Making a stronger case for zero-day abuse, Arctic Wolf noted, “In some instances, fully patched SonicWall devices have been affected following credential rotation.” Some accounts were also compromised despite TOTP MFA being enabled, it added.
In each case, Arctic Wolf confirmed, only a short interval was observed between initial SSLVPN account access and ransomware encryption.
SonicWall did not immediately respond to CSO’s request for comment, but it had addressed the ‘zero-day’ reports in the disclosure, stating it is “committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed”. Earlier this year, SonicWall informed customers of a high-severity bug (tracked as CVE-2024-53704) affecting SSLVPN services that allowed authentication bypass by remote attackers. Apart from disabling SSLVPN services where practical, customers are advised to restrict SSLVPN connectivity to trusted source IPs, enable Botnet protection, Geo-IP filtering, and other security services, enforce MFA, and remove unused accounts.