SonicWall Warns of Akira Ransomware Exploiting Known Vulnerability
SonicWall has confirmed that the recent Akira ransomware attacks are exploiting a known vulnerability in SonicWall SonicOS management access. The attacks, which have targeted VMware ESXi servers, are not connected to a zero-day vulnerability but rather the exploitation of CVE-2024-40766.
SonicWall is currently investigating fewer than 40 incidents related to this activity. Many of them are tied to firewall migrations in which local account passwords were carried over and never reset. The Akira ransomware group is likely using three vectors for initial access: CVE-2024-40766, the SSLVPN Default Users Group risk, and exposed credentials in the Virtual Office Portal. SonicWall has issued new guidance on the SSLVPN Default Users Group risk, and Rapid7 observed threat actors using exposed credentials to abuse the Virtual Office Portal for MFA/TOTP configuration.
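The two account-level conditions the advisory points at (passwords carried over unchanged through a migration, and SSLVPN access that still flows through the default users group) are straightforward to audit once the local user list has been exported. The following is an added example, not SonicWall's or Rapid7's code: it runs the audit over a constructed, hypothetical user inventory (the `LocalUser` record, the migration date, and the group name `SSLVPN Services` are all assumptions) and ranks accounts that are both remote-accessible and carrying a pre-migration password as the ones to reset first.

```python
"""Post-migration credential hygiene audit (added example, not vendor code).

Flags local accounts whose password was never reset after a firewall
migration and SSLVPN-enabled accounts that rely on the default users group.
The inventory format is constructed and hypothetical; a real audit would be
fed from the appliance's own exported user list.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LocalUser:
    name: str
    password_changed: date        # last recorded password change for the account
    groups: tuple                 # group memberships as listed on the appliance
    sslvpn_enabled: bool          # whether the account can log in over SSLVPN


# Constructed sample data: the migration date and group name are assumptions.
MIGRATION_DATE = date(2024, 9, 1)
DEFAULT_SSLVPN_GROUP = "SSLVPN Services"   # placeholder for the default users group

SAMPLE_USERS = [
    LocalUser("admin",      date(2023, 2, 14), ("Administrators",),  False),
    LocalUser("jdoe",       date(2024, 9, 5),  ("SSLVPN Services",), True),
    LocalUser("vpnsvc",     date(2022, 11, 3), ("SSLVPN Services",), True),
    LocalUser("contractor", date(2024, 10, 2), ("Everyone",),        True),
]


def stale_passwords(users, migration_date):
    """Accounts whose password predates the migration, i.e. carried over unchanged."""
    return sorted(u.name for u in users if u.password_changed < migration_date)


def default_group_vpn_users(users, default_group):
    """SSLVPN-enabled accounts whose access depends on the default users group."""
    return sorted(
        u.name for u in users if u.sslvpn_enabled and default_group in u.groups
    )


def reset_first(users, migration_date, default_group):
    """Highest priority: remote-accessible accounts with a pre-migration password."""
    stale = set(stale_passwords(users, migration_date))
    vpn = {u.name for u in users if u.sslvpn_enabled}
    return sorted(stale & vpn)


def audit(users, migration_date=MIGRATION_DATE, default_group=DEFAULT_SSLVPN_GROUP):
    """Return the three finding lists keyed by the remediation they call for."""
    return {
        "reset_password": stale_passwords(users, migration_date),
        "review_default_group": default_group_vpn_users(users, default_group),
        "reset_first": reset_first(users, migration_date, default_group),
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_USERS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

On the sample inventory, `admin` and `vpnsvc` still carry pre-migration passwords, `jdoe` and `vpnsvc` reach SSLVPN through the default group, and `vpnsvc` is the account to reset first because it meets both conditions. The date comparison is deliberately strict: an account whose password was changed on the migration day itself is treated as reset, so choose the migration date conservatively.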
SonicWall addressed the flaw in August 2024, and it was added to the US CISA Known Exploited Vulnerabilities (KEV) catalog in September 2024. Akira ransomware has been active since March 2023, targeting organizations across multiple industries. The attacks are attributed to a cybercriminal group linked to the former Conti organization, which employs a double-extortion model: data is stolen before systems are encrypted, and both are used to pressure victims for payment. The group has primarily targeted the retail, finance, manufacturing, and medical sectors, mainly in the UK and Australia, with attacks frequently exploiting vulnerabilities in SonicWall and other SSL VPN devices.
SonicWall urges users to update their systems to the latest patched version and to follow its new guidance to mitigate the risks associated with the Akira ransomware attacks. The company continues to investigate the incidents and will provide updates as necessary.