TT-CSIRT – 444.05.08.25 – Increased Threat Activity Targeting SSLVPN on Gen 7 SonicWall Firewalls
Please be advised that SonicWall has detected a substantial rise in cyber incidents within the past 4 days concerning Gen 7 SonicWall Firewalls that have SSL VPN activated.
An ongoing investigation is being conducted to ascertain if the threat activity is associated with a previously disclosed vulnerability or a newly identified one.
Impact
- Remote attackers may be exploiting SSL VPN services on Gen 7 firewalls.
- The activity may bypass standard authentication protections, including MFA in some cases.
- There is potential for unauthorized access, lateral movement, or persistence within affected environments.
SonicWall strongly advises all partners and customers using Gen 7 SonicWall firewalls to take the following actions.
Recommended Mitigation Steps:
1. Turn off SSLVPN services wherever it is feasible.
NOTE: Follow all of the remaining steps even if disabling SSLVPN is not an option.
2. Restrict SSLVPN access to recognized source IP addresses.
3. Activate Security Services
• Enable features like Botnet Protection and Geo-IP Filtering. These are effective in identifying and blocking known threat actors that target SSL VPN endpoints.
4. Implement Multi-Factor Authentication (MFA)
• Require MFA for all remote access to mitigate the risk of credential misuse.
NOTE: Some reports indicate that enforcing MFA on its own may not safeguard against the activity being examined.
5. Delete Unused Accounts
• Remove any inactive or unnecessary local user accounts on the firewall.
• Be especially mindful of those who have SSLVPN access.
6. Maintain Strong Password Practices
• Promote frequent password updates for all user accounts.
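Steps 2 and 5 above can be checked against the firewall's own logs. The following script is an added example written for this bulletin, not SonicWall's tooling: it parses SonicWall-style key=value syslog lines, flags successful SSLVPN logins from source addresses outside an allowlist, and compares the accounts seen logging in against an account inventory to surface both unknown accounts and inventory accounts with no recent SSLVPN use (candidates for removal). The log lines are constructed, and the field names (time, msg, usr, src) and message text are assumptions about the SonicOS format; confirm them against your own syslog before relying on the output.

```python
"""Audit SSLVPN syslog against a source-IP allowlist and an account inventory.

Added example for this bulletin, not SonicWall code. The key=value layout,
field names and message strings below are ASSUMPTIONS modelled on the general
shape of SonicOS syslog; verify them against a real export first.
"""
import ipaddress
import re
from collections import Counter

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:14:03" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="jsmith" src=198.51.100.7:51234:X1
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:15:40" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="admin" src=192.0.2.55:40010:X1
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:16:12" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="backup_svc" src=192.0.2.99:40022:X1
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:17:00" fw=203.0.113.10 pri=6 msg="SSL VPN login failed" usr="jsmith" src=192.0.2.55:40011:X1
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:18:45" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="helpdesk2" src=192.0.2.55:40015:X1
id=firewall sn=0017C5XXXXXX time="2025-08-05 02:20:31" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="jsmith" src=198.51.100.7:51240:X1
"""


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def src_ip(field):
    """'198.51.100.7:51234:X1' -> '198.51.100.7' (IPv4 form assumed here)."""
    return field.split(":")[0]


def audit(log_text, allowed_cidrs, account_inventory):
    """Compare SSLVPN login events with the allowlist and account inventory.

    Returns a dict with:
      out_of_policy       successful logins from addresses outside allowed_cidrs
      unexpected_accounts accounts that logged in but are not in the inventory
      unused_accounts     inventory accounts with no successful login in the log
      failed_logins       count of failed logins per (user, source ip)
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    out_of_policy, failed, active = [], Counter(), set()
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if not msg.startswith("SSL VPN login"):
            continue  # not an SSLVPN authentication event
        user, ip = fields.get("usr", "?"), src_ip(fields.get("src", ""))
        if not ip:
            continue  # no usable source address on this line
        if "failed" in msg:
            failed[(user, ip)] += 1
            continue
        if "successful" not in msg:
            continue
        active.add(user)
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            out_of_policy.append((fields.get("time", ""), user, ip))
    inventory = set(account_inventory)
    return {
        "out_of_policy": out_of_policy,
        "unexpected_accounts": sorted(active - inventory),
        "unused_accounts": sorted(inventory - active),
        "failed_logins": dict(failed),
    }


if __name__ == "__main__":
    # Assumed allowlist (step 2) and assumed local account inventory (step 5).
    report = audit(SAMPLE_LOG, ["198.51.100.0/24"],
                   ["jsmith", "admin", "backup_svc", "oldcontractor"])
    for when, user, ip in report["out_of_policy"]:
        print(f"OUT OF POLICY  {when}  {user:<12} from {ip}")
    print("accounts not in inventory:", report["unexpected_accounts"])
    print("inventory accounts never seen:", report["unused_accounts"])
    print("failed logins:", report["failed_logins"])
```

Run it against a syslog export covering the period of concern (the bulletin cites the past 4 days). Successful logins from outside the allowlist, and accounts that authenticate but do not appear in your inventory, deserve immediate review given that the activity may succeed despite MFA; inventory accounts that never appear are the ones step 5 says to remove.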
If you have any queries, comments, or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt .