Akira Ransomware Attacks Fuel Uptick in Exploitation of SonicWall Flaw

The Akira ransomware group is likely exploiting a combination of three attack vectors to gain unauthorized access to vulnerable appliances. The post Akira Ransomware Attacks Fuel Uptick in Exploitation of SonicWall Flaw appeared first on SecurityWeek.

SonicWall vulnerability

The Akira ransomware group has been exploiting a year-old vulnerability in SonicWall firewalls in a fresh round of attacks, potentially combining three attack vectors for initial access, Rapid7 warns.

The targeted flaw, tracked as CVE-2024-40766 (CVSS score of 9.3), is described as an improper access control issue that could allow attackers to access restricted resources and crash the firewall in certain conditions.

Exploitation of the bug was observed shortly after SonicWall published its advisory in August 2024. The company updated the initial information to provide additional mitigation recommendations.

“SonicWall strongly recommends that all users of Gen5 and Gen6 firewalls with locally managed SSLVPN accounts immediately update their passwords to enhance security and prevent unauthorized access. Administrators must enable the ‘User must change password’ option for each local account,” the company said.

Last month, security researchers warned of a potential zero-day exploitation after a fresh wave of attacks hit SonicWall appliances, but the vendor linked the intrusions to CVE-2024-40766.

Now, Rapid7 says it has observed a surge in the exploitation of vulnerable SonicWall firewalls, fueled by the August attack campaign, which was attributed to the Akira ransomware group.

According to the cybersecurity firm, however, the year-old vulnerability might be only one of the attack vectors employed by Akira as part of this campaign.

The SSLVPN Default Users Group misconfiguration, a security risk that can grant SSLVPN access to users who should not have it, could also have been exploited.

Additionally, the attackers might have been accessing the Virtual Office Portal on SonicWall appliances, which may be configured for public access.

“Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” the cybersecurity firm notes.

Active since at least 2023, the Akira ransomware gang targets edge devices for initial access, escalates privileges, steals sensitive files and data, erases backups, and deploys file-encrypting ransomware at the hypervisor level.

Organizations are advised to apply the patches released by SonicWall as soon as possible, to apply all the mitigations recommended by the vendor, rotate the passwords for all SonicWall accounts, ensure MFA is enabled for SSLVPN services, mitigate the SSLVPN Default Groups security risk, and restrict access to the Virtual Office Portal.
