Ransomware, Vulnerability Management, Patch/Configuration Management

Akira ransomware sets sights on vulnerable SonicWall devices

Multiple misconfigurations in SonicWall SSL VPN instances have been leveraged by the Akira ransomware operation in its intrusions, The Register reports.

Aside from targeting vulnerable SonicWall devices impacted by the critical improper access vulnerability CVE-2024-40766, which was recently noted by SonicWall to be related to the compromise of an already patched 2024 flaw, Akira has also been setting its sights on default LDAP group configurations and SonicWall appliances' Virtual Office portal to infiltrate networks, according to an alert from Rapid7.

"The number of Rapid7 customers utilizing SonicWall appliances is in the hundreds, and we've already responded to a double-digit number of customer incidents stemming from one or more of the three threats we've outlined in today's advisory," said Rapid7.

Intrusions exploiting CVE-2024-40766, which have already compromised at least 100 entities during the last four months of 2024, could still affect over 438,000 internet-exposed SonicWall instances, noted Bitsight researcher Emma Stevens.
