SonicWall probes potential zero-day flaw in SSL VPN
Probe follows Akira ransomware surge
SonicWall has confirmed it is investigating a potential zero-day vulnerability in its Gen 7 firewalls after more than 20 targeted cyberattacks were linked to a recent surge in Akira ransomware activity.
The network security company said it had seen a “notable increase” in reports of incidents involving Gen 7 SonicWall firewalls with SSL VPN enabled over the previous 72 hours, both from internal and external sources.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the firm said in a statement.
Although the investigation is still ongoing, organisations using affected devices are being urged to take immediate steps to reduce their risk.
These include:
- Disabling SSL VPN services where practical
- Restricting SSL VPN access to trusted IP addresses
- Enabling features such as Botnet Protection and Geo-IP Filtering
- Enforcing multi-factor authentication
- Deleting inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
- Encouraging users to update passwords regularly
The warning follows research from Arctic Wolf, which reported a rise in Akira ransomware attacks leveraging SonicWall SSL VPN devices for initial access since late July.
Compromised domain controllers
Cybersecurity firm Huntress also published its own findings this week, revealing that threat actors are gaining access through SonicWall devices and moving rapidly to compromise domain controllers. In some cases, attackers achieved this within hours of the initial breach.
Once inside the network, attackers followed a familiar pattern of post-exploitation activity, including network enumeration, evading detection, moving laterally and stealing credentials.
The attackers were also observed disabling Microsoft Defender Antivirus and deleting volume shadow copies before attempting to deploy the Akira ransomware payload.
Huntress said it had tracked around 20 related incidents starting on 25 July, with varying tactics used across different breaches. This included the use of tools such as AnyDesk, ScreenConnect and SSH for remote access and persistence.
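As an added illustration (not code from SonicWall, Huntress or Arctic Wolf), the following script shows how a defender might triage process-creation telemetry for the post-exploitation pattern described above: shadow copy deletion, Defender tampering and remote-access tooling. The log format and the sample lines are constructed for the example; real telemetry would come from a SIEM or EDR.

```python
"""Triage helper for the post-exploitation pattern described in the article
(added example, not vendor code). Scans constructed process-creation log lines
for shadow copy deletion, Defender tampering and remote-access tooling, then
flags hosts showing more than one of those behaviours."""
import re
from collections import defaultdict

# Each rule: (tactic label, regex applied to the recorded command line)
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    ("remote_access_tool", re.compile(r"\b(anydesk|screenconnect)\b", re.I)),
]

# Constructed sample lines, "timestamp host user | command" (assumed format, not real data)
SAMPLE_LOGS = [
    "2025-07-25T02:11:03Z dc01 CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet",
    "2025-07-25T02:12:40Z dc01 CORP\\svc_backup | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-07-25T02:15:09Z ws17 CORP\\jsmith | C:\\Program Files\\AnyDesk\\AnyDesk.exe --service",
    "2025-07-25T09:30:00Z ws22 CORP\\akim | notepad.exe C:\\Users\\akim\\notes.txt",
]

def parse_line(line):
    """Split one constructed log line into its fields."""
    meta, _, command = line.partition(" | ")
    ts, host, user = meta.split(" ", 2)
    return {"ts": ts, "host": host, "user": user, "command": command}

def triage(lines):
    """Return {host: {tactic: [commands]}} for every line matching a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_line(line)
        for tactic, pattern in RULES:
            if pattern.search(ev["command"]):
                hits[ev["host"]][tactic].append(ev["command"])
    return {host: dict(tactics) for host, tactics in hits.items()}

def escalate(hits):
    """Hosts showing two or more distinct tactics are prioritised for response."""
    return sorted(host for host, tactics in hits.items() if len(tactics) >= 2)

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for host in escalate(result):
        print(host, sorted(result[host]))  # prints: dc01 ['defender_tamper', 'shadow_copy_deletion']
```

The single-tactic host (the AnyDesk install) is still reported by `triage` so an analyst can review it against the remote-access tools the organisation actually sanctions.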
SonicWall has yet to confirm whether the attacks are due to a new exploit, but the firm continues to investigate.