Akira Ransomware Exploits SonicWall Firewalls to Breach Organizations

Summary
– Attackers are exploiting CVE-2024-40766, a critical flaw in SonicWall firewalls patched over a year ago, to deploy Akira ransomware.
– Recent attacks are facilitated by organizations migrating to Gen 7 firewalls without resetting local user passwords as advised by SonicWall.
– Akira affiliates use three methods: the unpatched CVE-2024-40766, a misconfigured SSLVPN Default Users Group setting, and the Virtual Office Portal to bypass security.
– The misconfigured SSLVPN setting automatically grants excessive permissions to any authenticated LDAP user, bypassing intended access controls.
– Organizations should rotate local passwords, configure MFA, set the Default LDAP User Group to “None”, restrict Virtual Office Portal access, and apply the latest patches.
Despite a critical security patch being issued over a year ago, SonicWall firewalls remain vulnerable to exploitation by Akira ransomware affiliates, who continue to breach organizational networks through unaddressed weaknesses. Recent activity shows threat actors leveraging not only the known CVE-2024-40766 vulnerability but also additional misconfigurations and access points within these widely used network security devices.
According to SonicWall, many organizations that migrated from Gen 6 to Gen 7 firewalls neglected to reset local user passwords as recommended, leaving an open door for attackers. Since early August 2025, Rapid7’s Incident Response team has observed a noticeable increase in intrusions tied to SonicWall appliances, with evidence pointing to the Akira group employing a trio of security gaps to gain unauthorized entry.
The first involves CVE-2024-40766, which remains unpatched on some systems despite available fixes. The second stems from a misconfiguration in the device’s SSLVPN Default Users Group setting. This setting automatically grants every successfully authenticated LDAP user membership to a predefined local group, irrespective of their actual Active Directory roles. If that default group has access to sensitive services, such as SSL VPN, administrative interfaces, or unrestricted network zones, any compromised AD account instantly inherits those permissions. This loophole effectively bypasses intended group-based access controls, offering attackers a direct route into the network perimeter as soon as they obtain valid credentials.
The third vulnerability involves the Virtual Office Portal hosted by SonicWall appliances. Attackers have been accessing this portal to configure MFA or TOTP on previously compromised user accounts, further solidifying their control.
The Australian Cyber Security Centre has also issued warnings about a recent surge in Akira attacks targeting vulnerable Australian organizations via this same vulnerability.
Rapid7’s responders note that the group’s affiliates follow a consistent playbook: gaining initial access through the SSLVPN component, escalating privileges to elevated or service accounts, exfiltrating sensitive files from network shares or file servers, disrupting or deleting backups, and finally deploying ransomware at the hypervisor level.
To mitigate these risks, organizations using SonicWall firewalls should immediately rotate passwords on all local accounts and remove any that are unused. It is also critical to configure MFA or TOTP policies for SonicWall SSLVPN services. Additional steps include setting the Default LDAP User Group to “None,” ensuring the Virtual Office Portal is accessible only from trusted local networks, and continuously monitoring access to it. Most importantly, all SonicWall appliances must be updated to the latest patch level.
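The Default LDAP User Group behaviour described above, and the effect of setting it to "None", modelled as an added example (not SonicWall's code or a real SonicOS API; the local groups, AD group names, users and service labels are constructed for illustration):

```python
# Added example: a simplified model of how the SSLVPN "Default LDAP User
# Group" setting changes what an authenticated LDAP user can reach.
# All group names, users and service labels below are constructed samples.
from dataclasses import dataclass, field

# Local firewall groups and the services each unlocks (constructed).
LOCAL_GROUPS = {
    "SSLVPN Services": {"sslvpn"},
    "Admins": {"sslvpn", "management_ui"},
    "Guests": set(),
}

# Explicit AD-group -> local-group mapping an administrator configured.
GROUP_MAPPING = {
    "CN=VPN-Users": "SSLVPN Services",
    "CN=FW-Admins": "Admins",
}

@dataclass
class LdapUser:
    name: str
    ad_groups: set = field(default_factory=set)

def effective_local_groups(user, mapping, default_group):
    """Local groups assigned after a successful LDAP authentication."""
    groups = {mapping[g] for g in user.ad_groups if g in mapping}
    if default_group is not None:      # the setting the advisory warns about:
        groups.add(default_group)      # granted to EVERY authenticated user
    return groups

def can_use(user, service, mapping, default_group):
    """True if any effective local group unlocks the requested service."""
    groups = effective_local_groups(user, mapping, default_group)
    return any(service in LOCAL_GROUPS.get(g, set()) for g in groups)

def audit_default_group(default_group, sensitive=("sslvpn", "management_ui")):
    """Findings when the default group exposes a sensitive service to all users."""
    if default_group is None:
        return []
    exposed = LOCAL_GROUPS.get(default_group, set()) & set(sensitive)
    return [f"default group '{default_group}' grants {s} to all LDAP users"
            for s in sorted(exposed)]

# A compromised helpdesk account with no VPN-related AD membership (constructed).
helpdesk = LdapUser("helpdesk01", {"CN=Helpdesk"})
```

With the default group set to "SSLVPN Services", `can_use(helpdesk, "sslvpn", GROUP_MAPPING, "SSLVPN Services")` is true for an account that has no VPN entitlement in AD; with the default group set to `None` only explicitly mapped users pass.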
SonicWall’s recently released SonicOS version 7.3.0 includes enhanced protections against brute force attacks and additional MFA controls, providing another layer of defense for those who apply the update promptly.
(Source: HelpNet Security)