SonicWall Probes Ransomware Attacks Exploiting Suspected 0-Day Vulnerability

SonicWall is currently examining a series of cyber incidents involving ransomware, believed to be exploiting a zero-day vulnerability in its firewall devices. These attacks reportedly bypass multi-factor authentication (MFA) and deploy ransomware, suggesting the exploitation of an unknown flaw.

On Monday, SonicWall confirmed that it is investigating this surge in ransomware activity, particularly affecting Gen 7 firewalls running various firmware versions with SSL VPN enabled.

According to a spokesperson speaking with The Register, both internal teams and third-party threat researchers, including Arctic Wolf, Google Mandiant, and Huntress, have flagged the incidents. The company is collaborating with these groups to verify whether this activity is linked to a known vulnerability or if it represents a new zero-day exploit.

Although a new bug has not yet been officially confirmed, SonicWall has pledged to release firmware updates and security guidance as soon as any flaw is identified.

In the meantime, SonicWall recommends that users of Gen 7 firewalls disable SSL VPN services where feasible and follow the steps below to reduce exposure:

  • Restrict SSL VPN access to known, trusted IP addresses.
  • Activate security services like botnet protection and Geo-IP filtering.
  • Delete inactive or unused firewall user accounts.
  • Encourage strong password practices.
  • Apply MFA for all remote access.

However, SonicWall warned that enabling MFA alone might not be enough to stop these ongoing ransomware attacks.
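Two of the mitigations above (restricting SSL VPN access to trusted source addresses, and removing unused accounts) can be checked offline against VPN login records, which is useful both for verifying that the restriction is actually in force and for spotting logins that the restriction should have blocked. The script below is an added example written for this article; it is not SonicWall's code, and the log line shape, IP ranges and account names are constructed for the example rather than taken from SonicOS.

```python
"""Audit constructed SSL VPN login records against two of the listed mitigations:
successful logins from outside a trusted source-IP allowlist, and user accounts
that have not logged in within a given window. The log format, addresses and
account names are constructed for this example; it is not SonicWall's format."""

import ipaddress
import re
from datetime import datetime, timedelta

# Constructed allowlist: the ranges an organisation permits SSL VPN access from.
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed records in a generic "<timestamp> <event> user=<name> src=<ip>" shape.
SAMPLE_LOG = """\
2025-07-01T08:02:11Z vpn_login_success user=alice src=203.0.113.17
2025-07-15T19:44:03Z vpn_login_success user=bob src=198.51.100.9
2025-07-29T02:13:57Z vpn_login_success user=svc-backup src=192.0.2.77
2025-07-30T23:58:40Z vpn_login_failure user=carol src=192.0.2.77
2025-07-31T09:10:22Z vpn_login_success user=alice src=203.0.113.41
"""

# Constructed account inventory; 'dave' never appears in the log at all.
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave", "svc-backup"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>vpn_login_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict of parsed fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def parse_log(text):
    """Parse every matching line; unparseable lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def untrusted_logins(records, trusted_cidrs):
    """Successful logins whose source address lies outside every trusted range."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [
        (r["user"], str(r["src"]))
        for r in records
        if r["event"] == "vpn_login_success"
        and not any(r["src"] in n for n in nets)
    ]


def inactive_accounts(records, known_accounts, now, max_idle_days):
    """Known accounts with no successful login in the max_idle_days before `now`."""
    last_seen = {}
    for r in records:
        if r["event"] == "vpn_login_success":
            last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        a for a in known_accounts if a not in last_seen or last_seen[a] < cutoff
    )


def run_audit(log_text, trusted_cidrs, known_accounts, now_iso, max_idle_days):
    """Run both checks over a log; `now_iso` is the audit time as YYYY-MM-DD."""
    recs = parse_log(log_text)
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    return {
        "untrusted_logins": untrusted_logins(recs, trusted_cidrs),
        "inactive_accounts": inactive_accounts(recs, known_accounts, now, max_idle_days),
    }


if __name__ == "__main__":
    result = run_audit(SAMPLE_LOG, TRUSTED_CIDRS, KNOWN_ACCOUNTS, "2025-08-01", 14)
    print("logins from outside the allowlist:", result["untrusted_logins"])
    print("accounts idle or unused for 14 days:", result["inactive_accounts"])
```

On the constructed data the audit flags the `svc-backup` login from 192.0.2.77 (a successful login from outside the allowlist, exactly what an enforced source restriction should have prevented) and lists `bob`, `carol` and `dave` as candidates for the account clean-up; `carol`'s only record is a failed login, so she is treated as unused. Adapting it to real exports means replacing `LINE_RE` with the exporter's actual line format and feeding it the organisation's own allowlist and account inventory.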

Given that SonicWall VPNs have previously been targeted by both state-sponsored hackers and criminal ransomware groups, immediate implementation of these mitigations is highly advised. Also, users should remain alert for upcoming vulnerability announcements and patches.