The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity entry management vulnerability, to realize unauthorized entry to SonicWall units.
The hackers are leverging the safety difficulty to realize entry to focus on networks by way of unpatched SonicWall SSL VPN endpoints.
SonicWall launched a patch for CVE-2024-40766 final yr in August, marking it as actively exploited. The flaw permits unauthorized useful resource entry and might trigger firewall crashes.
On the time, SonicWall strongly really useful that making use of the replace needs to be accompanied by a password reset for customers with regionally managed SSLVPN accounts.
With out rotating the passwords after the replace, menace actors might use uncovered credentials for legitimate accounts to configure the multi-factor authentication (MFA) or time-based one-time sassword (TOTP) system and achieve entry.
Akira was among the many first ransomware teams to actively exploit it in beginning September 2024.
An alert from the Australian Cyber Safety Middle (ACSC) yesterday warns organizations of the brand new malicious exercise, urging speedy motion.
“ASD’s ACSC is conscious of a latest improve in energetic exploitation in Australia of a 2024 important vulnerability in SonicWall SSL VPNs (CVE-2024-40766),” reads the advisory.
“We’re conscious of the Akira ransomware focusing on weak Australian organizations via SonicWall SSL VPNs,” says the Australian Cyber Safety Centre.
Cybersecurity agency Rapid7 has made comparable observations, reporting that Akira ransomware assaults on SonicWall units have not too long ago re-ignited, doubtless tied to incomplete remediation.
Rapid7 highlights intrusion strategies equivalent to exploiting the broad entry permission of the Default Customers Group to authenticate and connect with the VPN, and the default public entry permission for the Digital Workplace Portal on SonicWall units.
It needs to be famous that this exercise has not too long ago generated confusion within the cybersecurity neighborhood, with many reporting that ransomware actors are actively exploiting a zero-day vulnerability in SonicWall merchandise.
The seller revealed a brand new safety advisory saying that it has “excessive confidence that the latest SSLVPN exercise isn’t linked to a zero-day vulnerability” and that it discovered “vital correlation with menace exercise associated to CVE-2024-40766.”
Final month, SonicWall famous that it was investigating as much as 40 safety incidents associated to this exercise.
CVE-2024-40766 impacts the next firewall variations:
- Gen 5: SOHO units operating model 5.9.2.14-12o and older
- Gen 6: Varied TZ, NSA, and SM fashions operating variations 6.5.4.14-109n and older
- Gen 7: TZ and NSA fashions operating SonicOS construct model 7.0.1-5035 and older
System directors are really useful to observe the patching and mitigation recommendation supplied by the seller within the associated bulletin.
Admins ought to replace to firmware model 7.3.0 or later, rotate SonicWall account passwords, implement multi-factor authentication (MFA), mitigate the SSLVPN Default Teams threat, and prohibit Digital Workplace Portal entry to trusted/inner networks.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration developments.
