
SonicWall firewalls targeted by fresh Akira ransomware surge

A recent wave of attacks targeting SonicWall customers has researchers and authorities on alert. Many victim organizations had misconfigurations in their systems.
SonicWall's headquarters in Milpitas, California. (Getty Images)

Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise. 

A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploitation of the defect, an improper access control flaw in the secure sockets layer (SSL) VPN component of multiple SonicWall firewall versions, combined with configuration errors in victim environments. 

Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.

The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organisations through SonicWall SSL VPNs,” the agency said.


Rapid7’s incident response team told CyberScoop it has spotted a steady increase in attacks since July, sometimes multiple incidents per week among its customers. Because Rapid7 sees only its own customer base, the overall impact could be much wider. 

SonicWall, which initially disclosed the vulnerability in August 2024, did not respond to a request for comment. Previously patched but improperly configured devices are showing up in many compromised environments. 

“In the vast majority of cases our team is working, the SonicWall firewalls have been upgraded to a version that patches CVE-2024-40766,” Rapid7’s incident response team said in an email. “The remediation step of changing local passwords was not completed, and attackers were therefore able to gain unauthorized access to the devices.”

SonicWall last month said many of the attacks in late July involved customers that migrated from Gen 6 to Gen 7 firewalls without resetting passwords. Customers have since been impacted by multiple configuration errors, according to Rapid7.

Researchers have identified attackers abusing default lightweight directory access protocol (LDAP) group configurations, which can overprovision access to SonicWall’s SSL VPN services. Attackers have also accessed the virtual office portal on SonicWall devices, likely in a bid to find users with compromised credentials or accounts lacking multifactor authentication, according to Rapid7.
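The three gaps described above (local passwords never rotated after the firmware fix, default LDAP group mappings that pour a whole directory into the SSL VPN group, and VPN users without a second factor) are all things an administrator can check from a user and group export. The following script is an added example and is not code from SonicWall, Rapid7 or the article; the inventory format, the group name "SSLVPN Services", the catch-all directory group names and the sample accounts are all constructed for illustration, so a real audit would map the device's actual export into these fields.

```python
"""Post-patch hygiene audit for SSL VPN accounts (added example, not vendor code).

The account/group/mapping structures below are constructed for illustration.
The cutoff question for local accounts is: was the password set AFTER the
fixed firmware went on?  If not, a credential harvested before the patch is
still valid, which is the failure mode incident responders describe.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: the firewall group whose members are allowed to use the SSL VPN.
SSLVPN_GROUP = "SSLVPN Services"

# Assumption: directory groups so broad that mapping them onto SSLVPN_GROUP
# effectively grants VPN access to every directory account.
CATCH_ALL_DIRECTORY_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}


@dataclass(frozen=True)
class Account:
    username: str
    is_local: bool                      # local firewall user (True) vs. LDAP-backed (False)
    password_last_set: Optional[date]   # None = unknown; treated as never rotated
    mfa_enabled: bool
    groups: frozenset = frozenset()     # effective firewall group memberships


def audit_accounts(accounts: List[Account], patch_applied: date,
                   ldap_group_map: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (subject, issue) findings for the three misconfigurations."""
    findings: List[Tuple[str, str]] = []

    # 1. Local accounts whose password predates the patch: the firmware is
    #    fixed, but a password captured earlier still opens the door.
    for acct in accounts:
        if acct.is_local and (acct.password_last_set is None
                              or acct.password_last_set <= patch_applied):
            findings.append((acct.username, "local password not rotated after patch"))

    # 2. LDAP mappings that place a catch-all directory group into the SSL VPN
    #    group, so any domain account can reach the VPN portal.
    for directory_group, fw_group in ldap_group_map.items():
        if fw_group == SSLVPN_GROUP and directory_group in CATCH_ALL_DIRECTORY_GROUPS:
            findings.append((f"{directory_group} -> {fw_group}",
                             "catch-all directory group grants SSL VPN access"))

    # 3. Anyone with SSL VPN access but no second factor: a stolen or reused
    #    password alone is enough to log in.
    for acct in accounts:
        if SSLVPN_GROUP in acct.groups and not acct.mfa_enabled:
            findings.append((acct.username, "SSL VPN access without MFA"))

    return findings


# Constructed sample inventory (not real data).
PATCH_APPLIED = date(2024, 9, 1)   # constructed: day the fixed firmware was installed
SAMPLE_ACCOUNTS = [
    Account("admin",   True,  date(2024, 5, 2),  False, frozenset({"Administrators"})),
    Account("vpn-svc", True,  date(2024, 9, 20), True,  frozenset({SSLVPN_GROUP})),
    Account("jdoe",    False, None,              False, frozenset({SSLVPN_GROUP})),
    Account("msmith",  False, None,              True,  frozenset({SSLVPN_GROUP})),
]
SAMPLE_LDAP_MAP = {"Domain Users": SSLVPN_GROUP, "VPN-Admins": "Administrators"}

if __name__ == "__main__":
    for subject, issue in audit_accounts(SAMPLE_ACCOUNTS, PATCH_APPLIED, SAMPLE_LDAP_MAP):
        print(f"{subject:32} {issue}")
```

Run against the sample inventory, the audit flags the un-rotated "admin" password, the "Domain Users" mapping into the SSL VPN group, and "jdoe" as a VPN user without MFA, while "vpn-svc" (rotated after the patch, MFA on) and "msmith" (MFA on) pass. The patch date is the key input: rotating a local password before the fix went on does not help, because the vulnerable firmware could still have exposed the new credential.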


The assessed root cause of the attacks on SonicWall devices has shifted. Researchers initially suggested a zero-day vulnerability might have been involved in the first series of attacks in July, but SonicWall ruled that out in early August, as more attacks were discovered, and attributed the activity to CVE-2024-40766. 

SonicWall customers are no strangers to actively exploited vulnerabilities. The vendor has appeared 14 times on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA.

Rapid7 attributes all of the recent attacks involving SonicWall firewalls to Akira ransomware. 

Akira affiliates typically steal data and encrypt systems before they attempt to extort victims. Akira ransomware impacted more than 250 organizations from March 2023 to January 2024, claiming about $42 million in extortion payments, CISA said in an advisory last year.
