
The Akira ransomware gang is actively exploiting CVE-2024-40766 to gain unauthorized access to SonicWall devices.
The attackers are abusing the flaw to gain access to target networks through SonicWall SSL VPN endpoints.
SonicWall released a patch for CVE-2024-40766 in August last year, at a time when the flaw was already being actively exploited. The defect allows unauthorized resource access and can cause the firewall to crash.
At the time, SonicWall strongly recommended that the update be applied together with a password reset for users with locally managed SSLVPN accounts.
Without rotating passwords after the update, threat actors can use previously exposed credentials for compromised accounts to enroll their own multi-factor authentication (MFA) or time-based one-time password (TOTP) and gain access.
Akira was one of the first ransomware groups to exploit the flaw, starting in September 2024.
An alert by the Australian Cyber Security Centre (ACSC) warns organisations of new malicious activity and urges immediate action.
“ASD's ACSC is aware of a recent increase in active exploitation of an important 2024 vulnerability in SonicWall SSL VPN (CVE-2024-40766),” the advisory reads.
“We are aware of Akira ransomware targeting vulnerable Australian organisations through SonicWall SSL VPN,” says the Australian Cyber Security Centre.
Cybersecurity firm Rapid7 has made similar observations, reporting that Akira ransomware attacks on SonicWall devices have recently flared up, possibly tied to incomplete remediation.
Rapid7 highlighted infiltration methods such as abusing the broad access permissions of the default user group to connect to the VPN, and the default public access to the Virtual Office portal on SonicWall devices.
It should be noted that this activity has recently caused confusion in the cybersecurity community, with several reports claiming that the ransomware actor is actively exploiting a zero-day vulnerability in SonicWall products.
The vendor published a new security advisory stating that it is “highly confident that the recent SSLVPN activity is not associated with a zero-day vulnerability” and that it found “a significant correlation with threat activity related to CVE-2024-40766.”
Last month, SonicWall said it was investigating 40 security incidents related to this activity.
CVE-2024-40766 affects the following firewall versions:
- Gen 5: SOHO devices running version 5.9.2.14-12o and older
- Gen 6: Various TZ, NSA, and SM models running versions 6.5.4.14-109n and older
- Gen 7: TZ and NSA models running SonicOS build version 7.0.1-5035 and older
System administrators are advised to follow the patching and mitigation guidance provided by the vendor in its respective bulletin.
Admins should upgrade to firmware version 7.3.0 or later, rotate SonicWall account passwords, enforce multi-factor authentication (MFA), reduce the risk posed by the SSLVPN default groups, and limit Virtual Office portal access to trusted/internal networks.
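As an added example (not code from the article, SonicWall or Rapid7), the affected-version ceilings listed above and the 7.3.0 firmware floor from the mitigation advice, turned into a small Python triage over a firewall inventory export. The version-string grammar the regex accepts, the hostnames and the non-ceiling build numbers in the sample are assumptions made for the demo.

```python
import re
from typing import Optional, Tuple

# Inclusive ceilings of the affected ranges the article lists ("... and older").
AFFECTED_MAX = {5: "5.9.2.14-12o", 6: "6.5.4.14-109n", 7: "7.0.1-5035"}
# Firmware floor the article says admins should move to.
RECOMMENDED_MIN = "7.3.0"
# Assumed grammar: dotted release numbers plus optional "-<build><letter>" (Gen 5/6 builds end in a letter).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)([a-z]?))?$")

def parse_version(s: str) -> Tuple[Tuple[int, ...], int, str]:
    """'6.5.4.14-109n' -> ((6, 5, 4, 14), 109, 'n'); '7.3.0' -> ((7, 3, 0), 0, '')."""
    m = _VERSION_RE.match(s.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {s!r}")
    dotted = tuple(int(p) for p in m.group(1).split("."))
    return dotted, int(m.group(2) or 0), m.group(3) or ""

def is_affected(version: str) -> Optional[bool]:
    """True if the build is at or below its generation's ceiling; None if the generation is unlisted."""
    key = parse_version(version)
    ceiling = AFFECTED_MAX.get(key[0][0])  # generation = first number of the release
    return None if ceiling is None else key <= parse_version(ceiling)

def meets_recommendation(version: str) -> bool:
    """True once the device runs the 7.3.0-or-later firmware the article recommends."""
    return parse_version(version)[0] >= parse_version(RECOMMENDED_MIN)[0]

def classify(version: str) -> str:
    """One status label per device, ready for an inventory sweep."""
    affected = is_affected(version)
    if affected is None:
        return "unlisted-generation"
    if affected:
        return "AFFECTED"
    return "patched-recommended" if meets_recommendation(version) else "patched-below-recommended"

def triage(inventory: str) -> dict:
    """Map each 'hostname,version' line of an inventory export to its status."""
    pairs = (line.split(",", 1) for line in inventory.strip().splitlines())
    return {h.strip(): classify(v.strip()) for h, v in pairs}

# Constructed sample inventory: hostnames and the non-ceiling build numbers are made up.
SAMPLE_INVENTORY = ("fw-branch-01,6.5.4.14-109n\nfw-branch-02,6.5.4.15-116n\n"
                    "fw-hq-01,7.0.1-5035\nfw-hq-02,7.0.1-5119\nfw-dc-01,7.3.0-7012\n")
```

Devices labelled AFFECTED need the upgrade plus the password rotation, since the article's point is that patching alone leaves previously exposed credentials usable.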