Akira Ransomware Campaign Exploits SonicWall SSLVPN Vulnerability

Akira ransomware affiliates leverage a vulnerability (CVE-2024-40766) in SonicWall's firewall devices, compromising SSLVPN user accounts not integrated with centralized authentication solutions

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 6, 2024, Arctic Wolf Threat Intelligence reported a surge in ransomware attacks exploiting SonicWall SSLVPN accounts. The Akira ransomware affiliates leverage a vulnerability (CVE-2024-40766) in SonicWall's firewall devices, compromising SSLVPN user accounts not integrated with centralized authentication solutions, such as Microsoft Active Directory. This critical vulnerability, initially disclosed on August 22, 2024, now appears to be actively exploited, posing significant risks to organizations using the affected systems.

Report Overview

The remote code execution vulnerability, CVE-2024-40766, was first disclosed in SonicOS and affected several SonicWall firewall models. When initially announced, there was no indication of active exploitation or any available proof-of-concept exploits. However, as of early September, security advisories have been updated to reveal ongoing exploitation. Specifically, the vulnerability allows attackers to target management access and local SSLVPN accounts on SonicWall devices with no multi-factor authentication (MFA) for the compromised accounts.

Akira ransomware affiliates have used compromised local SSLVPN accounts on vulnerable SonicWall devices as the primary entry point into targeted networks. In the campaign observed by Arctic Wolf, these accounts lacked integration with centralized authentication methods, leaving them vulnerable to attack. Additionally, the SonicOS firmware versions on affected devices were within the range known to be exploitable via CVE-2024-40766.

MFA was disabled for all the affected accounts, providing attackers with a straightforward route to gain access. Once inside the network, attackers likely used standard ransomware tactics, encrypting data and demanding a ransom for the decryption key.

The vulnerability impacts various SonicWall firewall models, including Gen5, Gen6, and Gen7 devices running older versions of SonicOS firmware. Failure to patch these devices could leave organizations vulnerable to ransomware attacks, data breaches, and significant operational downtime.

Affected devices include:

  • SOHO (Gen 5) Firewalls with SonicOS versions 5.9.2.14-12o and older.
  • Gen6 and Gen7 Firewalls running SonicOS versions 6.5.4.14-109n and older.

Arctic Wolf warns that organizations using these devices without the latest firmware updates or MFA-enabled SSLVPN accounts are at an increased risk of ransomware attacks.

Insights and Analysis

Arctic Wolf advises all organizations to update SonicWall devices to the latest supported SonicOS firmware versions. Updated patches are available on the SonicWall portal (mysonicwall.com), and users are urged to apply them immediately.

Password Reset:

Organizations should reset all SSLVPN account passwords for locally managed accounts and enforce password changes for all users. SonicWall administrators can manually enable the "User must change password" option in the system setup.

Enable MFA:

SonicWall recommends enabling MFA for all locally managed SSLVPN accounts to add an additional layer of protection. Administrators can refer to SonicWall's knowledge base for detailed instructions on configuring two-factor authentication (2FA) for SSL VPN.

Restrict WAN Access:

To mitigate further risk, organizations are encouraged to turn off WAN management and SSLVPN access from the internet or restrict access to trusted sources. Limiting these exposures can significantly reduce the attack surface available to ransomware affiliates.
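The risk pattern described above (a locally managed SSLVPN account, no MFA, firmware still inside the affected range) is simple to audit against an inventory export. The following is an added example, not code from the Arctic Wolf report or from SonicWall: it parses SonicOS version strings of the form shown in the affected-device list, compares them with the ceilings stated on this page (which should be checked against the vendor advisory), and lists the accounts that need the password reset and MFA enrolment recommended above. The account fields and the alphabetical ordering of the trailing version letter are assumptions.

```python
import re
from dataclasses import dataclass

# Affected-firmware ceilings as listed in this write-up, keyed by hardware
# generation; confirm them against SonicWall's advisory before relying on them.
MAX_AFFECTED = {"Gen5": "5.9.2.14-12o", "Gen6": "6.5.4.14-109n", "Gen7": "6.5.4.14-109n"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]*)$")

def parse_sonicos_version(version: str):
    """'6.5.4.14-109n' -> ((6, 5, 4, 14), 109, 'n'), a key that sorts correctly.
    The trailing letter is assumed to order alphabetically (an assumption here)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    dotted, build, suffix = m.groups()
    return tuple(int(p) for p in dotted.split(".")), int(build), suffix

def is_affected_firmware(generation: str, version: str) -> bool:
    """True when the firmware is at or below the listed ceiling for its generation."""
    return parse_sonicos_version(version) <= parse_sonicos_version(MAX_AFFECTED[generation])

@dataclass
class SslvpnAccount:
    name: str
    local_user: bool    # True = locally managed; False = AD/LDAP/RADIUS-backed
    mfa_enabled: bool

def exposed_accounts(generation: str, version: str, accounts) -> list:
    """Names of accounts matching the pattern Arctic Wolf described: a local
    SSLVPN user without MFA on a device that still runs affected firmware."""
    if not is_affected_firmware(generation, version):
        return []
    return [a.name for a in accounts if a.local_user and not a.mfa_enabled]

# Constructed sample inventory for demonstration only (not real data).
SAMPLE_ACCOUNTS = [
    SslvpnAccount("vpn-contractor", local_user=True, mfa_enabled=False),
    SslvpnAccount("jdoe", local_user=False, mfa_enabled=False),  # AD-backed
    SslvpnAccount("backup-admin", local_user=True, mfa_enabled=True),
]

if __name__ == "__main__":
    for name in exposed_accounts("Gen6", "6.5.4.14-105n", SAMPLE_ACCOUNTS):
        print(f"reset password and enable MFA: {name}")
```

An AD-backed account without MFA is deliberately not flagged here, since the page's finding concerns local accounts; it still deserves MFA under the general recommendation.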

The Akira ransomware campaign highlights the critical need for organizations to remain vigilant in applying security patches and enforcing best practices like MFA. SonicWall's advisory and Arctic Wolf's threat intelligence underline the importance of immediate action to secure vulnerable devices and prevent further exploitation. Organizations should act swiftly to patch affected systems, reset user passwords, and enable multi-factor authentication to minimize the risk of ransomware attacks.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Table

| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Compromise of SSLVPN accounts through exploitation of the CVE-2024-40766 vulnerability in SonicWall devices. |
| Persistence | Valid Accounts | T1078 | Attackers used valid, compromised SSLVPN credentials to maintain access. |

References

  • Arctic Wolf, "Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts" (Arctic Wolf Threat Intelligence, September 2024).
  • NVD, CVE-2024-40766.
  • SonicWall, Security Advisory for CVE-2024-40766.