Akira ransomware gang targeting SonicWall VPN accounts

The Akira ransomware gang may be exploiting a critical remote code execution vulnerability that allows threat actors to compromise SonicWall SSL VPN accounts and gain access to firewall devices.

In a security bulletin published on Friday, Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf, warned users that Akira ransomware actors are targeting SonicWall devices through compromised SSL VPN accounts. Hostetler said the devices were vulnerable to CVE-2024-40766, an improper access control vulnerability in SonicOS. Exploitation of the flaw, which received an 9.3 CVSS score, can allow attackers to gain unauthorized access to SonicWall firewall Gen 5 and Gen 6 devices, as well as Gen 7 versions 7.0.1-5035 and older.

"In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Hostetler wrote in the security bulletin. "Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766."

Akira is known to target vulnerable VPNs, so patching is crucial. CISA published a report earlier this year that showed the gang made approximately $42 million from more than 250 victims, many by targeting Cisco VPNs.

SonicWall initially disclosed CVE-2024-40766 on Aug. 22 and advised users to update to the fixed version. Arctic Wolf stated that at the time of disclosure, there were no reports of active exploitation or an available proof-of-concept. In another security bulletin on Aug. 27, Arctic Wolf warned that SonicWall firewalls are "widely used in corporate environments" and are a popular target for attackers.

Now, Arctic Wolf has observed ongoing threat activity against the SonicOS vulnerability two weeks following disclosure as devices remain unpatched. SonicWall also updated the security advisory for CVE-2024-40766 to cite "potential" exploitation in the wild. Additionally, CISA added CVE-2024-40766 to its Known Vulnerabilities Catalog on Monday, which means federal agencies must update to the fixed version by the end of the month.

Dan Schiappa, chief product and services officer at Arctic Wolf, said it's difficult to definitively attribute CVE-2024-40766 as the initial attack vector and the company is still investigating the activity. Schiappa said one problem with attributing this type of activity is that there's not always a clear trace of exploitation due to the lack of visibility in firewall and VPN telemetry.

"In retrospective analysis, some circumstantial evidence points towards SonicWall as being a factor, however. The SonicWall vulnerability advisory being referenced here (CVE-2024-40766) was updated last Friday to indicate that the vulnerability was under active exploitation," he said. "Before that, it had been updated on August 28 to indicate an expanded scope from initial from initial disclosure, tying it to SSLVPN activity."

Arctic Wolf believes potential exploitation could have begun as early as the first week of August, but it's unclear how many organizations may have been affected.

"Unfortunately, part of the major challenges with vulnerability exploitations related to VPNs is the lack of visibility into the sheer number of organizations being targeted for exploitation," Schiappa said. "Updates that SonicWall made to their security advisory have helped teams more clearly delineate the characteristics of the vulnerability we're up against -- but we can suspect that additional news will break in the coming weeks -- especially now that CISA had added CVE-2024-40766 to their KEV catalog, which may indicate active exploitation."

Arctic Wolf urged users to upgrade SonicOS to the latest versions and to reset all SSL VPN account passwords for locally managed accounts. The security vendor also recommended implementing MFA for all local SSL VPN accounts. "To minimize potential impact, SonicWall recommends restricting firewall management to trusted sources or disabling firewall WAN management from Internet access," the bulletin said.

Earlier this year, cyber insurer Coalition published a claims report based on U.S. policyholder claims from 2023. Shelley Ma, incident response lead at Coalition, expanded on the report to TechTarget Editorial and said that SonicWall firewalls are frequently targeted by threat actors. Similarly, in 2022, Coalition also said SonicWall products could lead to higher premiums for customers because of the number of vulnerabilities exploited by attackers.

SonicWall did not respond to requests for comment at press time.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.