Thousands of SonicWall Devices Still Vulnerable to CVE-2024-40766

An investigation revealed that ransomware groups Akira and Fog are actively exploiting the SonicWall NSA vulnerability (CVE-2024-40766), compromising over 100 companies as of December 23, 2024. 

Despite the disclosure, 48,933 devices remain susceptible to attack, leaving the organizations that run them exposed to significant and ongoing risk.

Organizations targeted by the Akira and Fog ransomware groups showed a significantly higher SonicWall NSA device ownership rate (approximately 46%) than the average rate (less than 5%) observed among victims of other ransomware groups.

Between September and December, ransomware attacks involving SonicWall devices continued, with more than fifty percent of the attacks observed during this period possibly linked to the vendor's devices.

The actual number of organizations that have been compromised is probably higher than what has been disclosed publicly because not all of the affected businesses have been identified, and some victims may continue to go unidentified.

The 50% detection rate for SonicWall exploits may be attributed to challenges in device attribution, attacker diversification of intrusion vectors, and variations in tactics among individual operators within threat actor groups.

Security vendors suspect that the Akira and Fog threat actors exploited the SonicWall NSA vulnerability, likely to steal credentials. This suspicion stems from SonicWall's recommendation to reset credentials and implement MFA; however, the lack of a public PoC or detailed impact assessment hinders definitive attribution.

SNMP data

Researchers observed a high concentration of SonicWall devices in organizations targeted by Akira and Fog, suggesting these threat actors actively exploit SonicWall vulnerabilities. While BlackBasta also previously leveraged SonicWall weaknesses, recent activity from this group appears to have diminished.

The patch status of devices for CVE-2024-40766 was evaluated using a proprietary method that examines the HTML served by each device.

The method’s accuracy was verified by comparing its output against SNMP data collected from approximately 5,000 NSA devices with exposed SNMP, confirming its effectiveness in assessing mitigation efforts for this vulnerability.

Despite the severity of the SonicWall NSA vulnerability, a significant number of devices (48,933) remain unpatched, leaving organizations open to potential attacks.

Vulnerability remediation efforts, particularly in some Asian countries, are lagging, and patch adoption rates have significantly decreased a month after the initial release, indicating a common trend in cybersecurity incident response.

Although exploitation of CVE-2024-40766 has not been definitively confirmed, it is highly likely that Akira and Fog are using it to compromise SonicWall devices.

According to the Macnica Security Research Center, 13% of global servers remain unpatched and therefore vulnerable, and the increasing victim count suggests that successful exploitation and continued attacks are probable.

Kaaviya (https://cyberpress.org/)

Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
