Akira Ransomware Exploits Year-Old SonicWall Vulnerability

Cybersecurity researchers have reported that the Akira ransomware group is actively exploiting a year-old vulnerability in SonicWall firewalls (CVE-2024-40766) in a new wave of attacks. Rapid7 warns that the attackers may be leveraging multiple attack vectors simultaneously to gain initial access.

About the Vulnerability

The flaw, assigned a CVSS score of 9.3, is an improper access control issue that can allow threat actors to access restricted resources and, under certain conditions, cause the firewall to crash. Exploitation of this vulnerability was detected soon after SonicWall issued an advisory in August 2024, which has since been updated with additional mitigation recommendations.

SonicWall has urged all users of Gen5 and Gen6 firewalls with locally managed SSLVPN accounts to update their passwords immediately. Administrators are also advised to enable the “User must change password” option for each local account to prevent unauthorized access.

Recent Exploitation Activity

Rapid7 reports a spike in attacks targeting vulnerable SonicWall devices, attributed to the Akira ransomware group. While CVE-2024-40766 is a primary vector, the attackers may also be exploiting:

  1. SSLVPN Default Users Group – a configuration weakness allowing unauthorized SSLVPN access.
  2. Virtual Office Portal – some SonicWall appliances are configured for public access, which could be abused for initial entry.

Evidence suggests that Akira may be combining all three weaknesses (the CVE and the two configuration issues above) to maximize access and facilitate ransomware deployment.

Akira Ransomware Tactics

Active since at least 2023, the Akira gang targets edge devices to gain initial access, escalate privileges, steal sensitive files, erase backups, and deploy file-encrypting ransomware at the hypervisor level.

Recommendations for Organizations

To protect against these attacks, organizations should:

  • Apply all SonicWall patches immediately.
  • Follow all vendor-recommended mitigations.
  • Rotate passwords for all SonicWall accounts.
  • Enable multi-factor authentication (MFA) for SSLVPN services.
  • Mitigate the SSLVPN Default Users Group risk.
  • Restrict access to the Virtual Office Portal.

Proactive patching and proper configuration remain the most effective defenses against ransomware groups targeting network edge devices.

Source: https://www.securityweek.com/akira-ransomware-attacks-fuel-uptick-in-exploitation-of-sonicwall-flaw