Akira Ransomware Actors Exploit SonicWall Bug for RCE

CISA has added CE-2024-40766 to its known exploited vulnerabilities catalog.

Jai Vijayan, Dark Reading

September 9, 2024

2 Min Read
a red ransomware button on a keyboard with a broken padlock on top of it

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its catalog of known exploited vulnerabilities (KEV). The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

Improper Access Control Bug

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Related:Linux Ransomware Threats: How Attackers Target Linux Systems

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

Continue Reading This Article on Dark Reading

Read more about:

Dark Reading

About the Authors

Jai Vijayan

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.

See more from Jai Vijayan
Dark Reading

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

See more from Dark Reading
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a stressed employee at their laptop and collaboration icons gone amok
Unified Communications
Microsoft Teams Is Acting Up. What Can We Do?Microsoft Teams Is Acting Up. What Can We Do?
byBrien Posey
Sep 12, 2024
4 Min Read
person placing a block between two columns of blocks
IT Management
Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?
byNathan Eddy
Sep 7, 2024
7 Min Read
data privacy quiz sample question above a desk
Data Privacy
Data Privacy Quiz: 20 Questions To Test Your KnowledgeData Privacy Quiz: 20 Questions To Test Your Knowledge
byIan Horowitz
Aug 30, 2024
1 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

A cartoon of a person sitting at a computer, with speech bubbles—one from the person saying Hello and one from the computer responding with Hello
PowerShell
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesPowerShell Speech Recognition: Set up Voice Commands and Responses
Migrating From VMware Guide cover
VMWare
Migrating From VMware: Guide to a Successful TransitionMigrating From VMware: Guide to a Successful Transition
a wall and fire with the words linux uncomplicated firewall (ufw) tutorial, configure and manage
Linux OS
Linux UFW (Uncomplicated Firewall) Configuration Made EasyLinux UFW (Uncomplicated Firewall) Configuration Made Easy
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained
ITPro Today's tech careers quick reference guide cover
Career Management
Tech Careers: Quick Reference Guide to IT Job TitlesTech Careers: Quick Reference Guide to IT Job Titles