The SonicWall CVE-2024-40766 vulnerability, impacting SSLVPN and management access, has been actively exploited in the wild by the Akira ransomware group, prompting urgent patching and stronger security measures. The article highlights affected SonicWall generations, patch timelines, and recommended mitigations to minimize exposure. #AkiraRansomware #CVE-2024-40766
Key Points
- CVE-2024-40766 is a critical access control vulnerability with a CVSS score of 9.3.
- Affects management access and the SSLVPN feature of SonicWall firewalls.
- Active exploitation reported, particularly by the Akira ransomware group.
- Over 3.5 million SonicWall Firewall instances are exposed to the internet.
- CISA added CVE-2024-40766 to its KEV (Known Exploited Vulnerabilities) Catalog.
- Organizations are urged to apply patches by September 30, 2024, and to follow the remediation steps.
- Recommendations include updating SonicOS firmware, enabling MFA, restricting management and SSLVPN access to trusted sources, and monitoring for suspicious activity.
MITRE Techniques
- [T1078] Valid Accounts – Initial Access via SSLVPN/local accounts; “attackers targeted local accounts, which were not linked to centralized authentication solutions like Microsoft Active Directory. They took advantage of the fact that Multi-Factor Authentication (MFA) was disabled for these accounts.”
- [T1203] Exploitation for Client Execution – Exploitation of the CVE-2024-40766 vulnerability to gain access; “attackers have actively exploited this vulnerability as an initial access vector, compromising SSLVPN user accounts on SonicWall devices.”
- [T1068] Exploitation of Vulnerability – Privilege escalation following vulnerability exploitation; “The attackers specifically targeted local accounts…”
- [T1486] Data Encrypted for Impact – Ransomware activity with encryption as part of the attack chain; “double extortion strategy, exfiltrating data before encrypting devices within the targeted network.”
Indicators of Compromise
- [CVE] CVE-2024-40766 – vulnerability indicator referenced throughout the article to denote the flaw being exploited.
- [URL] https://socradar.io/akira-ransomware-targets-sonicwall-vulnerability-cve-2024-40766-immediate-patching-required/ – source URL referenced for the vulnerability intel and context.