Akira Ransomware Exploits SonicWall Firewall RCE Vulnerability

The SonicOS improper access control vulnerability tracked as CVE-2024-40766 has been actively exploited since its disclosure. It affects SonicWall firewall appliances and, per SonicWall's advisory, can lead to unauthorized access to firewall resources and, under specific conditions, a crash of the firewall.

SonicWall has since widened the advisory's scope: the flaw affects both management access and local SSLVPN accounts, not management access alone, which raises the severity of the threat.

Akira ransomware affiliates used the flaw to compromise local SSLVPN accounts on SonicWall devices that had no MFA enabled, then used those accounts for initial access before deploying ransomware. The cases underline two controls: strong authentication on every VPN account and timely firmware updates.

Affected builds are SonicOS 5.9.2.14-12o and older on SOHO (Gen5) firewalls and 6.5.4.14-109n and older on Gen6 firewalls. Fixed builds are 5.9.2.14-13o for SOHO (Gen5), 6.5.2.8-2n for the SM9800, NSsp 12400 and NSsp 12800, and 6.5.4.15.116n for all other Gen6 appliances.

SonicWall Gen7 firewalls running SonicOS 7.0.1-5035 and older are affected by the same flaw, which permits unauthorized access to the firewall's management interface; SonicWall recommends updating to SonicOS 7.0.1-5072 or later.
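The fixed-build thresholds above are awkward to apply by eye because SonicOS build strings mix '.' and '-' separators, carry a trailing branch letter, and the three SM9800/NSsp models receive their fix on the older 6.5.2.x branch rather than 6.5.4.x. The following script is an added example written for this article, not SonicWall's or Arctic Wolf's code: it parses SonicOS build strings into comparable tuples and checks an inventory against the fixed builds published for CVE-2024-40766. The inventory and the model names in it are constructed for illustration; treat the "not covered" result as a prompt to read the advisory, not as a clean bill of health.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds for CVE-2024-40766 as published by SonicWall (the same values
# quoted in the article). Anything older than the fixed build for the
# device's branch is reported as unpatched; that is deliberately conservative.
FIXED_GEN5 = "5.9.2.14-13o"
FIXED_GEN6_DEFAULT = "6.5.4.15.116n"
FIXED_GEN6_LEGACY = "6.5.2.8-2n"   # SM9800, NSsp 12400, NSsp 12800 only
FIXED_GEN7 = "7.0.1-5072"

# Gen6 models that stay on the 6.5.2.x branch and get the 6.5.2.8-2n fix.
GEN6_LEGACY_MODELS = {"SM9800", "NSSP 12400", "NSSP 12800"}

# digits separated by '.' or '-', optional trailing branch letters ('n', 'o').
_VERSION_RE = re.compile(r"^(\d+(?:[.-]\d+)*)([a-z]*)$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a SonicOS build string such as '6.5.4.14-109n' into a comparable tuple.

    The separator ('.' or '-') varies between advisories and the letter suffix
    names the branch rather than the build order, so both are discarded and
    only the numeric fields are kept. Raises ValueError for unparseable input.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(int(field) for field in re.split(r"[.-]", match.group(1)))


def fixed_build_for(model: str, version: str) -> Optional[str]:
    """Return the fixed build that applies to this model/branch, or None if the
    advisory does not cover the SonicOS major version (Gen5, Gen6, Gen7 only)."""
    major = parse_version(version)[0]
    if major == 5:
        return FIXED_GEN5
    if major == 6:
        if model.strip().upper() in GEN6_LEGACY_MODELS:
            return FIXED_GEN6_LEGACY
        return FIXED_GEN6_DEFAULT
    if major == 7:
        return FIXED_GEN7
    return None


def status(model: str, version: str) -> str:
    """'unpatched', 'patched', or 'not covered' for one firewall."""
    fixed = fixed_build_for(model, version)
    if fixed is None:
        return "not covered"
    return "unpatched" if parse_version(version) < parse_version(fixed) else "patched"


def is_unpatched(model: str, version: str) -> bool:
    return status(model, version) == "unpatched"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Annotate every (model, version) pair in an inventory with its status."""
    return [(model, version, status(model, version)) for model, version in inventory]


# Constructed sample inventory (not real devices); build strings are chosen to
# sit on either side of each fixed build from the advisory.
INVENTORY = [
    ("SOHO", "5.9.2.14-12o"),        # Gen5, last affected build
    ("TZ 300", "6.5.4.14-109n"),     # Gen6, last affected build
    ("NSsp 12400", "6.5.2.8-1n"),    # Gen6 legacy branch, one behind the fix (hypothetical build)
    ("NSsp 12800", "6.5.2.8-2n"),    # Gen6 legacy branch, fixed
    ("NSa 2700", "7.0.1-5035"),      # Gen7, last affected build
    ("TZ 370", "7.0.1-5072"),        # Gen7, fixed
    ("TZ 470", "7.1.1-7051"),        # Gen7, newer branch than the fix
]

if __name__ == "__main__":
    for model, version, result in audit(INVENTORY):
        print(f"{model:<12} {version:<16} {result}")
```

Plain tuple comparison is enough once the separators are normalised: 6.5.4.14-109n sorts below 6.5.4.15.116n, and a 7.1.x build sorts above 7.0.1-5072. The one place a naive version compare goes wrong is the SM9800/NSsp trio, whose fixed build 6.5.2.8-2n is numerically older than the Gen6 affected range, which is why the model name is part of the lookup.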

SonicWall also recommends resetting the passwords of locally managed SSLVPN accounts on Gen5 and Gen6 devices. Administrators must enable the "User must change password" option on each account manually; this forces the user to set a new credential at the next login, so a password captured before the reset cannot be reused for access to the network.

Where the same password is used elsewhere, including Active Directory and other centralized authentication solutions, it must be changed there as well, so that a credential harvested from the firewall cannot be replayed against other systems in a follow-on attack such as ransomware deployment.

Local accounts are managed from the firewall's administrative interface. On a Gen5 firewall, navigate to "Users" and select "Local Users"; on a Gen6 firewall, navigate to the "Manage" menu, then "System Setup," "Users," and "Local Users & Groups." As Arctic Wolf notes, this is where local user accounts used for accessing the firewall's interface and performing administrative tasks are created and managed.

SonicWall further advises enabling multi-factor authentication (MFA) on every local SSLVPN account. With MFA, a stolen or guessed password alone is not enough to reach the VPN; the user must also present a second factor, such as a code generated by an authenticator app, which blocks the account-takeover path used in the Akira intrusions.

Finally, SonicWall advises reducing the exposure of both interfaces: restrict firewall management to trusted source addresses or disable WAN management entirely, and either limit SSLVPN access to trusted sources or disable it from the internet.

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
