Executive Summary

    Update August 7th 12:50 AM UTC - SonicWall has issued an update indicating they are "highly confident" that the recent surge in SSL-VPN related threat activity is related to exploitation of an already disclosed critical vulnerability (CVE-2024-40766), rather than a new zero-day. This vulnerability, already in CISA's known exploited vulnerability catalog, has been used in past attacks by groups including Akira and Fog ransomware operators.

    To mitigate risk, SonicWall strongly recommends upgrading to SonicOS 7.3 and states the build introduces enhanced protections against brute-force and authentication bypass attempts. In addition, customers should reset local user credentials and confirm that MFA is properly enforced. Information and guidance within this advisory have been updated to reflect these recent findings from the vendor.

    Update August 6th 8:45 PM UTC - SonicWall has updated their advisory title to state "Gen 7 and newer" SonicWall Firewalls were being targeted with recent threat activity. The subtle change in title indicates that a broader product line than the Gen 7 devices may be implicated in recent attacks. BSL will continue to monitor the situation as it evolves.

    On August 4th, SonicWall support published an advisory concerning an increase in threat activity targeting their Gen 7 Firewalls, specifically those with the SSLVPN component enabled. At the time of this writing, no specific vulnerability or CVE has been assigned; however, SonicWall has indicated they are conducting an ongoing investigation with external security researchers to understand what might be causing the uptick in incidents impacting Gen 7 SonicWall firewall appliances.

    • Organizations with deployed instances of the SonicWall Gen 7 Firewall should closely review appliance logs going back through July 2025 and begin monitoring for suspicious user, network, file, and process activity on these appliances.

    • Additionally, SonicWall “strongly advises” any partners or customers using Gen 7 SonicWall firewalls to disable SSLVPN services where practical and limit SSLVPN connectivity to trusted IP sources while their investigation continues.

    This is a developing situation, and Beazley Security will update this advisory with additional details as they become available.

    Affected Systems or Products

    The suspected threat activity has been reported against SonicWall Gen 7 Firewalls.

    Products                            | Affected        | Unaffected
    ------------------------------------|-----------------|-----------------
    Gen 7 SonicWall Firewall and Newer  | Prior to 7.3.0  | 7.3.0 and later

    * SonicWall has indicated this is an ongoing investigation, and the above table may be subject to update as new findings are disclosed.

    Mitigations / Workarounds

    SonicWall has released guidance to upgrade to SonicOS 7.3 and implement its enhanced security features, which include protections against brute-force attacks, account lockout periods, and enhanced password complexity policies. Where firewalls cannot be updated, the following mitigations are recommended:

    • If SonicWall VPN services cannot be turned off, limit incoming connections to trusted source networks.

    • Enable vendor-supplied security features:

      • Activate SonicWall services such as Botnet Protection and Geo-IP Filtering.

      • Enforce Multi-Factor Authentication (MFA)

    • Increase logging and monitoring. For the duration of this threat actor campaign, increased monitoring of accounts and processes on the firewall can prevent threat actor pivoting into an organization’s internal network.

    • Implement best practices:

      • Remove unused accounts.

      • Encourage regular password updates across all user accounts.

    Patches

    SonicWall customers should upgrade to SonicOS 7.3 or later, which includes enhanced protections against brute-force attacks and MFA bypass techniques. To apply the patch:

    • Log in to the MySonicWall portal.

    • Download the latest SonicOS 7.3 firmware applicable to your device model and follow SonicWall's firmware upgrade instructions.

    Note: In addition to patching, SonicWall urges customers to reset local SSLVPN user credentials (especially if configurations were imported from Gen 6 devices) and verify that MFA is enabled for all remote access accounts.

    After upgrading, Beazley Security strongly recommends organizations review and enable the security features added in SonicOS 7.3. To enable the enhanced security features, log in to the firewall’s administrative interface and navigate to

    Device > Settings > Administration > Login/Multiple Administrators

    to adjust enforcement policies. These controls help reduce the risk of successful brute-force attacks and credential abuse and should be enforced with MFA for all users.

    Indicators of Compromise

    Behaviors observed suggest that threat actors are leveraging the SSLVPN service as an entry point to perform lateral movement and further malicious operations, such as adding accounts, exfiltrating data, and deploying ransomware.

    Rather than originating from home broadband networks as legitimate user traffic would, the authentication attempts seen in recent SonicWall VPN compromises have also come from virtual private servers (VPS). Observed indicators include:

    • Unusual SSLVPN login patterns, such as repeated or successful logins from unfamiliar or unexpected IP addresses, including where MFA is enabled

    • Unexpected lateral movement from the firewall to internal systems, including attempts to authenticate to internal domain controllers

    • Account takeover and manipulation:

      • Use of ‘net user’ and ‘net group’ commands to create accounts or escalate privileges

      • Creation of users like backupSQL, added to privileged groups

      • Abuse of privileged accounts associated with the SonicWall device, in some cases LDAPAdmin specifically

    Post exploitation IoCs observed:

    Type      | Value                                                                      | Description
    ----------|----------------------------------------------------------------------------|-----------------------------------
    File Path | C:\programData\w.exe                                                       | Akira Locker
    File Path | %userprofile%\Advanced Port Scanner 2\ advanced_port_scanner.exe           | Port scanning tool
    Sha1      | 763499b37aacd317e7d2f512872f9ed719aacae1                                   | Hash for above port scanning tool
    File Path | C:\[redacted]\Advanced_Port_Scanner_2.5.3869.exe; C:\ProgramData\port.exe | Port scanning tool locations
    Sha1      | 3477a173e2c1005a81d042802ab0f22cc12a4d55                                   | Hash for above port scanning tool
    File Path | C:\[redacted]\Advanced_IP_Scanner_2.5.4594.1.exe                           | Port scanning tool
    Sha1      | 86233a285363c2a6863bf642deab7e20f062b8eb                                   | Hash for above port scanning tool
    File Path | C:\ProgramData\w32.exe                                                     | Akira 32-bit Locker
    Sha1      | 1DBB4075E52A408BB55D2AEA5443EA0CF142D5FD                                   | Hash for above
    File Path | C:\ProgramData\ssh\cloudflared.exe                                         | C2
    Sha1      | 5a84b17e58a4d6b57430d2459d82a66e54c8080b                                   | Hash for above
    File Path | C:\ProgramData\shares.txt                                                  | Recon list of admin shares
    File Path | C:\ProgramData\hosts.txt                                                   | Recon list of targeted hosts
    LoLBin    | C:\program files\OpenSSH\sshd.exe                                          | Exfil
    Dst-IP    | 46.21.150[.]182:443                                                        | Exfil destination

    Technical Details

    SonicWall has observed a rise in threat activity targeting Gen 7 and newer firewall appliances with SSLVPN enabled, particularly in configurations where devices were migrated from Gen 6 platforms and local user credentials were carried over without being reset. As of the latest update, SonicWall states they are confident that recent threat activity is not due to a new zero-day vulnerability, but correlates strongly with exploitation of CVE-2024-40766, a previously disclosed improper access control vulnerability.

    SonicWall’s statements suggest that attackers may be exploiting the ability to perform unrestricted authentication attempts against the SSLVPN service on older versions of SonicOS, enabling brute-force attacks that would otherwise be made far less effective by modern login throttling and lockout protections. This significantly increases the likelihood that valid credentials, particularly weak or reused passwords, can be compromised. Threat actors recently exploiting these weaknesses have demonstrated a fast pivot to critical assets to establish persistence and deploy ransomware.
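    The login-pattern indicators listed above and the unthrottled brute-force mechanism described here can both be hunted for in SSLVPN authentication logs. The following is an added detection sketch, not SonicWall's or Beazley Security's code; the log line format, the sample lines, and the trusted source network are all constructed for the example.

```python
"""Flag SSLVPN logins that succeed after a burst of failures from the same
source, and successes from sources outside a trusted allowlist.
Added example; the log schema and sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed line format (NOT SonicWall's real syslog schema):
# "<ISO timestamp> sslvpn user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)$")

SAMPLE_LOG = """\
2025-07-20T02:10:01Z sslvpn user=jsmith src=203.0.113.7 result=failure
2025-07-20T02:10:02Z sslvpn user=jsmith src=203.0.113.7 result=failure
2025-07-20T02:10:03Z sslvpn user=jsmith src=203.0.113.7 result=failure
2025-07-20T02:10:04Z sslvpn user=jsmith src=203.0.113.7 result=failure
2025-07-20T02:10:05Z sslvpn user=jsmith src=203.0.113.7 result=failure
2025-07-20T02:10:09Z sslvpn user=jsmith src=203.0.113.7 result=success
2025-07-20T08:30:00Z sslvpn user=alee src=198.51.100.20 result=success
2025-07-20T09:00:00Z sslvpn user=mchen src=192.0.2.44 result=success
"""

# Constructed allowlist standing in for the "trusted IP sources" the advisory recommends.
TRUSTED = [ip_network("198.51.100.0/24")]

def parse(log):
    """Yield (timestamp, user, source ip, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["user"], m["src"], m["res"])

def find_suspicious_logins(log, failures=5, window=timedelta(minutes=10)):
    """Return alert strings in log order.
    Rule A: a success preceded by >= `failures` failures from the same source
            inside `window` (a brute-force attempt that finally worked).
    Rule B: a success from a source outside TRUSTED."""
    recent = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for ts, user, src, res in parse(log):
        if res == "failure":
            recent[src].append(ts)
            continue
        fails = [t for t in recent[src] if ts - t <= window]
        if len(fails) >= failures:
            alerts.append(f"brute-force success: {user} from {src} after {len(fails)} failures")
        if not any(ip_address(src) in net for net in TRUSTED):
            alerts.append(f"untrusted source: {user} from {src}")
        recent[src].clear()      # a success resets the failure run for that source
    return alerts
```

    Tune `failures` and `window` to the lockout threshold you enforce after upgrading; a success that still arrives after that many failures is worth an immediate credential reset for the account involved.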

    SonicOS 7.3 introduces additional safeguards against brute-force attacks and authentication bypass attempts. These security hardening features reduce the likelihood of successful credential stuffing or automated login attempts and are strongly recommended for all customers. Features include:

    • Login attempt lockout thresholds

    • Password complexity enhancements

    • Captive Portal and enforcement enhancements

    Organizations using affected SonicWall SSLVPN services should prioritize upgrading to SonicOS 7.3 and enforce the enhanced authentication controls. The combination of these controls, including login attempt lockouts and enforcement of a modern password complexity policy, provides critical protection against the tactics used by recent threat actors targeting these devices.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.