Akira Ransomware Exploits Unpatched SonicWall SSLVPN Vulnerability

Akira ransomware is exploiting CVE-2024-40766 in SonicWall SSLVPN devices again, targeting unpatched endpoints. ACSC and Rapid7 warn enterprises to patch, rotate passwords, and enforce MFA immediately.

    The Akira ransomware gang is back in action, targeting enterprises by exploiting CVE-2024-40766, a critical improper access control flaw in SonicWall SSLVPN devices first disclosed a year ago. Although SonicWall issued a patch in August 2024, attackers continue to succeed against organizations that have not fully remediated the issue.

    How CVE-2024-40766 Enables Unauthorized Network Access

    CVE-2024-40766 allows attackers to gain unauthorized access to firewall resources and, in some cases, to crash the firewall. SonicWall warned in 2024 that applying the patch alone was not enough: credentials may already have been exposed from devices compromised before they were updated, so enterprises were instructed to reset the passwords of all locally managed SSLVPN accounts immediately after patching.

    Without this password rotation step, threat actors holding previously stolen credentials can log in as legitimate users and then enrol their own multi-factor authentication (MFA) or time-based one-time password (TOTP) secret on the account, giving them persistent access that looks legitimate to the victim's monitoring.

    Akira ransomware operators were among the first to take advantage of this flaw, launching campaigns against vulnerable devices starting in September 2024.

    Security Agencies Report Fresh Exploitation Campaigns

    The Australian Cyber Security Centre (ACSC) issued an urgent advisory warning that the vulnerability is once again being actively exploited.

    “ASD’s ACSC is aware of a recent increase in active exploitation in Australia of a 2024 critical vulnerability in SonicWall SSL VPNs (CVE-2024-40766),” the alert stated.

    “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs.”

    Cybersecurity company Rapid7 also observed a resurgence in attacks and linked the activity to incomplete patching or misconfiguration. The firm highlighted common intrusion techniques, including abuse of the broad access permissions granted to the SSLVPN Default Users Group and the default public-access setting of the Virtual Office Portal on SonicWall devices.

    Industry Confusion Over Zero-Day Reports

    The spike in attacks initially led to speculation that Akira was leveraging a new, unknown vulnerability. SonicWall moved quickly to clarify the situation, stating in a new advisory that it had “high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability” and that its investigation showed “significant correlation with threat activity related to CVE-2024-40766.”

    SonicWall also disclosed that it had investigated up to 40 security incidents related to this exploitation activity last month.

    Versions Impacted by CVE-2024-40766

    The vulnerability affects several generations of SonicWall devices, including:

    • Gen 5: SOHO devices running version 5.9.2.14-12o and older
    • Gen 6: TZ, NSA, and SM (SuperMassive) models running versions 6.5.4.14-109n and older
    • Gen 7: TZ and NSA models running SonicOS build version 7.0.1-5035 and older
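As an added example (not SonicWall's tooling or code from this article), the checker below parses SonicOS version strings and flags any device whose firmware is at or below the affected ceilings listed above, so an inventory export can be triaged for patching and SSLVPN credential rotation. The sample inventory and its hostnames are constructed, and the ordering rules for build numbers, letter suffixes and the trailing "-R" tag are this example's assumptions about how SonicOS version strings compare:

```python
"""Classify SonicOS firmware versions against the CVE-2024-40766 affected ranges.

Added example, not SonicWall's own tooling. The "... and older" ceilings are the
ones in the article's version list; the sample inventory is constructed, and the
comparison rules below are this example's assumptions about SonicOS versioning.
"""
import re
from dataclasses import dataclass

# Affected ceilings from the article, keyed by SonicOS major version, which
# identifies the hardware generation. Anything at or below a ceiling is affected.
AFFECTED_CEILING = {
    5: ("Gen 5", "5.9.2.14-12o"),
    6: ("Gen 6", "6.5.4.14-109n"),
    7: ("Gen 7", "7.0.1-5035"),
}

# Release part, optional "-<build><letter>", optional trailing "-R<n>" tag.
# Assumption: the "-R<n>" tag that appears on some SonicOS firmware strings
# does not affect ordering, so it is matched and discarded.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)([a-z])?)?(?:-r\d+)?$")


@dataclass(frozen=True)
class SonicOSVersion:
    release: tuple  # e.g. (6, 5, 4, 14)
    build: int      # e.g. 109; 0 when the string carries no build number
    suffix: str     # e.g. "n"; "" when absent

    @classmethod
    def parse(cls, text):
        m = _VERSION_RE.match(text.strip().lower())
        if not m:
            raise ValueError(f"unrecognised SonicOS version string: {text!r}")
        release = tuple(int(p) for p in m.group(1).split("."))
        return cls(release, int(m.group(2) or 0), m.group(3) or "")

    @property
    def major(self):
        return self.release[0]

    def key(self):
        # Ordering assumption: numeric release tuple first, then build number,
        # then build letter. A missing build sorts before any real build, so an
        # incomplete string such as "7.0.1" is treated as affected rather than
        # silently passed.
        return (self.release, self.build, self.suffix)


def assess(version_text):
    """Return (generation, verdict) for one SonicOS version string."""
    v = SonicOSVersion.parse(version_text)
    if v.major not in AFFECTED_CEILING:
        return ("unknown", "major version not in the listed generations")
    gen, ceiling_text = AFFECTED_CEILING[v.major]
    ceiling = SonicOSVersion.parse(ceiling_text)
    if v.key() <= ceiling.key():
        return (gen, f"AFFECTED: at or below {ceiling_text}")
    return (gen, f"above affected ceiling {ceiling_text}")


def is_affected(version_text):
    return assess(version_text)[1].startswith("AFFECTED")


def scan_inventory(inventory):
    """inventory: iterable of (device_name, version_text); returns affected names."""
    return [name for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hostnames and the 7.3.0 build number are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "6.5.4.14-109n"),   # exactly at the Gen 6 ceiling
    ("fw-branch-02", "6.5.4.15-116n"),   # later Gen 6 release
    ("fw-hq-01", "7.0.1-5035-R2291"),    # Gen 7 ceiling with a trailing -R tag
    ("fw-hq-02", "7.0.1-5072"),          # later build of the same release
    ("fw-dc-01", "7.3.0-7012"),          # the 7.3.0 line the article recommends
    ("fw-legacy-01", "5.9.2.14-12o"),    # Gen 5 ceiling
    ("fw-legacy-02", "5.9.2.14-13o"),    # next Gen 5 build
]

if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY:
        gen, verdict = assess(ver)
        print(f"{name:14} {ver:18} {gen:8} {verdict}")
    print("Needs patch + SSLVPN credential rotation:",
          ", ".join(scan_inventory(SAMPLE_INVENTORY)))
```

The version comparison is deliberately conservative: a string with no build number sorts below every real build of the same release and is flagged, because the only safe reading of an incomplete version is "not proven patched". Devices the scan flags need both the firmware update and the local SSLVPN password reset described above, since the patch alone does not invalidate credentials taken from a device before it was updated.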

    SonicWall Recommendations for Mitigation

    SonicWall is urging administrators to take immediate action to secure their environments. Recommended steps include:

    • Updating Gen 7 firmware to SonicOS 7.3.0 or later; older generations must run a build above the affected versions listed above
    • Rotating all passwords for locally managed SSLVPN accounts
    • Enforcing multi-factor authentication (MFA) for all accounts
    • Restricting Virtual Office Portal access to trusted or internal networks
    • Reviewing and mitigating the risks associated with SSLVPN Default Groups

    Together these measures ensure that attackers cannot reuse credentials taken before patching, and cannot rely on overly permissive default groups or a publicly reachable portal to gain a foothold in enterprise environments.
