Ransomware gang going after improperly patched SonicWall firewalls


SonicWall firewalls that should have been patched a year ago for an improper access control vulnerability are being compromised by a ransomware gang, Australia’s cybersecurity authorities warned this week.

The Australian Cyber Security Centre is seeing an increase in active exploitation in that country of a 2024 critical vulnerability in SonicWall firewalls with SSL VPN enabled. “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” the warning said.

CVE-2024-40766, patched just over a year ago, is an improper access control vulnerability in SonicWall SonicOS management access and SSL VPN. It can lead to unauthorized resource access and, in specific conditions, crash the firewall. The issue affects SonicWall Gen 5 and Gen 6 firewalls, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

“Organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware,” the Australian alert stressed.

Rapid7 also issued a report this week saying its incident response team “has observed an uptick in intrusions involving SonicWall appliances.”

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability,” it added. “Instead, there is a significant correlation with threat activity related to CVE-2024-40766.”

These alerts follow an August notice from SonicWall that it was investigating “less than 40 incidents related to Gen 7 and newer firewalls with SSLVPN enabled.”

“Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset,” SonicWall said. “Resetting passwords was a critical step outlined in the original advisory.”

This isn’t just an attack on Australia, Allan Liska, a member of the field security response team at cybersecurity provider Recorded Future, said in an interview.

“The first reporting we’ve seen of Akira exploiting this SSL VPN goes back to at least January and maybe a little bit earlier” in the US and the UK, he said.

An affiliate of the Akira ransomware-as-a-service gang is behind it, he added.

Unfortunately, Liska said, SonicWall devices tend to be deployed by smaller organizations that may not have a dedicated IT or security team overseeing patching. “One of the reasons why ransomware actors have had so much success against VPNs is they tend to be unpatched much longer than other systems.”

In this case, not only does the patch have to be installed, but the admin user password has to be changed immediately afterward, he said.

According to researchers at Veeam, “[Akira ransomware] has cemented its reputation as one of the most relentless and disruptive cyber threats affecting organizations today. Akira has held the number one spot for six straight quarters in Coveware by Veeam’s case data, and in 2024, it was responsible for 14% of all ransomware incidents.” Typically, the report added, gang members gain entry to an IT network, using stolen credentials, through exposed remote access services like VPNs and Windows RDP. After that, they copy data for use in extortion, and then go after VMware ESXi servers to encrypt data.

Robert Beggs, who heads the Canadian incident response firm Digital Defence, believes the Akira ransomware gang has developed an automated system for detecting and exploiting unpatched SonicWall firewalls.

“It is not unusual for an attacker to wait for the dust to settle before targeting a reported vulnerability,” he added. “Companies that fail to patch a known vulnerability in an edge security product such as SonicWall VPN generally have poor cyber security overall, and will make a good target.”

Recorded Future’s Liska advised CISOs and IT leaders with SonicWall firewalls in their IT environments to make sure the devices are fully patched and the latest version of SonicOS is running, and to rotate the admin password. The Canadian Centre for Cyber Security added that changing admin passwords is especially important if they were carried over during migration from Gen 6 to Gen 7. Customers should also consider limiting the number of people who have VPN access.
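The two conditions described above, firmware still at an affected build and credentials never reset after the update (including passwords carried over in a Gen 6 to Gen 7 migration), can be checked across a fleet with a short triage script. The following is an added example written for this article, not code from SonicWall, the Australian Cyber Security Centre or any of the researchers quoted. It assumes an inventory the operator maintains by hand; the device names and version strings in it are constructed. The only numeric threshold it takes from the article is the Gen 7 build "7.0.1-5035 and older"; because the article names no fixed builds for Gen 5 and Gen 6, those generations are flagged for a firmware check against the vendor advisory rather than compared numerically.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Last affected Gen 7 build, taken from the advisory text quoted in the
# article ("7.0.1-5035 and older"). The article says Gen 5 and Gen 6 are
# affected outright and gives no fixed build for them, so this example
# flags every Gen 5/6 device for a firmware check rather than guessing.
GEN7_LAST_AFFECTED = "7.0.1-5035"


def parse_sonicos(version: str) -> tuple[int, int, int, int]:
    """Reduce a SonicOS version string such as '7.0.1-5035' to its first
    four numeric fields so builds can be compared as tuples.

    Assumption: suffixes after the build number (hotfix tags like '-R2904',
    or a trailing letter on Gen 6 builds) do not change the comparison.
    """
    fields = [int(x) for x in re.findall(r"\d+", version)]
    if len(fields) < 4:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(fields[:4])  # type: ignore[return-value]


@dataclass
class Firewall:
    name: str
    generation: int                   # 5, 6 or 7
    sonicos: str                      # firmware string as shown in the UI
    sslvpn_enabled: bool
    creds_reset_after_update: bool    # local/admin passwords rotated post-patch
    migrated_from_gen6: bool = False  # Gen 7 config imported from a Gen 6 box


def firmware_affected(fw: Firewall) -> bool:
    """True if the firmware itself still needs the CVE-2024-40766 update."""
    if fw.generation == 7:
        return parse_sonicos(fw.sonicos) <= parse_sonicos(GEN7_LAST_AFFECTED)
    # Gen 5 and Gen 6: affected per the article; verify the actual fixed
    # build against SonicWall's advisory before clearing these.
    return fw.generation in (5, 6)


def triage(fw: Firewall) -> list[str]:
    """Findings for one device; an empty list means nothing to do here.

    Two independent conditions keep a device exploitable: firmware still at
    an affected build, and credentials that were never reset after the
    update (the Gen 6 -> Gen 7 migration case SonicWall described).
    """
    findings: list[str] = []
    if firmware_affected(fw):
        findings.append("FIRMWARE: at or below the affected build, upgrade SonicOS")
    if not fw.creds_reset_after_update:
        why = ("carried over from the Gen 6 migration" if fw.migrated_from_gen6
               else "not rotated after the firmware update")
        findings.append(f"CREDENTIALS: local/admin passwords {why}, reset them")
    if findings and fw.sslvpn_enabled:
        findings.append("EXPOSURE: SSL VPN enabled, reachable with the old "
                        "passwords until the items above are done")
    return findings


def exposed_devices(inventory: list[Firewall]) -> list[str]:
    """Names of devices with open findings, SSL VPN-enabled ones first."""
    open_items = [(fw, triage(fw)) for fw in inventory]
    open_items = [(fw, f) for fw, f in open_items if f]
    open_items.sort(key=lambda item: (not item[0].sslvpn_enabled, item[0].name))
    return [fw.name for fw, _ in open_items]


# Constructed inventory for the example (not real devices or real data).
INVENTORY = [
    Firewall("branch-fw-01", 7, "7.0.1-5035", True, False),
    Firewall("hq-fw-01", 7, "7.1.1-7058", True, True),
    Firewall("dc-fw-02", 7, "7.0.1-5119", True, False, migrated_from_gen6=True),
    Firewall("legacy-fw-03", 6, "6.5.4.15-116n", False, True),
]

if __name__ == "__main__":
    for fw in INVENTORY:
        items = triage(fw)
        print(f"{fw.name} ({fw.sonicos}): {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

Note that "dc-fw-02" is the case SonicWall described: the firmware is past the affected build, yet the device still surfaces because its local passwords were imported from the old Gen 6 configuration. A patch-only check would have marked it clean.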

To lower the odds of being victimized by ransomware, Liska, who is also a member of the Institute for Security and Technology (IST) Ransomware Task Force, said organizations should:

patch all internet-exposed systems as soon as fixes are released;

enable phishing-resistant multi-factor authentication for all users;

monitor the internet for leaked credentials;

run a regular phishing security awareness campaign for employees.

CISOs can also refer to the IST’s Blueprint for Ransomware Defense for more tips.
