Sonicwall
, , ,

Ransomware gangs target SonicWall vulnerability

SonicWall is urging customers affected by CVE-2024-40766 to “please apply the patch as soon as possible.”

A vulnerability in SonicWall firewalls first reported in late August is now under active exploitation by ransomware gangs.

SonicWall is urging users to “please apply the patch as soon as possible.”

The USA’s Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 to its catalog of known exploited vulnerabilities, a signal that cybercriminals are actively exploiting the flaw. This follows reports that affiliates of the Akira ransomware gang have been using vulnerable SonicWall devices to gain initial access to targets’ networks.

CVE-2024-40766 is an improper access control vulnerability (CWE-284) with a CVSS v3 score of 9.3 that can lead to “unauthorized resource access,” or be used to crash a firewall. SonicWall’s advisory warns that the vulnerability affects version 5.9.2.14-12o and older of its Gen 5 devices, version 6.5.4.14-109n and older of its Gen 6 devices, and SonicOS build version 7.0.1-5035 and older of its Gen 7 devices.

In addition to patching, SonicWall is advising customers to reset the passwords on any locally-managed SSLVPN accounts on its Gen 5 and Gen 6 firewalls, and to enable multi-factor authentication (MFA) for all users.

Akira is an active and sophisticated ransomware group. Over the last 18 months, it has been the fifth most active ransomware gang globally, and has released information about 343 known victims. CISA estimates that as of January 1, 2024, the group had extorted $42 million in ransom payments.

Known ransomware attacks by group, April 2023 - August 2024

The vulnerability was first disclosed on August 22, 2024, and the advisory was updated just over two weeks later to indicate that it was already under active exploitation. The short time between the bug’s disclosure and its use in the wild is a stark illustration of just how quickly cybercriminals can reverse engineer a promising patch, create an exploit for it, and then use it.

The bug’s addition to CISA’s catalog means that Federal Civilian Executive Branch (FCEB) agencies now have until September 30 to remediate the vulnerability. By most standards, CISA’s timelines are brutally short, and it’s likely many organisations not bound by CISA’s directives will take longer to act, giving ransomware gangs plenty of time to make use of this new weapon.

To combat the threat of attacks like these, organisations need to ensure they have a plan in place for patching vulnerabilities quickly and efficiently, and have sufficient defence in depth to identify and stop an active attacker as quickly as possible.

ThreatDown’s Vulnerability Assessment and Patch Management solutions make it easy for you to find and fix software vulnerabilities on your endpoints, giving you more time to spend on things like potentially disruptive firewall updates. And our Managed Detection and Response (MDR) service provides round-the-clock monitoring, investigation, and remediation by expert analysts.

To learn more about dealing with Akira ransomware attacks and the work of our MDR analysts, read our guide to Akira ransomware and our anatomy of an Akira ransomware attack.