Current Cyber Threats

Akira Ransomware Group Utilizing SonicWall Devices for Initial Access

Summary:
Back in August 2024, SonicWall issued a security advisory for an improper access control vulnerability affecting Gen5, Gen6, and Gen7 firewall appliances. Tracked as CVE-2024-40766, the flaw can be exploited to gain unauthorized access to the affected SonicWall appliance under certain conditions. Although SonicWall has patched the flaw, researchers at Rapid7 have observed a recent campaign exploiting it in cases where the remediation steps were not successfully implemented.

In addition to CVE-2024-40766, SonicWall has shared further guidance on an SSLVPN Default Users Group security risk, in which the Default LDAP group configuration can over-provision access to SonicWall's SSLVPN services. As a result, unauthorized users could be granted SSLVPN access regardless of how Active Directory is configured.

Another security risk was also highlighted by Rapid7, this time involving the Virtual Office Portal hosted by SonicWall appliances. “The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users. The Virtual Office Portal in certain default configurations allows public access to the portal, which can allow threat actors to configure MFA/TOTP with valid accounts if there is a prior username and password credential exposure,” notes Rapid7 in its blog post.

Security Officer Comments:
According to Rapid7, Akira ransomware operators are potentially employing all three security risks mentioned above to gain unauthorized access and conduct ransomware operations. CVE-2024-40766 acts as the initial access vector; by then taking advantage of the SSLVPN Default Users Group misconfiguration and the publicly accessible Virtual Office Portal, actors could bypass the access controls in place and maintain persistence even after the vulnerability is patched.

Suggested Corrections:
If your organization’s network infrastructure includes SonicWall devices, Rapid7 recommends the following:
  • Rotate passwords on all SonicWall local accounts and remove any unused or inactive SonicWall local accounts. Please reference SonicWall’s official security advisory guidance.
  • Ensure Multi-factor Authentication (MFA/TOTP) policies are configured for SonicWall SSLVPN services. Please reference SonicWall’s official security guidance.
  • Ensure successful mitigation of the SSLVPN Default Users Group security risk. Please reference SonicWall’s official security guidance.
  • Ensure the Virtual Office Portal is restricted to LAN/internal access or trusted network access only. Please reference SonicWall’s official security guidance.
    • Monitor access to the Virtual Office Portal (access is on port 4433).
  • Ensure all SonicWall appliances are running on the latest patch. Please reference SonicWall’s vulnerability list.
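The monitoring item above (watching access to the Virtual Office Portal on port 4433) is the kind of check that can be scripted against firewall connection logs. The following is an added example, not code from Rapid7 or SonicWall: it reads a constructed, simplified key=value log format (not SonicWall's real log schema), assumes that RFC 1918 ranges are the organization's trusted internal networks, and flags any connection to TCP 4433 that did not originate from those ranges, so that a portal exposed to the internet shows up in review even when the firewall allowed the session.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample records in a hypothetical, simplified key=value format.
# This is NOT SonicWall's actual log schema; adapt LINE_RE to the real one.
SAMPLE_LOGS = [
    'time="2024-09-01 10:01:02" src=10.1.5.23:51244 dst=10.1.1.1:4433 action=allow',
    'time="2024-09-01 10:01:07" src=203.0.113.45:40112 dst=198.51.100.10:4433 action=allow',
    'time="2024-09-01 10:02:11" src=192.168.4.9:51000 dst=10.1.1.1:443 action=allow',
    'time="2024-09-01 10:03:30" src=198.51.100.77:33001 dst=198.51.100.10:4433 action=deny',
    'malformed line with no connection fields',
]

# Port named in the page's guidance for the Virtual Office Portal.
VIRTUAL_OFFICE_PORT = 4433

# Assumption: these RFC 1918 ranges are the only trusted (LAN/internal) sources.
TRUSTED_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"action=(?P<action>\w+)"
)


def is_trusted(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract connection fields from one log line; None if the line does not match."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def find_external_portal_access(
    lines: List[str], port: int = VIRTUAL_OFFICE_PORT
) -> List[Dict[str, str]]:
    """Return every connection to `port` whose source is outside the trusted ranges.

    Both allowed and denied sessions are returned: an allowed session from an
    untrusted source means the portal is reachable from outside, while a burst
    of denied ones still shows the portal is being probed.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not carry connection fields
        if int(rec["dport"]) != port:
            continue  # not the Virtual Office Portal port
        if is_trusted(rec["src"]):
            continue  # internal access is expected by the guidance above
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_external_portal_access(SAMPLE_LOGS):
        print(f"external access to portal: src={hit['src']} dst={hit['dst']} action={hit['action']}")
```

Any hit with `action=allow` indicates the portal is not restricted to LAN or trusted network access as the guidance requires; denied hits from the same external sources are still worth keeping as evidence of scanning when reviewing the appliance.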
Link(s):
https://www.rapid7.com/blog/post/dr...ilizing-sonicwall-devices-for-initial-access/