48,000+ Vulnerable SonicWall Devices Under Attack From Akira And Fog Ransomware
Summary:
In August 2024, SonicWall addressed a critical improper access control flaw (CVE-2024-40766) in its SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and, under specific conditions, causing the firewall to crash. Despite patches being released, over 48,000 SonicWall devices remain vulnerable to CVE-2024-40766, giving threat actors ample opportunity to exploit the flaw. Notably, ransomware groups such as Akira and Fog have leveraged CVE-2024-40766 to actively target vulnerable SonicWall appliances for initial access to victim environments and to deploy their encryptors.
Security Officer Comments:
Between September and December 2024, security researcher Yutaka Sejiyama discovered that 100 companies had been compromised by the ransomware groups Akira and Fog through CVE-2024-40766. Akira was responsible for approximately 75% of these attacks, while Fog accounted for the remaining 25%. The attacks were not sector-specific; instead, they were opportunistic, targeting both small and large organizations across various industries. Notably, the time between initial access and file encryption ranged from just 1.5 hours to 10 hours, leaving organizations little to no opportunity to detect the intrusion and secure their defenses in time.
Suggested Corrections:
CVE-2024-40766 affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. In addition to applying the updates released by SonicWall, the vendor recommends restricting firewall management and SSLVPN to trusted sources or disabling firewall WAN management and SSLVPN from Internet access.
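As an added illustration (not from the article or from SonicWall), the following Python helper triages a firewall inventory against the two points above: whether a Gen 7 build is at or below SonicOS 7.0.1-5035, and whether management or SSLVPN is still reachable from the WAN. The inventory records, the Gen 5/6 handling and the priority scheme are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Threshold taken from the advisory text: Gen 7 on SonicOS 7.0.1-5035 and older is affected.
GEN7_LAST_AFFECTED = (7, 0, 1, 5035)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_sonicos_version(text: str) -> tuple:
    """Turn a SonicOS build string such as '7.0.1-5035' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def gen7_version_affected(version: str) -> bool:
    """True when a Gen 7 build is at or below the last affected build."""
    return parse_sonicos_version(version) <= GEN7_LAST_AFFECTED

@dataclass
class Appliance:
    name: str
    generation: int       # 5, 6 or 7
    version: str          # SonicOS build string
    wan_management: bool  # management reachable from the WAN
    sslvpn_on_wan: bool   # SSLVPN reachable from the WAN

def triage(a: Appliance) -> dict:
    """Rate one appliance on the two questions the advisory raises: unpatched? exposed?"""
    if a.generation == 7:
        vulnerable = gen7_version_affected(a.version)
    elif a.generation in (5, 6):
        # The advisory lists Gen 5/6 as affected without a build threshold here, so
        # they are flagged for a manual check against SNWLID-2024-0015 (assumption).
        vulnerable = True
    else:
        vulnerable = False
    exposed = a.wan_management or a.sslvpn_on_wan  # the exposure the vendor says to remove
    priority = {(True, True): "critical", (True, False): "high",
                (False, True): "medium", (False, False): "low"}[(vulnerable, exposed)]
    return {"name": a.name, "vulnerable": vulnerable, "exposed": exposed, "priority": priority}

# Constructed inventory for demonstration only; names and builds are not real devices.
INVENTORY = [
    Appliance("edge-fw-1", 7, "7.0.1-5035", wan_management=False, sslvpn_on_wan=True),
    Appliance("edge-fw-2", 7, "7.1.1-7000", wan_management=False, sslvpn_on_wan=True),
    Appliance("branch-fw", 6, "6.x-unknown", wan_management=True, sslvpn_on_wan=False),
]

def triage_inventory(appliances=INVENTORY) -> list:
    """Triage every appliance; 'critical' entries are both unpatched and Internet-exposed."""
    return [triage(a) for a in appliances]
```

Feed it real inventory data (generation, build string, and the WAN-exposure flags from the firewall configuration) to get a patch-and-harden worklist ordered by priority.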
Link(s):
https://cybersecuritynews.com/48000-vulnerable-sonicwall-devices/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
https://security.macnica.co.jp/en/b...nsa-cve-2024-40766-where-patching-stands.html