{"id":14777,"date":"2025-09-12T01:38:00","date_gmt":"2025-09-12T01:38:00","guid":{"rendered":"https:\/\/newestek.com\/?p=14777"},"modified":"2025-09-12T01:38:00","modified_gmt":"2025-09-12T01:38:00","slug":"ransomware-gang-going-after-improperly-patched-sonicwall-firewalls","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14777","title":{"rendered":"Ransomware gang going after improperly patched SonicWall firewalls"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Vulnerable SonicWall firewalls that should have been patched a year ago for an access control vulnerability are being hacked by a\u00a0ransomware\u00a0gang, Australia\u2019s cybersecurity authorities warned this week.<\/p>\n<p>The Australian Cyber Security Centre is <a href=\"https:\/\/www.cyber.gov.au\/about-us\/view-all-content\/alerts-and-advisories\/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia\" target=\"_blank\" rel=\"noreferrer noopener\">seeing an increase in active exploitation<\/a> in that country of a 2024 critical vulnerability in SonicWall firewalls with SSL VPN enabled. \u201cWe are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,\u201d the warning said.<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-40766\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-40766<\/a>, patched just over a year ago, is an improper access control vulnerability in SonicWall SonicOS management system access. It can lead to unauthorized resource access and, in specific conditions, crashing of the firewall. 
This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.\u00a0<\/p>\n<p>\u201cOrganizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware,\u201d the Australian alert stressed.<\/p>\n<p>Researchers at Rapid7 also <a href=\"https:\/\/www.rapid7.com\/blog\/post\/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">issued a report<\/a> this week saying its incident response team \u201chas observed an uptick in intrusions involving SonicWall appliances.\u201d\u00a0<\/p>\n<p>\u201cWe now have high confidence that the recent SSLVPN activity is\u00a0not\u00a0connected to a zero-day vulnerability,\u201d it added. \u201cInstead, there is a significant correlation with threat activity related to CVE-2024-40766.\u201d<\/p>\n<p>These alerts follow <a href=\"https:\/\/www.sonicwall.com\/support\/notices\/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity\/250804095336430\" target=\"_blank\" rel=\"noreferrer noopener\">an August notice from SonicWall<\/a> that it was investigating \u201cless than 40 incidents related to Gen 7 and newer firewalls with SSLVPN enabled.\u201d<\/p>\n<p>\u201cMany of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset,\u201d SonicWall said. 
\u201cResetting passwords was a critical step outlined in the\u00a0<a href=\"https:\/\/psirt.global.sonicwall.com\/vuln-detail\/SNWLID-2024-0015\" target=\"_blank\" rel=\"noreferrer noopener\">original advisory<\/a>.\u201d<\/p>\n<p>This isn\u2019t just an attack on Australia, <a href=\"https:\/\/www.linkedin.com\/in\/allan2\/\" target=\"_blank\" rel=\"noreferrer noopener\">Allan Liska<\/a>, a member of the field security response team at cybersecurity provider Recorded Future, said in an interview.<\/p>\n<p>\u201cThe first reporting we\u2019ve seen of Akira exploiting this SSL VPN goes back to at least January and maybe a little bit earlier\u201d in the US and the UK, he said.<\/p>\n<p>An affiliate of the Akira ransomware-as-a-service gang is behind it, he added.<\/p>\n<p>Unfortunately, Liska said, SonicWall devices tend to be hosted by smaller organizations where there may not be a dedicated IT or security team overseeing patching. \u201cOne of the reasons why ransomware actors have had so much success against VPNs is they tend to be unpatched much longer than other systems.\u201d<\/p>\n<p>In this case, not only does the patch have to be installed, but the admin user password also has to be changed immediately after, he said.<\/p>\n<p><a href=\"https:\/\/www.veeam.com\/blog\/akira-ransomware.html\" target=\"_blank\" rel=\"noreferrer noopener\">According to researchers at Veeam<\/a>, \u201c[Akira ransomware] has cemented its reputation as one of the most relentless and disruptive cyber threats affecting organizations today. Akira has held the number one spot for six straight quarters in Coveware by Veeam\u2019s case data, and in 2024, it was responsible for 14% of all ransomware incidents.\u201d Typically, the report added, gang members gain entry to an IT network, using stolen credentials, through exposed remote access services like VPNs and Windows RDP. 
After that, they copy data for use in extortion, and then go after VMware ESXi servers to encrypt data.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/robertbeggs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Robert Beggs<\/a>, who heads the Canadian incident response firm Digital Defence, believes the Akira ransomware gang has developed an automated system for detecting and exploiting unpatched SonicWall firewalls.<\/p>\n<p>\u201cIt is not unusual for an attacker to wait for the dust to settle before targeting a reported vulnerability,\u201d he added. \u201cCompanies that fail to patch a known vulnerability in an edge security product such as SonicWall VPN generally have poor cyber security overall, and will make a good target.\u201d<\/p>\n<p>Recorded Future\u2019s Liska advised CISOs and IT leaders with SonicWall firewalls in their IT environments to make sure the devices are fully patched and the latest version of SonicOS is running, and to rotate the admin password. <a href=\"https:\/\/www.cyber.gc.ca\/en\/alerts-advisories\/potential-ssl-vpn-zero-day-vulnerability-impacting-gen-7-sonicwall-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\">The Canadian Centre for Cyber Security added<\/a> that changing admin passwords is\u00a0especially important if they were carried over during migration from Gen 6 to Gen 7. 
Customers should also consider limiting the number of people who have VPN access.<\/p>\n<p>To lower the odds of being victimized by ransomware, Liska, who is also a member of the Institute for Security and Technology (IST) Ransomware Task Force, said organizations should:<\/p>\n<ul class=\"wp-block-list\">\n<li>patch all internet-exposed systems as soon as fixes are released;<\/li>\n<li>enable phishing-resistant multi-factor authentication for all users;<\/li>\n<li>monitor the internet for leaked credentials;<\/li>\n<li>run a regular phishing security awareness campaign for employees.<\/li>\n<\/ul>\n<p>CISOs can also refer to the IST\u2019s <a href=\"https:\/\/securityandtechnology.org\/virtual-library\/report\/blueprint-for-ransomware-defense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Blueprint for Ransomware Defense<\/a> for more tips.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerable SonicWall firewalls that should have been patched a year ago for an access control vulnerability are being hacked by a\u00a0ransomware\u00a0gang, Australia\u2019s cybersecurity authorities warned this week. The Australian Cyber Security Centre is seeing an increase in active exploitation in that country of a 2024 critical vulnerability in SonicWall firewalls with SSL VPN enabled. 
\u201cWe are aware of the Akira ransomware targeting vulnerable Australian organizations&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14777\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14777","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14777"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14777\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}