A recent wave of ransomware attacks targeting SonicWall firewall devices may be related to a zero-day vulnerability in the products, according to researchers.
Anomalous firewall activity that began on July 15 and involved VPN access through SonicWall SSL VPNs morphed into intrusions the following week, researchers at Arctic Wolf said.
“This appears to be affecting SonicOS devices from what we’ve seen so far,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Cybersecurity Dive. “Our investigation is still preliminary, so I’m not able to offer much more detail yet.”
Hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs, according to the researchers.
Similar activity occurred in 2024 when hackers targeted a SonicWall vulnerability tracked as CVE-2024-40766.
Arctic Wolf said it could not rule out brute-force attacks or credential stuffing, although it said it had seen several cases in which the hackers compromised fully patched SonicWall devices whose owners had rotated their credentials. The company has also seen hackers breach systems that used multifactor authentication.
A spokesperson for SonicWall was not immediately available for comment.
