SonicWall actively investigating rash of malicious activity targeting its firewalls

Analysts flag a surge in ransomware activity, as firewall maker looks to determine if a new – and unknown – vulnerability may be the culprit.


Cyber security firm SonicWall has warned users of its Gen 7 SonicWall firewalls to disable SSLVPN services where possible, as it investigates a sudden surge in cyber incidents.

“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” SonicWall said in an August 4 notice on its support website.

The company said it was aware of reports from Arctic Wolf, Google Mandiant, and Huntress regarding the activity.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” SonicWall said.

As part of its investigation, SonicWall is working with external partners, keeping customers updated, and has committed to a firmware update if the issue is, in fact, due to a heretofore unknown vulnerability.

For now, SonicWall is urging customers to disable SSLVPN services, limit SSLVPN connectivity to trusted IPs, and enable security services and multi-factor authentication.

Active exploitation underway

Security analysts at fellow cyber security firm Huntress have been blunt in their estimation of the threat.

“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress said in an August 4 blog post.

“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”

As far as Huntress is concerned, this wave of incidents represents a “critical, ongoing threat”.

Huntress alone has tracked at least 20 separate attacks between July 25 and August 3, each following a similar attack chain, and all culminating with the deployment of ransomware.

Analysts at Arctic Wolf have gone even further, laying the blame for the malicious activity at the feet of the Akira ransomware operation. Arctic Wolf dates the activity back to July 15, and notes that it has observed similar SonicWall firewall activity since at least October 2024.

“In contrast with legitimate VPN logins, which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments,” Arctic Wolf said in a blog post.

“Given the high likelihood of a zero-day vulnerability, organisations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”
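A defender-side illustration of the Arctic Wolf heuristic quoted above, added here and not drawn from any of the firms in the article: it reviews constructed SSLVPN login records and flags successful logins that come from ranges classified as VPS hosting, or from anywhere outside a trusted-IP allowlist of the kind SonicWall recommends. The log format, the netblocks and their hosting/broadband classification are all assumptions for the example.

```python
import ipaddress
import re

# Constructed SSLVPN authentication log lines in a hypothetical key=value format;
# this is not SonicWall's real syslog schema.
SAMPLE_LOG = """\
2025-07-28T02:14:07Z user=jsmith src=203.0.113.45 result=success
2025-07-28T02:15:31Z user=mlee src=198.51.100.77 result=success
2025-07-28T02:16:02Z user=admin src=192.0.2.9 result=success
2025-07-28T02:17:10Z user=kchan src=100.64.0.5 result=success
2025-07-28T09:01:44Z user=jsmith src=203.0.113.46 result=failure
"""

# Constructed classification standing in for an IP-to-ASN feed: the first two
# blocks play the role of VPS hosting ranges, the third a residential broadband ISP.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]
# Ranges the SSLVPN is meant to be restricted to (SonicWall's "trusted IPs" advice),
# also constructed for this example.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def in_any(ip, nets):
    return any(ip in net for net in nets)


def review_logins(log_text, hosting=HOSTING_RANGES, trusted=TRUSTED_RANGES):
    """Return (timestamp, user, src, reason) for each successful login whose source
    is a hosting range or falls outside the trusted allowlist. Failed logins are
    skipped; the heuristic is about who got in, not who knocked."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        ip = ipaddress.ip_address(m["src"])
        if in_any(ip, hosting):
            findings.append((m["ts"], m["user"], m["src"], "source in VPS/hosting range"))
        elif not in_any(ip, trusted):
            findings.append((m["ts"], m["user"], m["src"], "source outside trusted ranges"))
    return findings


if __name__ == "__main__":
    for ts, user, src, reason in review_logins(SAMPLE_LOG):
        print(f"{ts} {user} {src}: {reason}")
```

With a real IP-to-ASN feed in place of the constructed ranges, the same loop runs over exported firewall logs and surfaces the VPS-origin logins Arctic Wolf describes.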

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
