Akira Ransomware Actors Exploit SonicWall Bug for RCE

  /     /     /  
Publicated : 23/11/2024   Category : security


Akira Ransomware Actors Exploit SonicWall Bug for RCE


CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.



Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.
The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to
add the vulnerability
, identified as
CVE-2024-40766
, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.
CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.
SonicWall
first disclosed the bug
on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the companys recommended mitigations for it.
Artic Wolf on Friday said it had
observed Akira ransomware affiliates
abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory, Arctic Wolf said.  Additionally, MFA was disabled for all compromised accounts.
SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet, SonicWall advised.
The company is also strongly advocating that administrators of the companys Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.
SonicWalls firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UKs
National Cyber Security Center
(NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.
Earlier this year,
CISA, for instance
, identified Chinas notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access.
In a 2023 report
, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses,
by state sponsored actors
and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.
Concerns over heightening government exposure to such attacks prompted CISA to
issue a binding operational directive
in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

Last News

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Akira Ransomware Actors Exploit SonicWall Bug for RCE