
SonicWall Firewalls Face Surge in Attacks Exploiting Potential Zero-Day

Highlights

  • SonicWall Gen 7 firewalls are targeted by ongoing ransomware attacks.

  • SSLVPN vulnerabilities are the suspected entry point for attackers.

  • Disabling SSLVPN and updating security protocols is strongly advised.

Ethan Moreno
Last updated: 6 August, 2025 - 2:49 am

A wave of coordinated cyberattacks has been detected targeting SonicWall Gen 7 firewalls, sparking urgent advisories for customers to disable certain encryption services. Security professionals from several major firms have tracked increased ransomware activity attributed to exploitation of a suspected zero-day flaw within the SSL VPN feature. Organizations relying on SonicWall devices for secure remote access now face heightened risks, with multiple confirmed breaches occurring even where multi-factor authentication had been enabled. The latest incidents draw attention to persistent security challenges in firewall products relied upon across diverse industries.

Contents
  • How Are Current Attacks Unfolding?
  • What Role Does SSL VPN Play in the Exploits?
  • Are Multiple Attacker Groups Involved in the Breaches?

Reports released over the past year highlighted SonicWall’s recurring security vulnerabilities, with numerous entries in official exploited vulnerability catalogs. Past attacks typically centered on SonicWall Secure Mobile Access (SMA) 100 series devices, whereas attackers now focus on newer Gen 7 firewalls. Unlike previous breaches, which mostly targeted outdated devices or publicized flaws, the current tactic leverages an apparently unknown vulnerability, enabling threat actors to bypass standard protective controls. This progression indicates that adversaries continue to evolve tactics in response to security improvements, presenting ongoing hurdles for defenders.

How Are Current Attacks Unfolding?

The recent surge in malicious activity began around July 15, with organizations encountering rapid post-compromise escalation and near-daily attack bursts since July 25. Analysts from Huntress and Arctic Wolf noted automation tools combined with hands-on intrusion, including the abuse of privileged accounts and disabling of security defenses prior to the deployment of Akira ransomware. Attackers have managed lateral movement within targeted networks, gaining access to domain controllers within a matter of hours.

What Role Does SSL VPN Play in the Exploits?

The core method of attack hinges on vulnerabilities within the SSLVPN service on SonicWall’s Gen 7 firewalls. SonicWall directed customers to disable SSLVPN capabilities while an internal investigation progresses.

“If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” stated Bret Fitzgerald, senior director at SonicWall. The SSLVPN has been connected to several earlier critical vulnerabilities, indicating its ongoing attractiveness as a target for cybercriminals.

Are Multiple Attacker Groups Involved in the Breaches?

Researchers observed both overlapping and divergent attack tactics during the breaches, suggesting involvement by multiple threat groups or adaptive strategies by a single actor adjusting per incident. Arctic Wolf commented on a financially motivated threat actor deploying Akira ransomware, with Mandiant’s Charles Carmakal addressing the unusual speed and scale:

“The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”

The continuing investigation seeks to clarify the full scope and origin of these coordinated attacks.

The recurrence of critical vulnerabilities within SonicWall’s products, most recently the attack vector in the Gen 7 firewall’s SSLVPN, raises questions regarding the sustainability of relying solely on VPN-based perimeter security. Enterprises might consider increased network segmentation and layered security measures to reduce risk exposure from future unexpected flaws. Monitoring vendor advisories and participating in rapid patch adoption remains a core best practice. Given the history of remote access product exploitation, organizations should assess remote connectivity dependencies and incorporate alternative secure access models where feasible.
