Technical Advisory: SonicWall Targeted by Ransomware Group

Martin Zugec

August 07, 2025


Bitdefender MDR has observed a significant increase in malicious activity targeting SonicWall Gen 7 (and newer) firewalls with SSL VPN enabled. While initial observations suggested a likely zero-day vulnerability, SonicWall has since stated with high confidence that this activity correlates with CVE-2024-40766. 

This vulnerability is an improper access control flaw in SonicOS management access and SSL VPN, first published in August 2024. Many observed incidents appear to be related to migrations from Gen 6 to Gen 7 firewalls where local user passwords were carried over but not subsequently reset, a critical step outlined in the original advisory. Threat actors are exploiting this to gain initial access, bypass MFA, establish persistence, move laterally, and were observed deploying Akira ransomware. 

The Bitdefender MDR team has been working closely with our customers who use SonicWall devices. We are releasing this advisory to make sure all SonicWall users - including those not using our MDR service - have the necessary information to protect their systems. 

Affected Products 

  • SonicWall Gen 7 (and newer) series firewalls with SSL VPN enabled 
  • Specifically confirmed in TZ and NSa-series SonicWall firewalls
  • Vulnerability confirmed in firmware versions 7.2.0-7015 and earlier 

Threat Analysis 

This campaign is characterized by rapid exploitation and post-exploitation actions. Attackers are leveraging access to SonicWall SSL VPNs to breach internal networks, often pivoting directly to domain controllers within hours of initial compromise. The core issue is now understood to be related to CVE-2024-40766, an improper access control flaw in SonicOS management access and SSL VPN that can lead to unauthorized resource access and, in specific conditions, cause the firewall to crash. 

A significant factor in observed incidents is the migration of configurations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over and not subsequently reset, even though the original advisory identified that reset as a critical step. SonicOS 7.3 includes enhanced protections against brute-force password and MFA attacks, which were more feasible in earlier versions. Even fully patched devices with MFA enabled have been compromised in some instances, which suggests either an as-yet-unpublished authentication or session flaw or a problem with how MFA is enforced. 

Bitdefender MDR has noted at least one incident in August 2025 that mirrors the widely reported activity, with previous incidents between June and August 2025 involving similar SonicWall firewall exploits as an attack vector or part of the attack chain. Earlier malicious VPN logins have been observed since at least October 2024. 

(Note: A separate, ongoing campaign by UNC6148 is also targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances with a tailored backdoor named OVERSTEP, leveraging stolen credentials and OTP seeds. This advisory primarily focuses on the Gen 7 firewall activity.) 

Observed Attack Playbook 

  1. Initial Breach: Gaining access through the vulnerable SonicWall SSL VPN appliance.
  2. Abuse Privileged Accounts: Immediately gaining administrative access by leveraging over-privileged LDAP or service accounts (e.g., sonicwall, LDAPAdmin).
  3. Establish Command and Control (C2) & Persistence: Deploying Cloudflared tunnels and OpenSSH, often staged in C:\ProgramData, to maintain a durable backdoor. Attackers also install RMMs like AnyDesk, ScreenConnect, or RustDesk, and create new user accounts, including backupSQL and lockadmin, sometimes adding them to Domain Admins or Remote Desktop Users groups.
  4. Enumeration: Utilizing tools like Advanced_IP_Scanner or built-in Windows utilities (nltest.exe, PING.EXE, PowerShell Get-ADComputer) to gather network and account information.
  5. Lateral Movement & Credential Theft: Employing WMI and PowerShell Remoting to move across the network. Scripts are used to dump and decrypt credentials from Veeam Backup databases, back up the NTDS.dit Active Directory database with wbadmin.exe for offline cracking, and harvest browser login data. Attackers use Living-off-the-Land (LotL) techniques, making detection difficult. This includes credential access against LSASS and pass-the-hash, ultimately yielding golden tickets (forged Kerberos TGTs, which require the krbtgt account hash typically recovered from the NTDS.dit copy).
  6. Data Staging and Exfiltration: Using tools such as WinRAR for archiving and FileZilla FTP Client for data exfiltration.
  7. Ransomware Deployment: The final objective is Akira ransomware deployment, often via executables like w.exe or win.exe. Recovery is complicated by deletion of Volume Shadow Copies with vssadmin.exe (GravityZone's Ransomware Mitigation does not rely on this OS feature).
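To turn the playbook above into something a SOC can hunt with, here is an added example (not Bitdefender's or SonicWall's code) of detection logic that maps normalised Windows process-creation and account-management events to the stages listed above and escalates hosts where several stages fire together. The indicator values (vssadmin shadow deletion, wbadmin against NTDS, cloudflared staged in C:\ProgramData, the backupSQL and lockadmin accounts, Domain Admins and Remote Desktop Users) come from the playbook; the event schema, rule names, RMM binary file names and the sample telemetry are assumptions constructed for this example.

```python
"""Playbook-stage detector for the SonicWall/Akira intrusion chain.

Added example, not Bitdefender or SonicWall code. Events are a
constructed, normalised form of Sysmon Event ID 1 / Security 4688
(process creation), 4720 (user created) and 4728/4732 (group member
added); a real pipeline would fill the same fields from exported logs.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # 'process', 'user_created' or 'group_add'
    host: str
    image: str = ""      # full path of the executable (process events)
    cmdline: str = ""
    target: str = ""     # account created / added (account events)
    group: str = ""      # group the account was added to (group_add)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Indicator values taken from the playbook; binary file names are assumptions.
SUSPECT_ACCOUNTS = {"backupsql", "lockadmin"}
PRIVILEGED_GROUPS = {"domain admins", "remote desktop users"}
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "rustdesk.exe"}
TUNNEL_BINARIES = {"cloudflared.exe", "sshd.exe"}
ENUM_BINARIES = {"advanced_ip_scanner.exe", "nltest.exe"}
PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.I)


def _proc(e: Event) -> bool:
    return e.kind == "process"


RULES = [
    # 'vssadmin list shadows' is benign; only deletion is flagged.
    ("shadow_copy_deletion", lambda e: _proc(e) and _base(e.image) == "vssadmin.exe"
        and bool(re.search(r"\bdelete\b.*\bshadows\b", e.cmdline, re.I))),
    ("ntds_backup_wbadmin", lambda e: _proc(e) and _base(e.image) == "wbadmin.exe"
        and "ntds" in e.cmdline.lower()),
    ("tunnel_in_programdata", lambda e: _proc(e) and _base(e.image) in TUNNEL_BINARIES
        and bool(PROGRAMDATA.match(e.image))),
    ("rmm_tool", lambda e: _proc(e) and _base(e.image) in RMM_BINARIES),
    ("ad_enumeration", lambda e: _proc(e) and (
        _base(e.image) in ENUM_BINARIES
        or (_base(e.image) in {"powershell.exe", "pwsh.exe"}
            and "get-adcomputer" in e.cmdline.lower()))),
    ("suspect_account_created", lambda e: e.kind == "user_created"
        and e.target.lower() in SUSPECT_ACCOUNTS),
    ("privileged_group_addition", lambda e: e.kind == "group_add"
        and e.group.lower() in PRIVILEGED_GROUPS),
]


def detect(events):
    """Map host -> sorted names of the rules that fired on it."""
    hits = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(e.host, set()).add(name)
    return {h: sorted(s) for h, s in hits.items()}


def triage(hits, threshold=3):
    """Hosts on which at least `threshold` distinct stages fired: a single
    RMM install is noise, several stages together look like the playbook."""
    return sorted(h for h, names in hits.items() if len(names) >= threshold)


# Constructed sample telemetry: one compromised DC, one workstation with only
# a legitimately installed RMM tool.
SAMPLE_EVENTS = [
    Event("process", "DC01", r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event("process", "DC01", r"C:\Windows\System32\wbadmin.exe",
          r"wbadmin start backup -backupTarget:\\srv\share -include:C:\Windows\NTDS -quiet"),
    Event("process", "DC01", r"C:\ProgramData\cloudflared.exe",
          "cloudflared.exe tunnel run"),
    Event("user_created", "DC01", target="lockadmin"),
    Event("group_add", "DC01", target="lockadmin", group="Domain Admins"),
    Event("process", "WS07", r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe list shadows"),
    Event("process", "WS07", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
]

if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for host, names in sorted(results.items()):
        print(f"{host}: {', '.join(names)}")
    print("escalate:", triage(results))
```

The per-host aggregation is the point: an RMM tool or a lone nltest call is routine in many environments, but shadow-copy deletion, an NTDS backup, a tunnel binary in C:\ProgramData and a new Domain Admin on the same host within a short window is the playbook, so only the combination is escalated. In production the rules would carry the event timestamp and a time window rather than aggregating across the whole export.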

Recommendations 

1. Update Firmware to Version 7.3.0: Immediately update all affected SonicWall Gen 7 firewalls to firmware version 7.3.0. This version includes enhanced protections against brute-force and MFA attacks.

2. Reset All Local User Passwords: Reset all local user account passwords for accounts with SSL VPN access, especially those that were carried over during a migration from Gen 6 to Gen 7 firewalls. Rotate all VPN credentials, including both local user and LDAP account passwords used for Active Directory integration.

3. Disable SSL VPN Services (if possible): If not business-critical, strongly consider disabling SSL VPN access on your SonicWall appliances until the firmware has been updated, credentials have been reset, and definitive guidance on the compromises that patching and MFA did not prevent is available.

4. Restrict SSL VPN Access: If disabling is not feasible, immediately restrict access to a minimal allow-list of known, trusted IP addresses.

5. Audit and Secure Privileged Accounts: Ensure any service accounts (e.g., sonicwall, LDAPAdmin) follow the principle of least privilege and are NOT Domain Admins. Remove any inactive or unused local firewall user accounts, particularly those with SSLVPN access. 

6. Enforce Multi-Factor Authentication (MFA): Ensure MFA is enabled for all remote access to reduce the risk of credential abuse. While reports indicate MFA alone may not always prevent compromise in this campaign due to the specific nature of the vulnerability, it remains a critical defense layer. 

7. Enable Security Services: Activate services such as Botnet Protection and Geo-IP Filtering on your SonicWall firewall to help detect and block known threat actors targeting SSL VPN endpoints.

8. For GravityZone users, enable Ransomware Mitigation policies as soon as possible. If you have GravityZone PHASR deployed, look for detections from Living Off The Land and Remote Admin Tools activity types.

Bitdefender MDR and Labs teams are continuously monitoring this threat and will provide updates as new information becomes available. They are also developing and deploying detection signatures within our Endpoint Detection and Response (EDR) solutions based on emerging threats and telemetry. 

Author


Martin Zugec

Martin is technical solutions director at Bitdefender. He is a passionate blogger and speaker, focusing on enterprise IT for over two decades. He loves travel, lived in Europe, Middle East and now residing in Florida.
