{"id":5206,"date":"2024-09-09T15:39:23","date_gmt":"2024-09-09T20:39:23","guid":{"rendered":"https:\/\/www.darkreading.com\/ics-ot-security\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce"},"modified":"2024-09-09T15:39:23","modified_gmt":"2024-09-09T20:39:23","slug":"akira-ransomware-actors-exploit-sonicwall-bug-for-rce","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce\/","title":{"rendered":"Akira Ransomware Actors Exploit SonicWall Bug for RCE"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt62d34ab0c25e6215\/66df504b5b7060e184dabc21\/sonicwall_Michael_Vi_shutterstock.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed \u2014 and patched \u2014 in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency 
(CISA) to <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/09\/09\/cisa-adds-three-known-exploited-vulnerabilities-catalog\" rel=\"noopener\">add the vulnerability<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, identified as <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-40766\" rel=\"noopener\">CVE-2024-40766<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is one of three that CISA added to the KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to remediate by Sept. 30.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Improper Access Control Bug\">Improper Access Control Bug<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company\u2019s Gen 5 and Gen 6 firewalls, as well as Gen 7 firewalls running SonicOS 7.0.1-5035 and older. 
It lets attackers gain unauthorized access to resources on affected devices and, under specific conditions, crash the firewall outright.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SonicWall <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/psirt.global.sonicwall.com\/vuln-detail\/SNWLID-2024-0015\" rel=\"noopener\">first disclosed the bug<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on Aug. 22 and assigned it a severity rating of 9.3 out of a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to add the SSLVPN feature, including locally managed SSLVPN accounts, to the affected scope of CVE-2024-40766. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to apply the company&#8217;s recommended mitigations immediately.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Arctic Wolf on Friday said it had <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts\/\" rel=\"noopener\">observed Akira ransomware affiliates<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. 
&#8220;In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,&#8221; Arctic Wolf said. &#8220;Additionally, MFA was disabled for all compromised accounts.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SonicWall wants customers of affected appliances to update to fixed SonicOS versions as soon as possible. The company also recommends that organizations restrict firewall management access to trusted sources and disable WAN-side management from the Internet. &#8220;Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet,&#8221; SonicWall advised.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SonicWall also &#8220;strongly&#8221; advises administrators of its Gen 5 and Gen 6 firewalls to ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. 
SonicWall also recommends that organizations enable multifactor authentication (MFA) for all SSLVPN users.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"SonicWall: A Popular Target\">SonicWall: A Popular Target<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SonicWall&#8217;s firewalls, like routers, VPN appliances, and other network security products, are an attractive attack target because of the elevated privileges threat actors gain on a target network by compromising one of these devices. Many network security products give an attacker who compromises them access to all traffic flowing in and out of a network, as well as to the valuable assets and data behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK&#8217;s <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/news\/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers\" rel=\"noopener\">National Cyber Security Centre<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target networks.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Earlier this year, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-038a\" rel=\"noopener\">CISA, for instance<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, identified China&#8217;s notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, Netgear, Cisco, and Citrix to obtain initial access. <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/state-sponsored-campaigns-target-global-network-infrastructure\/\" rel=\"noopener\">In a 2023 report<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/volt-typhoon-ramps-up-malicious-activity-critical-infrastructure\" rel=\"noopener\">by state-sponsored actors<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and intelligence agencies around the world. The company assessed that attackers favor network technologies such as routers and switches because of the deep visibility they provide into a victim network and because organizations often fail to keep the devices properly secured and patched.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Concerns over heightened government exposure to such attacks prompted CISA to <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/cisa-wants-exposed-government-devices-remediated-14-days\" rel=\"noopener\">issue a binding operational directive<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in June 2023 that requires FCEB agencies to take Internet-exposed management interfaces on network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies off the public Internet, or put them behind zero-trust access controls, within 14 days of discovery.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/ics-ot-security\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors, including Akira ransomware affiliates, have begun exploiting 
a<\/p>\n","protected":false},"author":12,"featured_media":5207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5206","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-
rce.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/akira-ransomware-actors-exploit-sonicwall-bug-for-rce.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5206"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5206\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5207"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
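The mitigations SonicWall lists in the article above (upgrade to a fixed SonicOS build, keep management and SSLVPN off the Internet or limited to trusted sources, rotate locally managed SSLVPN passwords, enable MFA) and the account profile Arctic Wolf reported (local accounts, MFA disabled) map directly onto a configuration audit. The following is an added example, not code from SonicWall, Arctic Wolf or Dark Reading. It runs over a hand-constructed config dict whose key names are assumptions standing in for an exported firewall configuration; only the Gen 7 threshold (7.0.1-5035 and older affected) comes from the article, and the Gen 5 and Gen 6 fixed builds in the table are assumed values that must be verified against SonicWall advisory SNWLID-2024-0015 before use.

```python
"""Audit a SonicWall config against the CVE-2024-40766 mitigations.

Added example; not vendor code. Config keys are assumptions, not SonicOS
export fields. Gen 5/6 fixed builds are assumed; confirm in SNWLID-2024-0015.
"""
import re
from datetime import date

# Lowest SonicOS build per generation treated as NOT affected.
FIXED_BUILD = {
    5: "5.9.2.14-13o",   # assumed; verify against the advisory
    6: "6.5.4.15-116n",  # assumed; verify against the advisory
    7: "7.0.1-5036",     # article: 7.0.1-5035 and older are affected
}
# Initial disclosure date from the article; a local SSLVPN password last set
# before this has not been rotated since the bug became public.
ADVISORY_DATE = date(2024, 8, 22)

# SonicOS versions look like "7.0.1-5035" or "6.5.4.15-116n":
# dotted release, a dash, a build number, an optional letter suffix.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)-(\d+)([a-z]?)")


def parse_sonicos_version(version):
    """'6.5.4.15-116n' -> ((6, 5, 4, 15), 116, 'n'); tuples compare in release order."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognized SonicOS version: {version!r}")
    dotted, build, suffix = m.groups()
    return tuple(int(p) for p in dotted.split(".")), int(build), suffix


def is_affected(version):
    """True when the build is older than the first fixed build of its generation."""
    parsed = parse_sonicos_version(version)
    gen = parsed[0][0]
    if gen not in FIXED_BUILD:
        raise ValueError(f"no fix threshold recorded for SonicOS generation {gen}")
    return parsed < parse_sonicos_version(FIXED_BUILD[gen])


def audit(config):
    """Return one finding dict per mitigation the config fails."""
    findings = []
    ver = config["sonicos_version"]
    if is_affected(ver):
        findings.append({"check": "unpatched", "detail": f"SonicOS {ver} is affected by CVE-2024-40766; upgrade"})

    # Management access: nothing enabled on the WAN zone without a source restriction.
    for rule in config["management_access"]:
        if rule["zone"] == "WAN" and rule["enabled"] and rule["source"] == "any":
            findings.append({"check": "wan_management",
                             "detail": f"{rule['service']} management open to any WAN address; restrict or disable"})

    # SSLVPN: either off, or limited to trusted source addresses.
    sslvpn = config["sslvpn"]
    if sslvpn["enabled"] and "WAN" in sslvpn["zones"] and sslvpn["client_source"] == "any":
        findings.append({"check": "sslvpn_exposed",
                         "detail": "SSLVPN accepts any Internet source; limit to trusted sources or disable"})

    # Local SSLVPN accounts: the profile Arctic Wolf saw compromised was local plus no MFA.
    for user in config["users"]:
        if "SSLVPN Services" not in user["groups"] or user["auth"] != "local":
            continue
        if not user["mfa"]:
            findings.append({"check": "mfa_disabled", "detail": f"local SSLVPN user {user['name']} has no MFA"})
        if date.fromisoformat(user["password_last_set"]) < ADVISORY_DATE:
            findings.append({"check": "stale_password",
                             "detail": f"local SSLVPN user {user['name']} has not rotated password since disclosure"})
    return findings


# Constructed sample: a weak configuration of the kind the article warns about.
SAMPLE_CONFIG = {
    "sonicos_version": "7.0.1-5030",
    "management_access": [
        {"service": "HTTPS", "zone": "WAN", "enabled": True, "source": "any"},
        {"service": "SSH", "zone": "WAN", "enabled": False, "source": "any"},
        {"service": "HTTPS", "zone": "LAN", "enabled": True, "source": "any"},
    ],
    "sslvpn": {"enabled": True, "zones": ["WAN"], "client_source": "any"},
    "users": [
        {"name": "vpn-contractor", "auth": "local", "groups": ["SSLVPN Services"], "mfa": False, "password_last_set": "2023-11-02"},
        {"name": "jsmith", "auth": "ldap", "groups": ["SSLVPN Services"], "mfa": True, "password_last_set": "2024-09-01"},
        {"name": "admin", "auth": "local", "groups": ["Administrators"], "mfa": False, "password_last_set": "2022-01-15"},
    ],
}

# Constructed sample: the same device after applying the mitigations (version string is illustrative).
HARDENED_CONFIG = {
    "sonicos_version": "7.1.1-7051",
    "management_access": [
        {"service": "HTTPS", "zone": "WAN", "enabled": False, "source": "any"},
        {"service": "HTTPS", "zone": "LAN", "enabled": True, "source": "any"},
    ],
    "sslvpn": {"enabled": True, "zones": ["WAN"], "client_source": "trusted-ranges"},
    "users": [
        {"name": "vpn-contractor", "auth": "local", "groups": ["SSLVPN Services"], "mfa": True, "password_last_set": "2024-09-07"},
        {"name": "jsmith", "auth": "ldap", "groups": ["SSLVPN Services"], "mfa": True, "password_last_set": "2024-09-01"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  {f['check']}: {f['detail']}")
```

The version comparison is the part worth getting right: SonicOS build strings mix a dotted release, a build number and a letter suffix, so a plain string comparison would rank 7.0.1-5035 above 7.0.1-10000. Comparing within a generation only also avoids treating a Gen 6 build as "newer" or "older" than a Gen 7 one.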