Akira Ransomware Actively Exploits Critical SonicWall VPN Flaw

▼ Summary
– The Akira ransomware gang is exploiting CVE-2024-40766, a critical SonicWall vulnerability, to gain unauthorized network access via unpatched SSL VPN endpoints.
– SonicWall patched this flaw in August 2024, warning that password resets for local SSLVPN accounts are essential to prevent credential misuse.
– The Australian Cyber Security Centre and Rapid7 have observed increased attacks, noting that incomplete remediation contributes to the risk.
– SonicWall confirmed the activity exploits the known CVE-2024-40766, not a zero-day, and impacts specific firewall versions across Gen 5, 6, and 7 devices.
– Recommended actions include updating Gen 7 devices to SonicOS 7.3.0 or later (Gen 5 and Gen 6 devices cannot run 7.x and need the fixed build for their own generation), rotating passwords, enforcing MFA, tightening default group permissions, and restricting Virtual Office Portal access.
A dangerous ransomware group known as Akira is now actively targeting a critical vulnerability in SonicWall VPN appliances, putting unpatched networks at serious risk. The attackers are exploiting CVE-2024-40766, a flaw disclosed in August 2024, to break into corporate systems through exposed SSL VPN endpoints. SonicWall issued a patch for this vulnerability back in August 2024 and warned at the time that it was already being used in active attacks.
The flaw is an improper access control weakness in SonicOS management access and SSL VPN: it lets an unauthorized party reach resources they should not be able to, and under specific conditions can crash the firewall. At the time of the patch release, SonicWall emphasized that updating the firmware alone was not enough. It strongly advised administrators to also reset passwords for all locally managed SSL VPN accounts, because credentials harvested before the fix remain valid after it. An attacker holding stolen credentials can still log in and, once inside, bypass or reconfigure multi-factor authentication settings.
The Akira ransomware operation was among the first to weaponize this vulnerability, with malicious activity observed as early as September 2024. Just yesterday, the Australian Cyber Security Centre (ACSC) issued an urgent alert, noting a sharp rise in exploitation attempts targeting Australian organizations. The agency confirmed that Akira is actively going after vulnerable SonicWall VPN installations.
Cybersecurity firm Rapid7 has corroborated these findings, reporting a renewed wave of Akira attacks tied to incomplete patching efforts. The group is taking advantage of overly permissive default settings: the broad access rights granted to the Default Users Group (when this LDAP default group is mapped to SSL VPN services, every directory user gains VPN access) and the public accessibility of SonicWall's Virtual Office Portal, which exposes the self-service MFA enrollment page to anyone on the internet.
Some initial reports had mistakenly suggested the attacks were leveraging a new zero-day vulnerability, but SonicWall has since clarified the situation. The company stated with high confidence that the ongoing incidents are linked to CVE-2024-40766, not a new flaw. They are currently investigating up to 40 security incidents related to this exploitation campaign.
The vulnerability affects several generations of SonicWall firewalls, including Gen 5 SOHO devices using version 5.9.2.14-12o or earlier; the affected Gen 6 and Gen 7 ranges are listed in SonicWall's advisory. Administrators are urged to immediately implement the mitigation steps provided by SonicWall. Key actions include upgrading Gen 7 devices to SonicOS 7.3.0 or newer (and Gen 5 and Gen 6 devices to the fixed build for their generation), changing all SonicWall account passwords, enforcing multi-factor authentication, tightening default group permissions, and limiting Virtual Office Portal access to trusted internal networks only.
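The first step in the remediation above is knowing which appliances are still on a vulnerable or below-recommended build. The script below is an added example for this article, not SonicWall's or Bleeping Computer's code: it parses SonicOS version strings such as 5.9.2.14-12o so they compare numerically rather than as text, then grades each inventory entry against the two thresholds the article quotes (Gen 5 at 5.9.2.14-12o or earlier is affected; Gen 7 should be on 7.3.0 or newer). The inventory format, the device names and firmware strings, and the decision to mark Gen 6 for manual review (the article quotes no Gen 6 threshold) are all assumptions made for illustration; check SonicWall's advisory for your exact generation and model.

```python
"""Fleet audit helper for CVE-2024-40766 exposure, keyed on SonicOS build strings.

Added example for this article, not vendor code. Thresholds come from the
article text; everything else is an assumption for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# SonicOS version strings look like "5.9.2.14-12o" or "7.3.0-7012":
# dotted numeric release, optional "-" build number, optional trailing letter.
# Assumption: this simplified grammar covers the strings in your inventory.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)([a-z])?)?$")

VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(text: str) -> VersionKey:
    """Turn a SonicOS version string into a tuple that sorts correctly.

    "5.9.2.14-12o" -> ((5, 9, 2, 14), 12, "o")
    "7.3.0"        -> ((7, 3, 0), 0, "")
    Comparing tuples of ints is what makes 5.9.2.14-13o sort above -12o,
    which a plain string comparison would also get right here but would get
    wrong as soon as a build number gains a digit (e.g. -9o vs -12o).
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    suffix = m.group(3) or ""
    return release, build, suffix


class Device(NamedTuple):
    name: str
    generation: int   # 5, 6 or 7, the generations the article names as affected
    firmware: str


# Thresholds quoted in the article.
GEN5_LAST_AFFECTED = "5.9.2.14-12o"   # "5.9.2.14-12o or earlier" is affected
GEN7_MINIMUM = "7.3.0"                # "upgrade to firmware version 7.3.0 or newer"


def assess(device: Device) -> str:
    """Grade one inventory entry.

    'affected' : Gen 5 build at or below the last affected build the article quotes
    'upgrade'  : Gen 7 build below the 7.3.0 baseline the article recommends
    'ok'       : above the relevant threshold
    'review'   : the article quotes no threshold for this generation (Gen 6), so
                 the build must be checked against the vendor advisory by hand
    """
    version = parse_version(device.firmware)
    if device.generation == 5:
        return "affected" if version <= parse_version(GEN5_LAST_AFFECTED) else "ok"
    if device.generation == 7:
        return "ok" if version >= parse_version(GEN7_MINIMUM) else "upgrade"
    return "review"


def audit(inventory: List[Device]) -> Dict[str, str]:
    """Map device name -> grade for a whole inventory."""
    return {d.name: assess(d) for d in inventory}


# Constructed sample inventory (names and builds invented for this example).
SAMPLE_INVENTORY = [
    Device("branch-soho-01", 5, "5.9.2.14-12o"),   # exactly the last affected build
    Device("branch-soho-02", 5, "5.9.2.14-13o"),   # one build newer
    Device("dc-nsa-01",      6, "6.5.4.15-116n"),  # article gives no Gen 6 threshold
    Device("hq-tz-01",       7, "7.1.3-7015"),     # below the recommended 7.3.0
    Device("hq-tz-02",       7, "7.3.0-7012"),     # on the recommended baseline
]


if __name__ == "__main__":
    for name, grade in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name:16} {grade}")
```

Feed it your own export of device names, generations and firmware strings in place of the constructed inventory; anything graded `affected`, `upgrade` or `review` belongs on the remediation list, and every device, whatever its grade, still needs the credential rotation, MFA enforcement and Virtual Office Portal restrictions described above, since a patched firmware does not invalidate passwords stolen before the patch.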
(Source: Bleeping Computer)