SonicWall has warned customers to disable SSL VPN services, as ransomware gangs have been actively exploiting a suspected zero-day vulnerability in SonicWall Generation 7 firewalls to breach networks over the past few weeks. The flaw has not yet been identified or assigned a CVE.
This is being reported as a critical and ongoing threat.
Attack chains begin with compromise of the SonicWall appliance, after which the attackers follow a "well-worn" post-exploitation path: enumeration, defence evasion, lateral movement and credential theft.
The incidents also involve the bad actors methodically disabling Microsoft Defender Antivirus and deleting volume shadow copies prior to deploying Akira ransomware.
There is also evidence of remote-access and persistence tooling being used for reconnaissance and follow-on access, notably AnyDesk, ScreenConnect and SSH.
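The post-exploitation steps above (Defender tampering, shadow-copy deletion, remote-access tool execution) are the observable, host-side part of this campaign and are the same regardless of how the firewall was breached. The following script is an added example, not code from the original bulletin, SonicWall or Huntress: it runs a small set of process-creation detection rules over constructed sample events (the event tuples, hostnames and user names are invented) and then correlates hits per host, so that a lone remote-access tool launch is reported but only a host showing two or more distinct techniques is escalated as pre-encryption staging.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). Each tuple is
# (timestamp, host, user, image path, command line), the fields a Sysmon EID 1 or
# Security 4688 record carries after normalisation.
SAMPLE_EVENTS = [
    ("2025-08-01T02:11:04Z", "FS01", "CORP\\svc_backup",
     r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("2025-08-01T02:11:09Z", "FS01", "CORP\\svc_backup",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2025-08-01T02:13:30Z", "WS22", "CORP\\jdoe",
     r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe --silent"),
    ("2025-08-01T02:15:00Z", "FS01", "CORP\\svc_backup",
     r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ("2025-08-01T09:00:00Z", "WS22", "CORP\\jdoe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     '"WINWORD.EXE" Q3-report.docx'),
]

# Detection rules keyed by technique. Each pattern is searched over
# image path + command line, so a renamed binary with a tell-tale
# argument string still matches.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy", re.IGNORECASE),
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable"
        r"|Add-MpPreference\s+-ExclusionPath"
        r"|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.IGNORECASE),
    "remote_access_tool": re.compile(
        r"AnyDesk|ScreenConnect|ConnectWiseControl", re.IGNORECASE),
}


def scan_events(events):
    """Return one (rule, timestamp, host, user) finding per rule hit, in event order."""
    findings = []
    for ts, host, user, image, cmdline in events:
        haystack = f"{image} {cmdline}"
        for rule, pattern in RULES.items():
            if pattern.search(haystack):
                findings.append((rule, ts, host, user))
    return findings


def staging_hosts(findings, min_techniques=2):
    """Hosts on which two or more distinct techniques were observed.

    A single remote-access tool launch is noisy on its own; Defender tampering
    plus shadow-copy deletion on the same host is the pattern that precedes
    Akira deployment in this campaign and warrants immediate escalation.
    """
    seen = defaultdict(set)
    for rule, _ts, host, _user in findings:
        seen[host].add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_techniques)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for rule, ts, host, user in hits:
        print(f"{ts} {host:<5} {user:<18} {rule}")
    print("hosts in pre-encryption staging:", staging_hosts(hits))
```

The patterns are deliberately narrow; in production you would feed real 4688/Sysmon data, add the PowerShell variants of shadow-copy deletion you see in your own environment, and whitelist the backup service accounts that legitimately run `vssadmin` so the correlation step, not the raw rule, drives the paging decision.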
Observed activity is limited to Gen 7 TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and the suspected flaw is believed to affect firmware versions 7.2.0-7015 and earlier.
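Turning the three conditions above (Gen 7 TZ or NSa model, SSL VPN enabled, SonicOS 7.2.0-7015 or earlier) into a repeatable asset-inventory check is the first thing most teams need to do. The script below is an added example, not SonicWall's own tooling: it parses SonicOS version strings into comparable tuples (it also accepts the four-part Gen 6 format such as 6.5.4.15-117n, so older devices are excluded rather than misparsed), and triages a constructed inventory. The device names and the model-prefix rule are assumptions for illustration; the version threshold comes straight from the bulletin.

```python
import re

# From the bulletin: the suspected flaw affects SonicOS 7.2.0-7015 and earlier on
# Gen 7 TZ and NSa firewalls with SSL VPN enabled. The model prefixes are an
# assumption based on SonicWall's product naming (NSv/NSsp are not listed as affected).
MAX_AFFECTED_VERSION = "7.2.0-7015"
AFFECTED_MODEL_PREFIXES = ("TZ", "NSA")

# SonicOS version strings look like "7.2.0-7015" (Gen 7) or "6.5.4.15-117n"
# (Gen 6): dotted release numbers, a dash, a build number, optional letter suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)[A-Za-z]*$")


def parse_sonicos_version(version):
    """Turn a SonicOS version string into a comparable tuple of ints.

    Raises ValueError for strings that do not look like a SonicOS version, so
    a typo in an asset inventory fails loudly instead of being treated as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    release, build = m.groups()
    return tuple(int(p) for p in release.split(".")) + (int(build),)


def is_gen7(version):
    """Gen 7 firewalls run SonicOS 7.x; the major number identifies the generation."""
    return parse_sonicos_version(version)[0] == 7


def is_affected(model, version, sslvpn_enabled):
    """True only when a firewall matches every condition stated in the bulletin."""
    if not sslvpn_enabled:
        return False
    normalised = model.replace(" ", "").upper()   # "NSa 2700" -> "NSA2700"
    if not normalised.startswith(AFFECTED_MODEL_PREFIXES):
        return False
    if not is_gen7(version):
        return False
    return parse_sonicos_version(version) <= parse_sonicos_version(MAX_AFFECTED_VERSION)


def triage(inventory):
    """Names of devices in an inventory of (name, model, version, sslvpn_enabled)
    tuples that meet the bulletin's conditions."""
    return [name for name, model, version, sslvpn in inventory
            if is_affected(model, version, sslvpn)]


# Constructed inventory for illustration, not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "TZ470", "7.2.0-7015", True),      # affected: at the threshold
    ("fw-dc-01", "NSa 2700", "7.0.1-5161", True),       # affected: earlier build
    ("fw-dc-02", "NSa 2700", "7.3.0-7012", True),       # later than the stated range
    ("fw-lab-01", "TZ370", "7.1.1-7040", False),        # SSL VPN disabled
    ("fw-legacy-01", "TZ400", "6.5.4.15-117n", True),   # Gen 6, out of scope
    ("fw-cloud-01", "NSv 270", "7.2.0-7015", True),     # NSv not listed as affected
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: matches bulletin conditions, disable SSL VPN until patched")
```

One caveat a practitioner should keep in mind: the version threshold reflects what was known when the bulletin was written, and "later than 7.2.0-7015" does not mean "fixed" until SonicWall confirms a patched release. Treat the check as a way to prioritise which devices to disable SSL VPN on first, not as a clean bill of health.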
SonicWall has indicated that it will publish patches and recommendations as soon as the root cause has been established. While its investigation continues, organisations running Gen 7 SonicWall firewalls are advised to follow SonicWall's interim guidance until further notice: disable SSL VPN services where practical, restrict SSL VPN access to trusted source IP addresses where it cannot be disabled, enforce multi-factor authentication for all remote access, and remove unused or inactive local user accounts.
If you have a vulnerable device that you believe may be compromised, contact the Integrity360 Incident Response team immediately.
More information on the zero-day vulnerability, published by Huntress, can be found here:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect your organisation from the most material threats it faces, please contact your account manager or get in touch to find out how you can protect your organisation.