

Ethical Hacking News

Akira Ransomware Exploits Critical SonicWall SSLVPN Flaw, Leaving Organizations Vulnerable to Data Breaches




Akira ransomware is once again exploiting a critical vulnerability in SonicWall devices, leaving numerous organizations vulnerable to data breaches due to unpatched SSLVPN endpoints. The attackers are using the bug to bypass multi-factor authentication (MFA) or time-based one-time passwords (TOTP), granting unauthorized access. Organizations with unpatched SonicWall devices should apply the latest available firmware and follow SonicWall's recommended remediation measures immediately.

  • Akira ransomware is exploiting a critical-severity access control bug in SonicWall devices (CVE-2024-40766) that allows unauthorized resource access and can cause firewall crashes if left unpatched.
  • The vulnerability has been recognized by several cybersecurity firms and organizations, including Rapid7, which have observed a recent resurgence of Akira ransomware attacks on SonicWall devices.
  • A patch for the bug was released in August 2024, but some organizations have failed to apply it in a timely manner, enabling Akira ransomware actors to launch targeted attacks.
  • Organizations that use SonicWall security solutions are urged to update their devices to the latest available firmware version, rotate account passwords, and enforce MFA to mitigate the risk.
  • The impact of this vulnerability is extensive, affecting several generations of SonicWall firewalls, including Gen 5, Gen 6, and Gen 7 models running different firmware versions.



    Akira ransomware, a notorious group known for its aggressive tactics in compromising networks via unpatched vulnerabilities, has been spotted actively exploiting a critical-severity access control bug in SonicWall devices. This vulnerability, identified as CVE-2024-40766, has already been recognized by several cybersecurity firms and organizations, including Rapid7, which has observed that Akira ransomware attacks on SonicWall devices have recently re-ignited, likely tied to incomplete remediation.

    For those unfamiliar with the issue, CVE-2024-40766 is a vulnerability in the default SSLVPN endpoint of SonicWall's network security appliances. This flaw allows unauthorized resource access and can cause firewall crashes if left unpatched. In August 2024, SonicWall released a patch for this critical-severity bug, which has been met with widespread adoption among organizations that use their security solutions.

    However, despite the availability of a patch, some organizations have failed to apply it in a timely manner. This lack of urgency has enabled Akira ransomware actors to capitalize on this vulnerability and launch targeted attacks on networks that have not yet patched their SonicWall devices.

    Akira ransomware has been linked to several high-profile breaches in recent months, including those involving major organizations in Australia. The attackers leverage the security issue to gain access to target networks via unpatched SonicWall SSL VPN endpoints. This method allows them to bypass multi-factor authentication (MFA) or time-based one-time passwords (TOTP), granting unauthorized access.

    In a statement released last month, SonicWall noted that it had investigated up to 40 security incidents related to this activity. The vendor has since issued an advisory urging organizations to apply the patch and take additional measures to secure their networks, including rotating account passwords, enforcing MFA, mitigating the SSLVPN Default Groups risk, and restricting Virtual Office Portal access.

    Cybersecurity firm Rapid7 has also been monitoring this vulnerability and warns that threat actors are exploiting it in various ways. These include using the broad access permissions of default user groups to authenticate and connect to VPNs, as well as leveraging the public access permission of the Virtual Office Portal on SonicWall devices. It is essential for organizations to follow SonicWall's advice for remediation.

    The impact of this vulnerability is extensive, affecting several generations of SonicWall firewalls, including Gen 5, Gen 6, and Gen 7 models running different firmware versions.

    System administrators are strongly advised to update their devices to the latest available firmware version, rotate account passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict access to the Virtual Office Portal to trusted or internal networks. Organizations should ensure that these patches are applied promptly to prevent potential attacks from Akira ransomware.
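The remediation items listed above can be tracked per device with a small audit over inventory data. The following is an added example, not code from SonicWall or from this article: the record layout, field names, sample values and trusted ranges are all hypothetical, and it assumes that a password last changed before the firmware update has not been rotated.

```python
from datetime import date
from ipaddress import ip_network

# Constructed inventory record. All field names are hypothetical; populate
# them from your own configuration export or asset database.
SAMPLE_FIREWALL = {
    "name": "fw-branch-01",
    "firmware_updated": date(2025, 8, 20),    # None if latest firmware not applied
    "default_group_access": ["any"],          # what the SSLVPN default group can reach
    "portal_allowed_sources": ["0.0.0.0/0"],  # who can reach the Virtual Office Portal
    "accounts": [
        {"user": "alice", "password_changed": date(2025, 9, 1), "mfa": True},
        {"user": "svc-backup", "password_changed": date(2024, 3, 5), "mfa": False},
    ],
}

# Assumed trusted/internal ranges; replace with your own.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_trusted(cidr, trusted=TRUSTED_NETS):
    """True only if the whole source range sits inside a trusted network."""
    net = ip_network(cidr)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit(fw, trusted=TRUSTED_NETS):
    """Return one finding per remediation item that is still open."""
    findings = []
    updated = fw["firmware_updated"]
    if updated is None:
        findings.append("firmware: latest version not applied")
    for acct in fw["accounts"]:
        # Assumption: a password older than the firmware update was never rotated.
        if updated is None or acct["password_changed"] < updated:
            findings.append(f"password: {acct['user']} not rotated since update")
        if not acct["mfa"]:
            findings.append(f"mfa: {acct['user']} has no MFA enforced")
    if "any" in fw["default_group_access"]:
        findings.append("default-group: SSLVPN default group has broad access")
    for src in fw["portal_allowed_sources"]:
        if not is_trusted(src, trusted):
            findings.append(f"portal: Virtual Office Portal reachable from {src}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FIREWALL):
        print(f"{SAMPLE_FIREWALL['name']}: {finding}")
```

An empty result means every item in the list is closed for that device; a device that was patched but still reports password or MFA findings is the incomplete-remediation case the article describes.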

    Furthermore, a recent alert issued by the Australian Cyber Security Centre (ACSC) has warned organizations of this new malicious activity, urging immediate action. This incident highlights the importance of keeping up to date with security patches and actively monitoring networks for suspicious activity.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Akira-Ransomware-Exploits-Critical-SonicWall-SSLVPN-Flaw-Leaving-Organizations-Vulnerable-to-Data-Breaches-ehn.shtml

  • Published: Thu Sep 11 11:51:42 2025 by llama3.2 3B Q4_K_M












