SonicWall Gen 7 firewalls being targeted by zero-day attacks

SonicWall Gen 7 firewalls are being targeted by zero-day attacks, with security firms tracking Akira ransomware deployments since July 15. SSL VPN, where enabled, is suspected to be the initial access vector. About 20 organizations have been affected and the pace of attacks is rising. Threat researchers and SonicWall are scrambling to determine the root cause.

In several SonicWall-related incidents, according to a recent analysis by GuidePoint Security, the threat actors installed two legitimately signed Windows drivers—rwdrv.sys and hlpdrv.sys—as part of a Bring Your Own Vulnerable Driver (BYOVD) attack, with the goal of evading or disabling endpoint protection.

The Huntress team reports that it has also found these drivers in a number of other Akira ransomware-related incidents. In one of these cases, discovered on July 25, the activity originated from a SonicWall device. To limit visibility, the threat actor attempted to delete Volume Shadow Copies via WMI (powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject") and cleared the event logs.
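As an added example (not code from Huntress, GuidePoint or SonicWall), the following Python routine flags the three host-side behaviors described above in endpoint telemetry: the WMI shadow-copy deletion command, loads of the two named BYOVD drivers, and clearing of the Security event log. The JSON-lines field names and the sample events are constructed assumptions; Windows records a cleared Security log as event ID 1102.

```python
import json
import re

# Constructed sample telemetry (JSON lines). Not real data from any vendor.
SAMPLE_LOG = r'''
{"ts":"2025-07-25T03:12:41Z","host":"ws01","event":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\""}
{"ts":"2025-07-25T03:12:50Z","host":"ws01","event":"driver_load","image":"C:\\Windows\\Temp\\rwdrv.sys"}
{"ts":"2025-07-25T03:12:52Z","host":"ws01","event":"driver_load","image":"C:\\Windows\\Temp\\hlpdrv.sys"}
{"ts":"2025-07-25T03:13:10Z","host":"ws01","event":"log_cleared","event_id":1102,"channel":"Security"}
{"ts":"2025-07-25T03:14:00Z","host":"ws01","event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
'''

# Any command line that enumerates Win32_Shadowcopy and pipes it to Remove-WmiObject,
# regardless of case, spacing or extra arguments between the two.
SHADOW_RE = re.compile(r"win32_shadowcopy.*remove-wmiobject", re.IGNORECASE | re.DOTALL)
# Driver file names reported in the Akira/SonicWall intrusions.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}


def detect(log_text):
    """Return (timestamp, rule, detail) findings for each matching JSON-lines event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "process_create" and SHADOW_RE.search(ev.get("cmdline", "")):
            findings.append((ev["ts"], "shadow_copy_deletion_wmi", ev["cmdline"]))
        elif kind == "driver_load":
            # Compare only the file name; the staging directory varies per intrusion.
            name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in BYOVD_DRIVERS:
                findings.append((ev["ts"], "byovd_driver_load", ev["image"]))
        elif kind == "log_cleared" and ev.get("event_id") == 1102:
            findings.append((ev["ts"], "security_log_cleared", ev.get("channel", "")))
    return findings


def triage(findings):
    """Escalate when shadow-copy deletion is seen alongside a BYOVD driver load."""
    rules = {rule for _, rule, _ in findings}
    if {"shadow_copy_deletion_wmi", "byovd_driver_load"} <= rules:
        return "high"
    return "medium" if rules else "none"


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts, rule, detail)
    print("severity:", triage(detect(SAMPLE_LOG)))
```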

In its most recent advisory update, released on August 6 at 5:30 p.m. ET, SonicWall stated with high confidence that the new threat activity is not related to a zero-day vulnerability but rather correlates with activity tied to CVE-2024-40766. First disclosed in August 2024, this improper access control flaw in SSL VPN and SonicOS management access can result in “unauthorized resource access and in specific conditions, [cause] the firewall to crash.” According to SonicWall, many of the incidents appear to involve firewalls migrated from sixth-generation to seventh-generation devices, where local user passwords were carried over during the migration and not reset afterwards.

As a precaution, the Huntress team advises affected organizations to change the passwords for both local user accounts and the LDAP accounts used for Active Directory integration. As we continue to investigate this threat activity, we advise organizations to remain alert.

About Carlo Bazzo 19 Articles
Sysadmin & network eng. @Epysoft, editor @TheTechGoggler, CTO @HDEMO. Former developer @MSFT @GOOG. Former MOps consultant @XRX @HPQ. LinkedIn: it.linkedin.com/in/carlobazzo