A significant security risk has been identified and is being actively exploited in certain SonicWall SSL VPN products. The issue was recently highlighted by cybersecurity news outlet The Hacker News, and SonicWall previously released an official security advisory confirming the threat.
Due to the critical nature of this risk and evidence of active exploitation, immediate action is required.
This post breaks down what you need to know and the steps you must take to protect your network.
According to those reports, threat actors are targeting the SSL VPN portal of SonicWall's Gen 7 firewalls and are using previously compromised credentials to breach networks. There is no confirmed evidence that an undiscovered or undisclosed vulnerability (a 'zero day') is being exploited.
SonicWall has published an official advisory outlining the issue and the steps needed to mitigate it. Based on that advisory, the following actions are required:
Update the firmware. The underlying, previously disclosed vulnerability is not reproducible in SonicOS firmware versions higher than 7.0.1-5035, so any Gen 7 firewall still running an older release should be upgraded.
Patching alone is not enough, because the attackers are using credentials that were already compromised; a patched firewall will still accept a valid stolen password. Reset the credentials of SSL VPN users, and, as SonicWall strongly recommends, enable MFA or consider disabling SSL VPN in favour of another remote access method such as CSE or the SMA 1000 product line. MFA adds a layer of protection that can block unauthorized access even when a password has been compromised.
If you are unable to apply the patch immediately, restrict access to the SSL VPN portal to trusted sources only, by allow-listing the specific IP addresses or networks that are permitted to connect. This reduces the attack surface, but it is not a substitute for patching and should be treated as a temporary measure.
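Whether or not the allow-list above is in place, the same list is useful for checking what has already happened: any successful SSL VPN login from a source outside it is a candidate for the credential-reset step. The script below is an added example written for this post, not code from SonicWall or from Logically; the key=value log format, field names and IP ranges are assumptions chosen for illustration (the sample lines are constructed, and the networks are documentation ranges), so adapt the regular expression to the real log export from your firewall.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed trusted source networks for the allow-list (example values only).
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. a branch office egress range
    ipaddress.ip_network("198.51.100.7/32"),  # e.g. a managed jump host
]

# Constructed sample log lines in a generic key=value syslog style.
# The field names are an assumption for this example, not a documented SonicWall schema.
SAMPLE_LOGS = """\
time="2025-08-01 09:12:03" fw=gen7-fw01 msg="SSL VPN login succeeded" usr=alice src=203.0.113.45
time="2025-08-01 09:13:11" fw=gen7-fw01 msg="SSL VPN login succeeded" usr=bob src=198.51.100.7
time="2025-08-01 22:41:57" fw=gen7-fw01 msg="SSL VPN login succeeded" usr=alice src=192.0.2.200
time="2025-08-01 22:42:10" fw=gen7-fw01 msg="SSL VPN login failed" usr=carol src=192.0.2.200
time="2025-08-01 22:45:31" fw=gen7-fw01 msg="SSL VPN login succeeded" usr=dave src=192.0.2.200
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)".*?msg="(?P<msg>[^"]+)".*?usr=(?P<usr>\S+).*?src=(?P<src>\S+)'
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "time": m["time"],
            "msg": m["msg"],
            "user": m["usr"],
            "src": ipaddress.ip_address(m["src"]),
        })
    return events


def is_trusted(addr, trusted=TRUSTED_SOURCES):
    """True when the source address falls inside any allow-listed network."""
    return any(addr in net for net in trusted)


def audit(events, trusted=TRUSTED_SOURCES):
    """Return (successful logins from untrusted sources,
               users whose credentials should be reset,
               untrusted source IPs used by more than one account)."""
    untrusted = [
        e for e in events
        if e["msg"].endswith("succeeded") and not is_trusted(e["src"], trusted)
    ]
    reset_users = sorted({e["user"] for e in untrusted})
    by_src = defaultdict(set)
    for e in untrusted:
        by_src[e["src"]].add(e["user"])
    # One external IP logging in as several accounts is a sign of credential reuse
    # from a single attacker host rather than of many legitimate remote users.
    shared = {str(ip): sorted(users) for ip, users in by_src.items() if len(users) > 1}
    return untrusted, reset_users, shared


if __name__ == "__main__":
    untrusted, reset_users, shared = audit(parse(SAMPLE_LOGS))
    for e in untrusted:
        print(f'{e["time"]} user={e["user"]} src={e["src"]} (outside allow-list)')
    print("reset credentials for:", ", ".join(reset_users))
    for ip, users in shared.items():
        print(f"{ip} used by multiple accounts: {', '.join(users)}")
```

Failed logins are deliberately excluded from the reset list so that a password-spraying attempt against an account does not by itself trigger a reset; the point of the audit is to find accounts whose existing password has already worked from somewhere it should not have.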
Our security team is already acting. We are auditing configurations, resetting credentials, and enforcing additional security best practices on SSL VPN. Logically managed firewall customers will have received all necessary patches for the previously disclosed vulnerability. We will notify you directly as this work is completed or if action is needed on the client's end, so please be on the lookout for tickets from Logically's Cybersecurity Team.
We urge you to take the steps described above without delay: update Gen 7 firewalls to a SonicOS release higher than 7.0.1-5035, reset SSL VPN user credentials, enable MFA (or move to another remote access method), and restrict SSL VPN access to trusted sources in the meantime.
The security of your network is paramount. Do not delay in addressing this critical threat.
If you are unsure how to perform these updates or need assistance in securing your SonicWall device, please contact the Logically team. We are here to help you navigate this issue and ensure your organization remains protected.