Akira Ransomware Group Exploits SonicWall Vulnerability for Remote Code Execution

September 9, 2024

Threat actors, including Akira ransomware affiliates, have started exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed and patched last month in its Gen 5 and Gen 6 firewalls and in some SonicOS builds for Gen 7. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) catalog and has directed federal civilian executive branch (FCEB) agencies to remediate it by Sept. 30.

CVE-2024-40766 is an improper access control bug in the management access component of SonicOS. It affects SonicWall Gen 5 and Gen 6 firewalls, and Gen 7 firewalls running SonicOS 7.0.1-5035 and older. SonicWall's advisory describes the impact as unauthorized resource access and, under specific conditions, a firewall crash; exploitation in the wild has been used to take control of affected devices. SonicWall first disclosed the bug on Aug. 22 with a CVSS score of 9.3 out of 10. On Sept. 6, the company updated the advisory to state that the SSLVPN feature, and locally managed SSLVPN accounts in particular, are also reachable through this vulnerability.

Arctic Wolf reported on Friday (Sept. 6) that it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. SonicWall has urged customers running affected appliances to update to the fixed SonicOS versions as soon as possible. The company also recommends that organizations restrict firewall management to trusted sources and disable WAN management from the Internet, and that they limit or disable SSLVPN access from the Internet. For Gen 5 and Gen 6 firewalls, SonicWall strongly recommends that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. SonicWall also recommends enabling multifactor authentication (MFA) for all SSLVPN users.
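The version threshold in the paragraph above and the hardening checklist in this one are easy to get wrong across a fleet, so here is an added triage helper that turns both into a repeatable check. This is example code written for this page, not SonicWall's or Arctic Wolf's tooling. It assumes that a SonicOS major version maps to a hardware generation (5.x is Gen 5, 6.x is Gen 6, 7.x is Gen 7), it compares only the Gen 7 build stated in the advisory (7.0.1-5035 and older), it flags every Gen 5 and Gen 6 device for manual verification because the article gives no fixed build for them, and the inventory it runs over is constructed sample data with made-up hostnames, version strings, and configuration flags.

```python
"""Triage helper for CVE-2024-40766 exposure on a SonicWall firewall fleet.

Added example for this article; not SonicWall's or Arctic Wolf's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Last affected build per SonicOS generation, as stated in the advisory text
# quoted in the article (Gen 7: 7.0.1-5035 and older). Gen 5 and Gen 6 are
# affected but the article gives no fixed build for them, so they stay out of
# this table and are always flagged for verification against the advisory.
LAST_AFFECTED_BUILD = {7: "7.0.1-5035"}

_BUILD_RE = re.compile(r"^(\d+)[A-Za-z]*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Parse 'a.b.c[.d]-build[letter]' into a comparable tuple.

    Numeric components are padded to four so Gen 5/6 strings such as
    '6.5.4.12-101n' and Gen 7 strings such as '7.0.1-5035' compare
    consistently. The platform letter after the build number is ignored for
    ordering, and a missing build number is treated as 0 (the older, safer
    interpretation).
    """
    head, _, build = version.strip().partition("-")
    parts = head.split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SonicOS version {version!r}")
    match = _BUILD_RE.match(build) if build else None
    if build and not match:
        raise ValueError(f"unrecognised build component in {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums + [int(match.group(1)) if match else 0])


def generation(version: str) -> int:
    """Assumption for this example: SonicOS 5.x/6.x/7.x run on Gen 5/6/7."""
    return parse_version(version)[0]


def needs_patch_review(version: str) -> bool:
    """True if the build is within the affected range, or belongs to a
    generation the article marks affected without a fixed build to compare."""
    gen = generation(version)
    if gen in LAST_AFFECTED_BUILD:
        return parse_version(version) <= parse_version(LAST_AFFECTED_BUILD[gen])
    return gen in (5, 6)


@dataclass
class Firewall:
    name: str
    sonicos: str
    wan_management: bool           # HTTPS/SSH management reachable from the WAN
    sslvpn_from_internet: bool     # SSLVPN listener exposed on the WAN zone
    local_sslvpn_users: int        # locally managed (non-directory) SSLVPN accounts
    local_passwords_rotated: bool  # rotated since the Sept. 6 advisory update
    mfa_enforced: bool             # MFA required for every SSLVPN user


def assess(fw: Firewall) -> list[str]:
    """Map one firewall's state onto SonicWall's recommendations from the article."""
    findings: list[str] = []
    if needs_patch_review(fw.sonicos):
        findings.append(f"update SonicOS {fw.sonicos}: affected build or unverified generation")
    if fw.wan_management:
        findings.append("disable WAN management; restrict management to trusted sources")
    if fw.sslvpn_from_internet:
        findings.append("limit or disable SSLVPN access from the Internet")
    # The article ties the immediate password rotation to Gen 5 and Gen 6.
    if (generation(fw.sonicos) in (5, 6) and fw.local_sslvpn_users
            and not fw.local_passwords_rotated):
        findings.append(f"rotate passwords for {fw.local_sslvpn_users} local SSLVPN accounts")
    if (fw.sslvpn_from_internet or fw.local_sslvpn_users) and not fw.mfa_enforced:
        findings.append("enable MFA for all SSLVPN users")
    return findings


def triage(inventory: list[Firewall]) -> dict[str, list[str]]:
    """Return findings keyed by firewall name; empty list means nothing to do."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory: hostnames, builds and flags are invented.
SAMPLE_INVENTORY = [
    Firewall("branch-tz370", "7.0.1-5035", True, True, 12, False, False),
    Firewall("hq-nsa4700", "7.1.1-7040", False, True, 3, True, True),
    Firewall("legacy-nsa2600", "6.5.4.12-101n", False, True, 40, False, False),
    Firewall("lab-tz210", "5.9.1.13-10o", True, False, 0, True, True),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for item in findings:
            print(f"  - {item}")
```

The comparison deliberately stays within one generation: a Gen 6 build is never ranked against the Gen 7 threshold, and any generation missing from `LAST_AFFECTED_BUILD` is reported for manual review rather than silently passed. Fill in the Gen 5 and Gen 6 entries from SonicWall's advisory before trusting the "not affected" result for those devices.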

SonicWall's firewall products, like routers, VPN gateways, and other network security appliances, are attractive targets because compromising an edge device gives an attacker a privileged, trusted position on the network behind it. In recent years, vendors such as Cisco and agencies such as CISA and the UK's National Cyber Security Centre (NCSC) have repeatedly warned about attackers exploiting vulnerabilities in network devices to gain an initial foothold on target networks. Earlier this year, CISA identified China's Volt Typhoon group as routinely targeting networking appliances from vendors including Fortinet, Ivanti, Netgear, Cisco, and Citrix to obtain initial access.
