
SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal

A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.

An investigation aided by Mandiant confirmed the full extent of the compromise, which occurred when unidentified attackers hit a customer-facing system that SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.

SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post. 

“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.

The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack.

Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added. 

SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years. 

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.

While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.

The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.

“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said. 

“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”

SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.

The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.

Attack on SonicWall’s cloud portal exposes customers’ firewall configurations

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices. 

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop. 

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added. 

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said. 

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added. 

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm. 
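SonicWall characterized the activity above as a series of account-by-account brute-force attempts, and the watchTowr criticism earlier on this page concerned missing rate limiting on the portal. The following is an added example, not SonicWall's code or any vendor tool: it runs two detection heuristics over constructed login records in an assumed `timestamp result account source_ip` format, a per-account failure threshold and a per-source count of distinct accounts attempted, the latter being the signal that catches one source cycling through many accounts even when each account sees only one attempt.

```python
"""Detect per-account brute force and account-cycling in login records.

Added example; the log format below is an assumption, not a real product's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data). Source 203.0.113.5 walks through
# many accounts with one attempt each and succeeds on one; 198.51.100.7 hammers
# a single account; 192.0.2.9 is an ordinary login hours later.
SAMPLE_LOG = """\
2025-09-17T10:00:01Z FAIL alice 203.0.113.5
2025-09-17T10:00:02Z FAIL bob 203.0.113.5
2025-09-17T10:00:03Z FAIL carol 203.0.113.5
2025-09-17T10:00:04Z FAIL dave 203.0.113.5
2025-09-17T10:00:05Z FAIL erin 203.0.113.5
2025-09-17T10:00:06Z OK frank 203.0.113.5
2025-09-17T10:00:07Z FAIL grace 203.0.113.5
2025-09-17T10:00:10Z FAIL admin 198.51.100.7
2025-09-17T10:00:11Z FAIL admin 198.51.100.7
2025-09-17T10:00:12Z FAIL admin 198.51.100.7
2025-09-17T10:00:13Z FAIL admin 198.51.100.7
2025-09-17T10:00:14Z FAIL admin 198.51.100.7
2025-09-17T10:00:15Z FAIL admin 198.51.100.7
2025-09-17T12:30:00Z OK alice 192.0.2.9
"""


def parse_line(line):
    """Parse one assumed-format record into (timestamp, result, account, src)."""
    ts, result, account, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, src


def detect(log_text, window=timedelta(minutes=10),
           per_account_max=5, distinct_accounts_max=5):
    """Return (kind, key, detail) findings, each key flagged at most once.

    account_bruteforce: >= per_account_max failures on one account in window.
    account_cycling:    one source tried >= distinct_accounts_max accounts.
    success_after_cycling: a flagged source then authenticated successfully.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_account = defaultdict(deque)   # account -> failure timestamps
    attempts_by_src = defaultdict(deque)    # src -> (timestamp, account)
    flagged, findings = set(), []
    for ts, result, account, src in events:
        q = attempts_by_src[src]
        while q and ts - q[0][0] > window:      # drop entries outside window
            q.popleft()
        q.append((ts, account))
        if result == "FAIL":
            fa = fails_by_account[account]
            while fa and ts - fa[0] > window:
                fa.popleft()
            fa.append(ts)
            if len(fa) >= per_account_max and ("acct", account) not in flagged:
                flagged.add(("acct", account))
                findings.append(("account_bruteforce", account, src))
        distinct = {a for _, a in q}
        if len(distinct) >= distinct_accounts_max and ("src", src) not in flagged:
            flagged.add(("src", src))
            findings.append(("account_cycling", src, len(distinct)))
        if result == "OK" and ("src", src) in flagged:
            findings.append(("success_after_cycling", src, account))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Raising `distinct_accounts_max` out of reach reduces the detector to per-account lockout logic, and the cycling source then produces no finding at all, which is the gap such attacks exploit.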

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said. 

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks.

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.


SonicWall firewalls targeted by fresh Akira ransomware surge

Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise. 

A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploitation of the defect, which affects the secure sockets layer (SSL) VPN protocol in multiple versions of SonicWall firewalls, as well as to configuration errors.

Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.

The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organisations through SonicWall SSL VPNs,” the agency said.

Rapid7’s incident response team told CyberScoop it has spotted a steady increase in attacks since July, sometimes multiple incidents per week among its customers. The narrow scope of Rapid7’s visibility suggests impact could be much wider. 

SonicWall, which initially disclosed the vulnerability in August 2024, did not respond to a request for comment. Previously patched but improperly configured devices are showing up in many compromised environments. 

“In the vast majority of cases our team is working, the SonicWall firewalls have been upgraded to a version that patches CVE-2024-40766,” Rapid7’s incident response team said in an email. “The remediation step of changing local passwords was not completed, and attackers were therefore able to gain unauthorized access to the devices.”

SonicWall last month said many of the attacks in late July involved customers that migrated from Gen 6 to Gen 7 firewalls without resetting passwords. Customers have since been impacted by multiple configuration errors, according to Rapid7.

Researchers have identified attackers abusing default lightweight directory access protocol (LDAP) group configurations, which can overprovision access to SonicWall’s SSL VPN services. Attackers have also accessed the virtual office portal on SonicWall devices, likely in a bid to find users with compromised credentials or accounts lacking multifactor authentication, according to Rapid7.

The root cause of attacks targeting SonicWall devices has shifted since researchers suggested a zero-day vulnerability might have been involved in the first series of attacks in July. SonicWall ruled that out in early August, as more attacks were discovered, and pinned the attacks on CVE-2024-40766. 

SonicWall customers are no stranger to actively exploited vulnerabilities. The vendor has appeared 14 times on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA.

Rapid7 attributes all of the recent attacks involving SonicWall firewalls to Akira ransomware. 

Akira affiliates typically steal data and encrypt systems before they attempt to extort victims. Akira ransomware impacted more than 250 organizations from March 2023 to January 2024, claiming about $42 million in extortion payments, CISA said in an advisory last year.


SonicWall pins firewall attack spree on year-old vulnerability

SonicWall insists a spree of ransomware attacks hitting its Gen 7 firewalls is not linked to a zero-day vulnerability, but rather a critical defect the company previously disclosed and patched last summer in its network security operating system. 

The vendor disputed initial assessments from outside researchers suggesting the speed and scale of the attacks pointed to a potential zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector. “SonicWall has thoroughly investigated the matter, and based on current findings, we have high confidence that this activity is related to CVE-2024-40766,” SonicWall said in a statement, adding the defect is “not a new zero-day or unknown vulnerability.”

Conflicting theories and broad uncertainty surrounding the root cause of the latest series of attacks highlight the challenges security experts confront as they scramble to identify and remediate defects under attack in the wild. Arctic Wolf researchers previously noted the activity was similar to prior attacks involving CVE-2024-40766. 

SonicWall said fewer than 40 organizations have been impacted by the attacks, which started in mid-July and increased in pace over the next couple weeks. Two other cybersecurity companies, Huntress and GuidePoint Research, also capped their estimated victim count at under 40.

Many of the attacks involve customers that recently migrated from Gen 6 to Gen 7 firewalls without resetting passwords, SonicWall said in its updated blog post. The company did not say how many impacted customers were running firewalls without the previously issued patch for CVE-2024-40766.

SonicWall disclosed the improper access control vulnerability in SonicOS, which has a CVSS score of 9.8, Aug. 22, 2024. The defect was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog Sept. 9, 2024, and the agency confirmed it has been used in ransomware campaigns. 

SonicWall did not respond to a request for comment.

“It’s unclear if this CVE is the actual underlying issue in all of the cases we’ve seen,” Jamie Levy, director of adversary tactics at Huntress, said in an email. “We continue to see some exploitation of SonicWall devices on our end, but it’s unclear if they are patched or have outdated configurations.”

Huntress confirmed some impacted customers migrated to Gen 7 with older configurations, but one impacted organization told Huntress their SonicWall devices — which were new Gen 7 installs, not migrations from the previous generation — were compromised. “It’s possible that there are other vulnerabilities or misconfigurations at play,” Levy said. 

Most of the customers impacted by this series of attacks had already applied the patch for CVE-2024-40766, she added. “The vast majority of these attacks have tried to detonate ransomware, mostly Akira.”

Researchers at GuidePoint Security and Arctic Wolf also attributed the recent attacks to Akira ransomware affiliates. “We are not aware of any other groups involved in this campaign, but cannot altogether rule it out,” Jason Baker, managing security consultant on GuidePoint’s research and intelligence team, said in an email.

GuidePoint hasn’t analyzed the technical root cause of the attacks, but has “no reason to believe that SonicWall’s response is disingenuous or incomplete at this time,” Baker said.

Akira affiliates typically steal data and encrypt systems before they attempt to extort victims for a decryptor and to prevent the release of stolen data. Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year.

SonicWall’s updated guidance advises customers to change credentials and upgrade to SonicOS 7.3.0, which includes additional multifactor authentication controls. The company pulled previous guidance encouraging customers to disable SSLVPN on Gen 7 firewalls. 

“If any local administrator accounts have been compromised through CVE-2024-40766, attackers may exploit administrative features such as packet capture, debugging, logging, configuration backup, or MFA control to obtain additional credentials, monitor traffic or weaken the overall security posture,” SonicWall said.

SonicWall customers have been hit by persistent attacks involving defects in the company’s firewalls and software. The vendor has appeared 14 times on CISA’s known exploited vulnerabilities catalog since late 2021.


SonicWall firewalls hit by active mass exploitation of suspected zero-day

SonicWall warned customers to disable SSLVPN encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be-identified vulnerability affecting that critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.

Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.

“A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”

SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.

Researchers from multiple security companies confirmed attackers have intruded into and compromised customer networks, even in environments with multi-factor authentication enabled.

Attackers are moving swiftly, pivoting directly to domain controllers within hours and deploying ransomware after short dwell times, Huntress said in a threat advisory Monday. The company said it has observed about 20 attacks, occurring in almost daily bursts, starting July 25.

Huntress said post-compromise techniques span a mix of automated scripts and hands-on keyboard activities prior to Akira ransomware deployment. This includes the abuse of privileged accounts for administrative access, backdoor implants, lateral movements to steal credentials from multiple databases and a methodical disablement of security tools and firewalls. 

Multiple attackers have gained access to internal networks via SonicWall devices. While there are some similarities across the various attacks, Huntress also noted some differences, suggesting multiple threat groups might be involved or attackers are adapting to situations upon gaining access.  

SonicWall, a repeat offender

The active mass exploitation targeting SonicWall firewalls underscores the persistent risk the vendor’s customers have confronted for years. SonicWall has 14 entries on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021.

The more recent and ongoing attacks are targeting a next-generation firewall, unlike last month’s series of financially motivated attacks targeting organizations using fully patched, but outdated SonicWall Secure Mobile Access 100 series appliances. Half of the exploited vulnerabilities on CISA’s catalog affect SonicWall SMA 100 appliances, including three of the four defects actively exploited this year. 

SonicWall’s recommendation to disable SSLVPN on Gen 7 firewalls, which allows users to establish encrypted connections to the corporate network, serves as an acknowledgment that the critical service can’t be trusted to serve its primary purpose. Many organizations require employees to access their corporate network via VPN.

SonicWall’s SSLVPN was the root of the problem in at least three actively exploited vulnerabilities on CISA’s known exploited vulnerabilities catalog, including CVE-2024-53704, CVE-2023-44221 and CVE-2021-20016.

Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year. Officials said Akira operators steal data and encrypt systems before threatening to publish data. Some Akira affiliates have also called victimized companies to apply further pressure, according to the FBI.

An investigation into the root cause of the attacks and origins of those responsible is ongoing.


SonicWall customers hit by fresh, ongoing attacks targeting fully patched SMA 100 devices

A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday.

The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding into networks to steal data for extortion and possibly deploy ransomware, according to researchers.

The attacks stress the consistent risk SonicWall customers have confronted via exploited vulnerabilities, especially a series of defects affecting the outdated SonicWall SMA 100 series devices.

The vendor appears 14 times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Half of those exploited vulnerabilities affect SonicWall SMA 100 appliances, including three of the four defects added to CISA’s catalog this year. 

“In response to the evolving threat landscape — and in alignment with our commitment to transparency and customer protection — SonicWall plans to accelerate the end-of-support date for the SMA 100,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.

“SonicWall has been actively guiding customers toward more modern, secure solutions such as our Cloud Secure Edge service and the SMA 1000 series,” he added.

“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. These updates may become more frequent as we prioritize risk mitigation and the ongoing protection of our user base,” Fitzgerald said.

Google said it lacks evidence for the initial infection vector UNC6148 used to access SonicWall devices because the threat group’s malware selectively removes log entries. Yet, researchers said several vulnerabilities could have been exploited by UNC6148, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 or CVE-2025-32819.

“UNC6148 may have used one of the mentioned CVEs to obtain administrator credentials prior to the targeted appliance being updated to the latest firmware version (10.2.1.15-81sv), and then used them to later establish a VPN session before possibly exploiting another unknown vulnerability after the appliance was fully updated,” Zander Work, senior security engineer at Google Threat Intelligence Group, said in an email.

“However, there was insufficient forensic data to confirm this for incidents that we have investigated to date,” Work added.

Insights into post-compromise activities are also limited. “We believe that UNC6148 may conduct data theft for extortion or possibly ransomware deployment as the end-stage goal of their intrusions, but haven’t been able to confirm this due to limited investigative insights at this time,” Work said.

One of UNC6148’s targeted victims appeared on the World Leaks data leak site in June, and the threat group’s activity overlaps with SonicWall exploitation in late 2023 and early 2024, including attacks involving the deployment of Abyss-branded ransomware, according to Google.

Exploited SonicWall defects are popular vectors for ransomware, with the majority of the vendor’s CVEs on CISA’s catalog — 9 out of 14 — known to be used in ransomware campaigns, according to the federal agency.

Mandiant learned more about UNC6148’s technical operations during an investigation into an attack in June. In that attack, UNC6148 established an SSL VPN session on an SMA 100 series appliance using local administrator credentials before it deployed a reverse shell through unknown means.

The reverse shell allowed the threat group to perform reconnaissance, manipulate files, and export and import settings to the SMA 100 appliance, before it deployed the OVERSTEP backdoor, which Google shared technical details about in its report.

The investigation helped Google “learn more about how [UNC6148] may leverage previously compromised SonicWall appliances for further intrusion operations, even after organizations have applied security updates,” Work said.

Google and SonicWall declined to say how many SonicWall SMA 100 devices have been abused by UNC6148, nor how many organizations have been impacted by this ongoing campaign.

