Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks
Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug.
Akira is also poking holes in SonicWall SSLVPN misconfigurations, abusing all of these security risks to gain access to vulnerable devices and conduct ransomware attacks, according to a Rapid7 warning on Wednesday.
“The number of Rapid7 customers utilizing SonicWall appliances is in the hundreds, and we’ve already responded to a double-digit number of customer incidents stemming from one or more of the three threats we’ve outlined in today’s advisory,” the Rapid7 incident response team told The Register. “Therefore, we think there is a potential for widespread industry impact here.”
The attacks are tied to CVE-2024-40766, a 9.8 CVSS-rated improper access control flaw originally disclosed in August 2024. Both Akira and Fog ransomware criminals used this CVE last year to gain initial access to victim orgs, and last month SonicWall said not all companies took the needed steps to mitigate the issue.
“In terms of exposure, over 438,000 SonicWall devices were still publicly accessible in the last 30 days, representing a significant attack surface,” Bitsight researcher Emma Stevens told The Register.
In other words: quite a few organizations still have some patching and other mitigations to check off their lists.
It started last year
Between September and December 2024, at least 100 organizations were compromised via CVE-2024-40766, according to Stevens, with both Akira and Fog ransomware gangs abusing the security hole to “gain initial access, typically moving to full encryption in under 10 hours in some cases.”
In early August of this year, SonicWall confirmed that it was investigating a wave of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs.
Shortly after, the firewall vendor said it had “thoroughly investigated the matter,” and a SonicWall spokesperson told The Register, “we have high confidence that this activity is related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, not a new zero-day or unknown vulnerability.”
During the latest round of exploitation, SonicWall said it documented “fewer than 40 confirmed cases” as of early August, and said those appear to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls.
The vendor directed customers to its updated guidance that included steps to change credentials and upgrade to SonicOS 7.3.0 with stronger multi-factor authentication (MFA) protections.
The Register has asked SonicWall for a more recent infection count, and whether it’s seen additional ransomware groups beyond Akira exploiting this bug as of 2025. We will update this story if we receive responses to our questions.
Also last month, security companies again started sounding the alarm on Akira infecting buggy SonicWall devices, with ThreatLocker and Arctic Wolf noting an uptick beginning as early as July 22, “although similar malicious VPN logins have been observed to some extent since at least October 2024.”
And on Wednesday, Rapid7 warned that SonicWall’s updated guidance around CVE-2024-40766 can present an additional security risk if customers keep the default LDAP group configurations, which can over-provision access to the SSLVPN services.
“This can allow users who are not permitted to SSLVPN to successfully obtain access to the SSLVPN irrespective of Active Directory configurations,” the security firm explained.
Rapid7’s threat hunters have also spotted miscreants accessing SonicWall appliances’ Virtual Office portal. Customers can use this portal to set up MFA and time-based one-time password (TOTP) configurations for SSLVPN users, but some default configurations leave it publicly accessible.
This means attackers can “configure MFA/TOTP with valid accounts if there is a prior username and password credential exposure,” according to Rapid7.
“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” the security shop warned.
So, in addition to applying the latest patches, make sure that MFA policies are turned on for SonicWall services, and restrict the Virtual Office portal to local-network or internal access only to avoid becoming Akira’s next victim. ®