Over the last several days, SonicWall issued an advisory of a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSL VPN is enabled. A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass multi-factor authentication (MFA) and deploy ransomware. Threat actors are likely to pivot directly to domain controllers within hours of the initial breach.

SonicWall is actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.

Until further notice, SonicWall strongly advises, where practical, disabling the VPN service immediately and applying other mitigations in the advisory to reduce exposure while SonicWall continues its investigation.

References

SonicWall:
https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Huntress:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn

BleepingComputer:
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-disable-sslvpn-amid-rising-attacks/

Reporting
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.