therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.
Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.
SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.
The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.
SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.
The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.
At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.
“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.
The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.
When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”
Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”
Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.
A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.
“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.
He confirmed that the incidents Huntress examined also involved Akira ransomware.
'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.
“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.
“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.
Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.
techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.
“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”
LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
Perplexity is repeatedly modifying their user agent and changing IPs and ASNs to hide their crawling activity, in direct conflict with explicit no-crawl preferences expressed by websites.
