The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-53704, a critical zero-day vulnerability in SonicWall's SonicOS, to its Known Exploited Vulnerabilities (KEV) catalog and flagged it for immediate remediation. The improper authentication flaw lets remote attackers hijack active SSL VPN sessions without credentials, and exploitation in the wild has been confirmed. Under Binding Operational Directive (BOD) 22-01, federal agencies must patch affected systems by March 11, 2025.

The bug sits in the SonicOS SSL VPN session-cookie handling. The affected function mishandles Base64-encoded session cookies, and its flawed processing of null characters in the decoded cookie lets an attacker who crafts a malicious cookie pass authentication and take over an existing VPN tunnel. Proof-of-concept code that generates such a malformed cookie triggers the bypass and hijacks a session without any credentials. Because the attack involves no failed logins or credential guessing, it gives traditional intrusion alerts little to catch; attackers gain persistent access quietly, which complicates incident response.

The exploitation continues a pattern. In September 2024, CVE-2024-40766, another critical SonicOS flaw, was exploited by Akira ransomware affiliates to compromise SSL VPN accounts that lacked MFA and were not tied to centralized authentication, and Rapid7 has noted circumstantial evidence linking SonicWall SSL VPN breaches to ransomware initial access. Threat actors are systematically targeting SonicWall authentication gaps as a route to deploying ransomware payloads, and this zero-day underscores the persistent risk carried by widely deployed network security appliances.

Organizations unable to patch immediately should reduce exposure in the meantime:

Network segmentation: Restrict SSL VPN and management console access to predefined trusted IP ranges, and disable internet-facing management interfaces.
Enforce MFA: Require time-based one-time passwords (TOTP) or email OTPs for all SSL VPN users so that no account relies on a single factor.
Password policies: Reset credentials for locally managed SSL VPN accounts and integrate authentication with a centralized directory such as Active Directory to reduce credential-theft risk.

One caveat: MFA hardens accounts against the credential-based compromises seen with CVE-2024-40766, but it does not by itself defeat a session hijack that bypasses authentication entirely. For CVE-2024-53704 the controls that matter are applying the patch and limiting who can reach the SSL VPN at all. Longer term, migrating from SSL VPNs to a zero-trust network access (ZTNA) model reduces reliance on perimeter-based security and shrinks the exposed attack surface.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 21:15:15 +0000