(TLP:CLEAR) Mass Exploitation of SonicWall Firewalls, Suspected Zero-Day

TLP:CLEAR
Created: Wednesday, August 6, 2025 - 14:32
Categories:
Cybersecurity, Security Preparedness

Summary: ACTION MAY BE REQUIRED for utilities using Gen 7 SonicWall firewalls with SSL VPN enabled. On Monday, August 4, SonicWall published a notice confirming a surge in threat activity against Gen 7 firewalls with SSL VPN enabled that may involve a previously unknown (zero-day) vulnerability. The notice followed warnings from Arctic Wolf, Google, and Huntress, all of which reported an increase in intrusions beginning with access through the SSL VPN service on Gen 7 SonicWall firewalls.

Analyst Note: Researchers have noted that attackers have compromised accounts on these devices even where multifactor authentication was enabled, and in some cases the SonicWall devices were fully patched, which supports the likelihood that a zero-day vulnerability is being exploited. WaterISAC urges members who use SonicWall Gen 7 firewalls in their environments to review the mitigation steps outlined by SonicWall and to disable SSL VPN services where practical. SonicWall notes that even where disabling SSL VPN is not viable, all of the remaining steps should still be followed.

Until further notice, SonicWall strongly advises all partners and customers using Gen 7 SonicWall firewalls to take the following actions:

  1. Disable SSLVPN Services Where Practical
  2. Limit SSLVPN connectivity to trusted source IPs
  3. Enable Security Services
    • Activate services such as Botnet Protection and Geo-IP Filtering
    • These help detect and block known threat actors targeting SSLVPN endpoints
  4. Enforce Multi-Factor Authentication (MFA)
    • Enable MFA for all remote access to reduce the risk of credential abuse
  5. Remove Unused Accounts
    • Delete any inactive or unused local user accounts on the firewall
    • Pay special attention to those with SSLVPN access
  6. Practice Good Password Hygiene
    • Encourage regular password updates across all user accounts.
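Two of the steps above, limiting SSL VPN connectivity to trusted source IPs and removing unused accounts with SSL VPN access, can be checked against exported data rather than by clicking through the management interface. The script below is an added example written for this advisory; it is not from WaterISAC or SonicWall and does not use SonicWall's export or syslog formats. The account CSV, the login event lines, the group name "SSLVPN Services", the trusted networks, and the 90-day inactivity limit are all constructed assumptions; adapt the two parsers to whatever your firewall actually emits.

```python
"""Added example (not from the WaterISAC advisory or SonicWall).

Reviews (a) an export of local firewall user accounts and (b) SSL VPN login
events, and flags accounts that are unused but still hold SSL VPN access
(step 5) and logins whose source IP is outside the trusted allowlist
(step 2). The CSV and log line formats are constructed for this example
and are NOT SonicWall export or syslog formats."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed account export: username, ';'-separated groups, last login (UTC date or empty).
ACCOUNTS_CSV = """username,groups,last_login
ops-admin,Administrators;SSLVPN Services,2025-08-01
contractor1,SSLVPN Services,2025-03-15
backup-svc,Guest Services,
dev-temp,SSLVPN Services,
"""

# Constructed login events: "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>".
LOGIN_EVENTS = """\
2025-08-04T02:13:11Z user=ops-admin src=203.0.113.10 result=ok
2025-08-04T02:14:02Z user=contractor1 src=198.51.100.77 result=ok
2025-08-04T02:14:09Z user=dev-temp src=198.51.100.77 result=fail
2025-08-04T08:00:00Z user=ops-admin src=192.0.2.25 result=ok
"""

# Assumed allowlist of trusted source networks (corporate egress, partner concentrators, etc.).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.0/24")]

SSLVPN_GROUP = "SSLVPN Services"          # assumed group name granting SSL VPN access
INACTIVITY_LIMIT = timedelta(days=90)     # assumed threshold for "unused"
REVIEW_DATE = datetime(2025, 8, 6, tzinfo=timezone.utc)  # date this review is run
EVENT_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")


def stale_sslvpn_accounts(accounts_csv, now, limit=INACTIVITY_LIMIT):
    """Return usernames in the SSL VPN group that have never logged in, or
    whose last login is older than `limit` relative to `now`."""
    stale = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if SSLVPN_GROUP not in row["groups"].split(";"):
            continue                      # no SSL VPN access: out of scope for step 5
        last = row["last_login"].strip()
        if not last:
            stale.append(row["username"])  # never used, still has SSL VPN access
            continue
        last_dt = datetime.strptime(last, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - last_dt > limit:
            stale.append(row["username"])
    return stale


def untrusted_logins(events, trusted=TRUSTED_SOURCES):
    """Return (timestamp, user, src, result) for every SSL VPN login attempt,
    successful or failed, whose source IP falls outside all trusted networks."""
    flagged = []
    for line in events.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # skip lines not in the constructed format
        ts, user, src, result = m.groups()
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted):
            flagged.append((ts, user, src, result))
    return flagged


if __name__ == "__main__":
    print("Stale SSL VPN accounts:", stale_sslvpn_accounts(ACCOUNTS_CSV, REVIEW_DATE))
    for ts, user, src, result in untrusted_logins(LOGIN_EVENTS):
        print(f"{ts} {user} from untrusted source {src} ({result})")
```

Failed attempts from untrusted sources are reported alongside successes on purpose: a burst of failures against several usernames from one address is the pattern to look for when credential abuse against the SSL VPN is suspected, and an allowlist that already blocks that address at the firewall is the control step 2 asks for.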

Original Source: https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Related WaterISAC PIRs: 6, 7, 8, 12