Ransomware, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security

SonicWall SSL VPNs still under attack from Akira ransomware group

Business person uses laptop to reset password. Security code displayed on screen. Cybersecurity concept. Modern tech for data protection. Person enters security code, on laptop. Password reset page

(Adobe Stock)

The Akira ransomware group continued its attacks on SonicWall SSL VPN devices over the past month by taking advantage of previously compromised accounts, according to a Sept. 10 blog by Rapid7.

Security teams should take note that SonicWall posted last month that the SSL VPN activity aimed at its firewalls took advantage of a year-old 9.3 vulnerability — CVE-2024-40766 — in which local user passwords were carried over during migration and not reset.

According to Rapid7, the fix for the year-old flaw came in the form of a patch from SonicWall. But within the remediation steps was an additional step of resetting all local account passwords — which appears to be a critical step within the remediation process that was missed by a handful of SonicWall clients.

“This risk caused the Akira ransomware group to gain network access via SonicWall devices without using an exploit, but rather by reusing previously compromised accounts and passwords,” said the researchers.

The Rapid7 researchers said anyone using SonicWall firewalls should validate the devices’ patch levels, make sure any previous remediation steps from any CVEs were completed successfully, and perform an audit on security configurations. This includes inventory of any local accounts, LDAP group configurations, access policies for Virtual Office Portals, and MFA configurations for users. Additionally, if clients have the ability to collect and store SonicWall logs, these can also assist if any investigations are required.

Lawrence Pingree, technical evangelist at Dispersive.io, added that security pros are starting to realize that protocols and tools like SSL and IPSec are big targets because of how these are implemented. Pingree said patching and remediating vulnerable infrastructure is difficult because of the traffic and uptime requirements and limited change windows for patching.

“In this case, the hackers seemed to exploit a design flaw, something that developers can quickly remediate,” said Pingree. “Keep in mind, just because a device is a security device, does not mean it can't or won't become vulnerable, so upgrading the network and eliminating attack surfaces should be a key focus area.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Anti-MalwareAntivirus SoftwareBring Your Own Device (BYOD)Buffer OverflowBugEndpoint SecurityExtranetFirmwareKeyloggerRegistry

You can skip this ad in 5 seconds