SonicWall says recent attack wave involved previously disclosed flaw, not zero-day

SonicWall said late Wednesday that a wave of attacks targeting SonicWall Gen 7 customers since July involved a previously disclosed improper access-control vulnerability, not a zero-day flaw.

The company said the hacks — which have involved ransomware — were associated with the vulnerability CVE-2024-40766, which can lead to firewall crashes. Affected customers were using legacy credentials when migrating from Gen 6 to Gen 7 firewalls, according to SonicWall officials. 

Researchers had strongly suspected the attacks might be related to a zero-day flaw, although Arctic Wolf researchers previously said the activity was similar to prior attacks using CVE-2024-40766. 

“We had evidence that exploitation or access to these appliances was across a couple of different firmware versions and a pretty wide variety of Gen 7 firewall appliances,” Michael Tigges, senior hunt response analyst at Huntress, told Cybersecurity Dive. “And typically when you see adversaries update this type of behavior, they’ve found something.”

The recent campaign of intrusions began in July, when hackers deployed Akira ransomware in a series of opportunistic attacks. 

SonicWall said there were fewer than 40 confirmed compromises, and the company released guidance on how to change credentials and upgrade to SonicOS version 7.3.0. 

Many of the confirmed attacks took place in environments where customers carried the same local passwords over during the migration to the updated firewall and never changed those credentials afterward. SonicWall reiterated previous warnings that it was critical for users to reset their passwords.

Huntress researchers said late Wednesday that, out of an abundance of caution, users should rotate both local credentials and LDAP account credentials used for Active Directory integration. As of Wednesday, Huntress said, the attacks had compromised 28 of its customers. 

Other security firms, including Arctic Wolf, said earlier this week that a growing number of customers were experiencing intrusions, suggesting that SonicWall’s tally of 40 may soon grow.
