Threat actors linked to the Akira ransomware group have ramped up attacks targeting SonicWall devices, exploiting a known high-risk vulnerability to gain initial access to networks.
Cybersecurity firm Rapid7 reported an increase in intrusions involving SonicWall appliances over the past month, correlating with a spike in Akira activity observed since late July.
The attacks are leveraging CVE-2024-40766, an improper access control issue affecting SonicWall firewalls. The flaw stems from improper password handling during local user account migration. SonicWall has confirmed the exploitation and warned customers of escalating brute-force attempts.
“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766,” the company said in an advisory.
“We are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset,” the vendor added.
Rapid7 said it has seen hackers accessing the SonicWall Virtual Office Portal used to set up multi-factor authentication (MFA) and time-based one-time passwords (TOTP) for SSLVPN users. In some default setups, the portal is publicly accessible. If attackers already have a user's login credentials, they may be able to set up MFA or TOTP themselves.
Australia's cyber authorities have also issued a warning about a recent increase in active exploitation of CVE-2024-40766 in SonicWall SSL VPNs within Australia.
Organizations that run SonicWall devices in their networks are advised to take preventive measures: rotate passwords and remove unused local accounts, enable MFA for SSLVPN, address the SSLVPN Default Groups risk, restrict Virtual Office Portal access to internal or trusted networks, monitor access on port 4433, and ensure all devices are fully patched.
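The monitoring advice above (watch port 4433, treat Virtual Office Portal use and MFA/TOTP enrollment from outside trusted networks as suspicious, and notice brute-force runs that end in a successful login) can be turned into a small log review. The script below is an added example, not code from the article, Rapid7 or SonicWall: the key=value log layout, the event message strings, the trusted ranges in `TRUSTED_NETS` and the failure threshold are all assumptions for illustration, and the sample lines are constructed. Real SonicWall syslog output uses its own field names, so the regular expression would need to be adapted.

```python
"""Added example: flag the SSLVPN/Virtual Office Portal patterns the advisory describes.
Log format, event names and trusted ranges are assumptions, not SonicWall's real schema."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: ranges from which portal use and MFA/TOTP enrollment are expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
FAILED_LOGIN_THRESHOLD = 5   # failures from one source before we call it brute force
SSLVPN_PORT = 4433           # the port the advisory says to monitor

# Constructed sample lines (not real device output). One external source brute-forces
# a local account, succeeds, opens the portal and enrolls TOTP; an internal user does
# the same enrollment legitimately; a remote user simply logs in.
SAMPLE_LOGS = [
    'ts=2024-09-01T10:00:01 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login failed"',
    'ts=2024-09-01T10:00:02 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login failed"',
    'ts=2024-09-01T10:00:03 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login failed"',
    'ts=2024-09-01T10:00:04 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login failed"',
    'ts=2024-09-01T10:00:05 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login failed"',
    'ts=2024-09-01T10:00:09 src=203.0.113.5 dport=4433 user=jdoe msg="SSLVPN login succeeded"',
    'ts=2024-09-01T10:00:20 src=203.0.113.5 dport=4433 user=jdoe msg="Virtual Office Portal access"',
    'ts=2024-09-01T10:00:40 src=203.0.113.5 dport=4433 user=jdoe msg="TOTP enrollment completed"',
    'ts=2024-09-01T10:05:00 src=10.20.30.40 dport=4433 user=asmith msg="SSLVPN login succeeded"',
    'ts=2024-09-01T10:05:10 src=10.20.30.40 dport=4433 user=asmith msg="Virtual Office Portal access"',
    'ts=2024-09-01T10:05:30 src=10.20.30.40 dport=4433 user=asmith msg="TOTP enrollment completed"',
    'ts=2024-09-01T10:07:00 src=198.51.100.77 dport=4433 user=bkim msg="SSLVPN login succeeded"',
    'this line does not match the assumed format and is skipped',
]

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) '
    r'user=(?P<user>\S+) msg="(?P<msg>[^"]+)"'
)


def parse_line(line):
    """Return a dict of fields for a line in the assumed format, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_trusted(src):
    """True when the source address falls inside one of the assumed trusted ranges."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Walk the log once and collect the four findings the advisory's guidance points at."""
    failures = Counter()                      # failed logins per source address
    findings = {
        "brute_force_sources": set(),         # sources at or above the failure threshold
        "success_after_failures": [],         # (user, src, prior failures) for logins that followed failures
        "untrusted_portal_or_mfa": [],        # (user, src, event) portal use / TOTP enrollment from outside
        "port_4433_sources": Counter(),       # every event on the SSLVPN port, per source
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, user, msg = ev["src"], ev["user"], ev["msg"]
        if ev["dport"] == SSLVPN_PORT:
            findings["port_4433_sources"][src] += 1
        if msg == "SSLVPN login failed":
            failures[src] += 1
            if failures[src] >= FAILED_LOGIN_THRESHOLD:
                findings["brute_force_sources"].add(src)
        elif msg == "SSLVPN login succeeded":
            if failures[src] > 0:
                findings["success_after_failures"].append((user, src, failures[src]))
        elif msg in ("Virtual Office Portal access", "TOTP enrollment completed"):
            if not is_trusted(src):
                findings["untrusted_portal_or_mfa"].append((user, src, msg))
    return findings


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {value}")
```

The per-source counter on port 4433 is deliberately an inventory rather than an alert, since ordinary remote users also reach SSLVPN from the internet; the alerting value is in the other three findings, especially a successful login that follows a burst of failures and is then followed by portal access and TOTP enrollment from the same external address, which matches the sequence Rapid7 describes.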