
A SonicWall SSL VPN vulnerability, tracked as CVE-2024-40766, has been exploited in recent cyberattacks involving the Akira and Fog ransomware.
Initial access to victim environments came through compromised SonicWall SSL VPN accounts, often local to the device and lacking MFA; threat actors obtained them by exploiting vulnerabilities such as CVE-2024-40766 or through brute-force attacks.
Malicious logins frequently originated from VPS providers and were associated with ransomware groups such as Akira. Successful intrusions were often marked by the deletion of firewall logs, done to hinder investigation efforts.
To reduce the impact of these threats, it is essential to implement timely detection and prevention strategies, such as monitoring for suspicious VPN logins from shared IP addresses.
The rapid escalation of these attacks, with encryption occurring within hours, underscores the critical need for organizations to prioritize the security of their SonicWall firewalls and implement robust security measures to mitigate the risks associated with ransomware.
SonicWall urges customers to apply the patches as soon as possible. It also provided a workaround to minimize potential risk: restrict firewall management to trusted sources or disable firewall WAN management from Internet access. Similarly, for SSLVPN, ensure that access is limited to trusted sources or disable SSLVPN access from the Internet.
The investigations reveal a significant rise in ransomware attacks targeting SonicWall firewalls since August 2024. However, definite proof of exploitation of vulnerabilities such as CVE-2024-40766 is lacking; compromised VPN credentials, possibly obtained through data breaches, are suspected instead.
The threat actors’ tactics have evolved, including rapid data exfiltration and expanding target sectors beyond education.
Organizations need to prioritize firmware updates, monitor VPN logins, maintain secure backups, and actively monitor for post-compromise activity to reduce the likelihood of these risks materializing.
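As an added example (not code from the original post), the VPN-login checks recommended above, run over a handful of constructed login records: accounts sharing one source IP, successful logins from hosting/VPS ranges, and a success following repeated failures. The record layout and the VPS address range are assumptions for illustration, not SonicWall's log schema or a real provider list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, not real SonicWall output: (epoch secs, user, source IP, outcome)
SAMPLE_EVENTS = [
    (1000, "jsmith", "203.0.113.10", "success"),
    (1060, "backup", "203.0.113.10", "success"),
    (1120, "admin", "203.0.113.10", "success"),
    (1500, "mlee", "198.51.100.7", "success"),
    (2000, "svc_scan", "192.0.2.44", "failure"),
    (2005, "svc_scan", "192.0.2.44", "failure"),
    (2010, "svc_scan", "192.0.2.44", "success"),
]
# Hypothetical hosting/VPS ranges; documentation prefixes stand in for real ones.
VPS_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

def flag_shared_ip_logins(events, window=3600, min_accounts=2):
    """IP -> sorted accounts, for IPs used by >= min_accounts accounts within `window` secs."""
    per_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "success":
            per_ip[ip].append((ts, user))
    flagged = {}
    for ip, logins in per_ip.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def flag_vps_logins(events, ranges=VPS_RANGES):
    """(user, ip) for successful logins whose source address sits in a hosting range."""
    return [(user, ip) for _, user, ip, outcome in events
            if outcome == "success" and any(ipaddress.ip_address(ip) in n for n in ranges)]

def flag_failures_then_success(events, max_failures=2):
    """(user, ip) pairs that succeed after >= max_failures failures: a guessing pattern."""
    fails, hits = defaultdict(int), []
    for _, user, ip, outcome in sorted(events):
        if outcome == "failure":
            fails[(user, ip)] += 1
        elif fails[(user, ip)] >= max_failures:
            hits.append((user, ip))
    return hits
```

Feed real VPN login events into the same tuple shape and replace the placeholder range with your own list of hosting-provider prefixes.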
For more information, refer to the blog.