skip navigation
skip mega-menu

Security Bulletin: Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts

On August 22, 2024, a remote code execution vulnerability (CVE-2024-40766) was disclosed in SonicOS, affecting a selection of SonicWall firewall devices. At the time of disclosure, active exploitation was not known and no proof-of-concept exploit was publicly available. As of September 6, 2024, however, the security advisory has been updated with additional details, indicating that the vulnerability is potentially being actively exploited. Additionally, the advisory expanded the scope of the vulnerability to include both management access and local SSLVPN accounts.

In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices. In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.

Arctic Wolf strongly recommends that organizations running affected SonicWall products upgrade to the latest supported SonicOS firmware versions as soon as possible. Additionally, as recommended by SonicWall, MFA should be enabled for all locally-managed SSLVPN accounts.


Arctic Wolf strongly recommends upgrading SonicOS to the latest supported version on affected SonicWall devices. 

Apply the patch as soon as possible for impacted products, latest patch builds are available for download on mysonicwall.com

Devices

Affected Versions

Fixed Versions

SOHO (Gen 5) Firewalls

SonicOS 5.9.2.14-12o and older versions

5.9.2.14-13o

Gen6 Firewalls -SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, 

NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, 

SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W

SonicOS 6.5.4.14-109n and older versions

6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) 

6.5.4.15.116n (for other Gen6 Firewall appliances)

Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, 

TZ570P, TZ670, NSa 2700, NSa 3700,NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700

SonicOS build version 7.0.1-5035 and older versions. 

Note: This vulnerability is not reproducible in SonicOS firmware versions higher than 7.0.1-5035, however SonicWall recommends you install the latest firmware.

7.0.1-5072

Reset all SSLVPN account passwords for locally-managed accounts
In accordance with SonicWall’s advisory, Arctic Wolf recommends that all users of Gen5 and Gen6 devices update their passwords to prevent unauthorized access. Administrators must manually enable the "User must change password" option for each account so that users can reset their passwords. 

Additionally, if the same passwords are used in Active Directory or another centralized authentication solution, please ensure that users also update their passwords in those locations to avoid future exploitation of those accounts in future attacks (such as ransomware). 

For GEN5 Firewalls

Navigate to Users > Local Users. For more details, please refer to pages 1340 and 1341 of the SonicOS 5.9 Administrators Guide, titled "Managing Users and Authentication Settings." 

Details: SonicOS 5.9 Administrators Guide

For GEN6 Firewalls

Navigate to MANAGE | System Setup > Users > Local Users & Groups. For more details, please refer to pages 227 and 228 of the SonicOS 6.5 System Setup Administration Guide, titled "Configuring Local Users Settings." 

Details: SonicOS 6.5 System Setup Administration Guide
Enable MFA for all local SSLVPN accounts 
SonicWall recommends that MFA is enabled for all locally-managed SSLVPN accounts. 

For more details on how to implement this type of configuration, see the following article: http://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169

Subscribe to our newsletter

Sign up here