SonicWall Investigating If Zero-Day Flaw Is Behind Recent Attacks
The security vendor said in a statement Monday that recent attacks have targeted Gen 7 firewalls with SSLVPN enabled.
SonicWall said Monday it’s investigating whether a zero-day vulnerability has been exploited in cyberattacks targeting Gen 7 firewalls with SSLVPN enabled.
The security vendor released a statement to CRN Monday following reports by third-party security researchers about a wave of recent incidents exploiting SonicWall devices, as well as attacks detected by the company’s internal teams.
As part of the investigation, SonicWall is working to determine if the attacks have involved exploitation of a known vulnerability or of a zero-day flaw, the company said in the statement.
SonicWall also posted an advisory Monday pointing to a “notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled” over the past 72 hours.
Security researchers at Arctic Wolf and Huntress have said in recent days that they have observed active exploitation of a likely zero-day vulnerability affecting SonicWall devices.
The devices have been exploited in attacks that have involved deployment of ransomware, the researchers have said.
In its statement Monday, SonicWall said that it is “actively investigating” the recent increase in cyberattacks involving “a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled.”
“These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress,” SonicWall said in the statement. “We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.”
In mid-July, the Google Threat Intelligence Group disclosed that a cybercriminal group had been observed exploiting SonicWall Secure Mobile Access (SMA) 100 appliances, likely using known vulnerabilities.
However, in the case of the recent attacks observed by Arctic Wolf’s researchers, “available evidence points to the existence of a zero-day vulnerability,” wrote Julian Tuin, a senior threat intelligence researcher at Arctic Wolf Labs, in a post Friday.
Echoing the findings, Huntress researchers wrote in a post Monday that “a likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware.” The incidents are “originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” the Huntress researchers wrote.
As of this writing, it also remains unclear how many distinct vulnerabilities have been exploited in the SonicWall attacks, on top of the open question of whether a known or zero-day vulnerability is involved.
In a statement provided to CRN Monday, Arctic Wolf wrote that the “activity we’re observing so far has been limited to SonicOS devices such as the TZ, NSa product lines, not SMA. As far as we are aware, these vulnerabilities are separate.”
SonicWall said in its statement Monday that “if a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.”
The vendor also said it’s urging partners and customers using Gen 7 firewalls to disable SSLVPN services “where practical,” or to at least limit SSLVPN connectivity to trusted IPs if disabling the services is not possible.
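The guidance above amounts to a simple policy: on Gen 7 firewalls, SSLVPN should be off, or, failing that, reachable only from trusted source IPs. The following is an added example, not code from SonicWall, CRN or the researchers quoted, that audits a firewall inventory against that policy. The record layout, the trusted ranges and the inventory entries are all constructed for the demo (a real SonicOS configuration export looks different and would need its own parser); the check itself, "every permitted SSLVPN source must sit inside a trusted allow-list, and an empty source list means exposed to anyone", is the part worth reusing.

```python
"""Audit a firewall inventory for SSLVPN exposure on Gen 7 devices.

Added example, not vendor code. The policy follows the guidance quoted in the
article: disable SSLVPN where practical, otherwise restrict it to trusted IPs.
The record format, trusted ranges and inventory below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FirewallRecord:
    name: str
    generation: int                 # 7 for Gen 7 (TZ, NSa series)
    sslvpn_enabled: bool
    # Source networks permitted to reach the SSLVPN service; empty means "any".
    sslvpn_allowed_sources: list[str] = field(default_factory=list)


# Constructed allow-list of trusted VPN source ranges (RFC 5737 test addresses).
TRUSTED_SOURCES = ["203.0.113.0/24", "198.51.100.10/32"]

# Constructed inventory: compliant, disabled, open, over-broad, malformed, out of scope.
SAMPLE_INVENTORY = [
    FirewallRecord("branch-tz-01", 7, True, ["203.0.113.0/24"]),
    FirewallRecord("dc-nsa-01", 7, False),
    FirewallRecord("branch-tz-02", 7, True),                   # reachable from any source
    FirewallRecord("branch-tz-03", 7, True, ["0.0.0.0/0"]),    # allow-all source rule
    FirewallRecord("lab-tz-04", 7, True, ["not-an-ip"]),       # malformed entry
    FirewallRecord("legacy-nsa-06", 6, True),                  # not Gen 7, outside the guidance
]


def _within_trusted(source, trusted):
    """True if the source network is wholly contained in some trusted network.

    Raises ValueError for a malformed source so the caller can report it.
    """
    net = ipaddress.ip_network(source, strict=False)
    # subnet_of() only compares networks of the same IP version.
    return any(t.version == net.version and net.subnet_of(t) for t in trusted)


def audit_inventory(records, trusted_sources=TRUSTED_SOURCES):
    """Return {firewall name: [findings]} for every Gen 7 device with SSLVPN enabled.

    An empty findings list means the device already complies with the policy.
    """
    trusted = [ipaddress.ip_network(t) for t in trusted_sources]
    findings = {}
    for fw in records:
        if fw.generation != 7 or not fw.sslvpn_enabled:
            continue  # guidance is scoped to Gen 7 firewalls with SSLVPN on
        issues = []
        if not fw.sslvpn_allowed_sources:
            issues.append("SSLVPN reachable from any source: disable it or restrict to trusted IPs")
        for src in fw.sslvpn_allowed_sources:
            try:
                if not _within_trusted(src, trusted):
                    issues.append(f"SSLVPN source {src} is outside the trusted allow-list")
            except ValueError:
                issues.append(f"SSLVPN source {src!r} is not a valid IP network")
        findings[fw.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{'OK' if not issues else 'ACTION':6} {name}")
        for issue in issues:
            print(f"       - {issue}")
```

Running the script prints one line per in-scope firewall; only `branch-tz-01` comes back clean, while the open, allow-all and malformed entries each get an actionable finding. Note that `0.0.0.0/0` is treated like any other source: it is simply not a subnet of a trusted range, so an "allow everything" rule fails the check without needing a special case.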