SonicWall firewalls the common access point in spreading ransomware campaign | Cybersecurity Dive
Arctic Wolf Labs researchers said SonicWall firewalls were the initial access point for at least 30 ransomware attacks since August.
The potential for additional victim organizations is extensive. The latent risk extends to SonicWall customers who haven’t patched the critical vulnerability in SonicOS, the software powering the security vendor’s firewalls.
“The vulnerability described in the CVE impacts more than 300,000 appliances under support, so there are potentially thousands of organizations impacted,” Fitzgerald said.
About half of customers using newer SonicWall Gen 7 devices have upgraded their firmware, and around 30% of units running Gen 6.5 and older have patched the vulnerability with a software update, Fitzgerald said.
Threat groups linked to these attacks are targeting a broad swath of industries and organizations of various sizes, Kerri Shafer-Page, VP of digital forensics incident response at Arctic Wolf, said Thursday via email.
SonicWall added it isn’t aware of any patterns suggesting specific types of organizations or industries are being targeted.
Attackers both encrypted and stole data. In one case, up to 30 months of sensitive information from human resources and accounts payable departments was stolen, according to Arctic Wolf. During encryption, attackers focused on virtual machine storage and the backups of those virtual machines.
The time from initial access to ransomware deployment or encryption ranged from 90 minutes to 10 hours, according to Arctic Wolf.
Akira ransomware was deployed in 3 in 4 attacks observed by Arctic Wolf, and Fog ransomware was deployed in the remainder.
SonicWall said it does not disclose details shared by customers or information about ransomware attacks against its customers. “SonicWall is not otherwise aware of operational disruptions, data leaks, extortion demands or payments linked to the attempted intrusion activity observed,” Fitzgerald said.
Arctic Wolf Labs said it hasn’t observed definitive evidence linking the intrusions to exploitation of CVE-2024-40766, but initial access to victim environments involved the use of SonicWall secure sockets layer (SSL) VPN accounts.
All SonicWall devices involved in these attacks were running firmware versions affected by the vulnerability, Arctic Wolf Labs researchers said.
Security researchers first warned in early September that ransomware groups were compromising SSL VPN accounts on SonicWall devices to gain initial access.
Since disclosing the vulnerability in August, SonicWall said it initiated a call campaign and sent multiple security bulletins to partners and customers. The company also said it shared information with incident response firms, government agencies and law enforcement.