- Enforce MFA and strong password policies
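The vendor's advice above is about hardening the firewall itself. On the monitoring side, the attack pattern the statements describe (password brute force and spraying against SSLVPN accounts, then guessing TOTP codes once a carried-over password is accepted) is also visible in authentication logs. The following is an added example, not code from the article, SonicWall or any of the named researchers: it runs simple sliding-window detections over constructed key=value log lines. The log format, field names (`src`, `user`, `stage`, `result`) and thresholds are assumptions for illustration, not SonicWall's actual syslog schema.

```python
"""Sliding-window detection of SSLVPN brute-force, spraying and TOTP guessing.

Added example; the log format below is constructed and does not reproduce
SonicWall's real syslog fields.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# key=value pairs, values optionally double-quoted (assumed format)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line; the 'time' field becomes a datetime in 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect_vpn_bruteforce(lines, window=timedelta(minutes=5),
                          fail_threshold=10, spray_threshold=5, totp_threshold=5):
    """Return an ordered list of (alert_type, key) tuples, one per source/user.

    bruteforce: >= fail_threshold failed logins from one source IP within window
    spray:      one source IP failing against >= spray_threshold distinct users
    totp_guess: >= totp_threshold failed TOTP checks for one user within window,
                i.e. the password was accepted and the second factor is being guessed
    """
    per_src = defaultdict(deque)        # src -> deque of (ts, user) for failures
    per_user_totp = defaultdict(deque)  # user -> deque of ts for TOTP failures
    alerts, fired = [], set()

    def fire(kind, key):
        if (kind, key) not in fired:   # alert once per source/user, not per event
            fired.add((kind, key))
            alerts.append((kind, key))

    for raw in lines:
        ev = parse_line(raw)
        if ev.get("result") != "fail":
            continue
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        stage = ev.get("stage", "password")

        q = per_src[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= fail_threshold:
            fire("bruteforce", src)
        if len({u for _, u in q}) >= spray_threshold:
            fire("spray", src)

        if stage == "totp":
            t = per_user_totp[user]
            t.append(ts)
            while t and ts - t[0] > window:
                t.popleft()
            if len(t) >= totp_threshold:
                fire("totp_guess", user)
    return alerts


def _line(t, src, user, result, stage="password"):
    """Build one constructed log line in the assumed key=value format."""
    return f'time="{t}" msg="SSLVPN auth" src={src} user={user} stage={stage} result={result}'


# Constructed sample log (RFC 5737 documentation addresses, fictitious users):
SAMPLE_LOG = (
    # 12 password failures against one account in one minute -> bruteforce
    [_line(f"2024-07-20 10:00:{s:02d}", "203.0.113.7", "vpnadmin", "fail")
     for s in range(0, 60, 5)]
    # one source, six different users, one failure each -> spray (not bruteforce)
    + [_line(f"2024-07-20 10:05:{s:02d}", "198.51.100.9", f"user{s}", "fail")
       for s in range(0, 30, 5)]
    # a user who mistypes once and then logs in: no alert
    + [_line("2024-07-20 10:10:00", "192.0.2.5", "alice", "fail"),
       _line("2024-07-20 10:10:30", "192.0.2.5", "alice", "ok")]
    # password accepted for a migrated account, then five TOTP failures -> totp_guess
    + [_line("2024-07-20 10:20:00", "203.0.113.7", "migrated_user", "ok")]
    + [_line(f"2024-07-20 10:20:{s:02d}", "203.0.113.7", "migrated_user", "fail", "totp")
       for s in range(10, 60, 10)]
)

if __name__ == "__main__":
    for kind, key in detect_vpn_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {key}")
```

The third pattern is the one worth watching after a migration: a burst of second-factor failures with no preceding password failures means the attacker already holds a valid password, which is exactly the carried-over-credential scenario the statement describes, and the fix is a password reset rather than only rate limiting.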
The security vendor also thanked the research community – including Arctic Wolf, Google Mandiant, Huntress and Field Effect – for their vigilance.