Alert - SSL VPN vulnerability impacting Gen 7 SonicWall Firewalls (CVE-2024-40766) – Update 1

Number: AL25-010
Date: August 5, 2025
Updated: August 7, 2025

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

Open-source reporting has indicated that a possible zero-day vulnerability in SonicWall SSL VPN is being actively exploited to bypass MFA and deploy ransomware (e.g., Akira Ransomware) [Footnote 1] [Footnote 2].

Update 1

The vendor has reported that the recent SSL VPN activity is not connected to a zero-day vulnerability but is instead correlated with CVE-2024-40766 [Footnote 3]. This vulnerability relates to migrations from Gen 6 to Gen 7 firewalls [Footnote 3].

Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs)

For more details on the Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs) conveyed in open-source reporting, please refer to the reports referenced below [Footnote 1] [Footnote 2].

Suggested actions

  • Update firmware to version 7.3.0
  • Reset all local user account passwords for any accounts with SSL VPN access, especially if they were carried over during migration from Gen 6 to Gen 7
  • Continue applying the previously recommended best practices:
    • Enable Botnet Protection and Geo-IP Filtering
    • Remove unused or inactive user accounts
    • Enforce MFA and strong password policies

The Cyber Centre recommends that organizations:

  • Assess the installations of SonicWall Firewalls
  • Apply updates to SonicWall Firewalls without delay
  • Monitor the vendor security KB for updated guidance [Footnote 3]

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions [Footnote 4], with an emphasis on the following strategies:

  • Consolidate, monitor, and defend internet gateways
  • Patch operating systems and applications
  • Isolate web-facing applications
  • Implement application allow lists

Review the Cyber Centre's Playbook on Ransomware (ITSM.00.099) and apply recommended security controls [Footnote 5].

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
