Over a year after SonicWall patched CVE-2024-40766, a critical flaw in its next-gen firewalls, ransomware attackers are still gaining a foothold in organizations by exploiting it.
Like last September and earlier this year, the attackers are affiliates of the Akira ransomware-as-a-service outfit.
The July 2025 surge in attacks was, according to SonicWall, facilitated by the fact that organizations had migrated from Gen 6 to Gen 7 firewalls but had not reset local user passwords afterwards (as the firewall maker advised).
This time around, Akira affiliates are also leveraging other firewall-related “tricks”.
“Since [early August 2025], the Rapid7 Incident Response team has observed an uptick in intrusions involving SonicWall appliances,” Rapid7 shared on Wednesday, adding that the evidence it collected suggests the Akira group might be using a combination of three separate security risks to gain unauthorized access and conduct ransomware operations.
The first one is CVE-2024-40766, still unpatched on some systems.
The second one stems from a misconfiguration in the device’s SSLVPN Default Users Group setting.
“This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions,” SonicWall explains.
“This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”
The third one is the Virtual Office Portal hosted by SonicWall appliances, which the attackers have been accessing and using to configure MFA/TOTP on previously compromised user accounts.
What to do?
The Australian Cyber Security Centre has also warned about a recent uptick in Akira attacks against vulnerable Australian organizations via CVE-2024-40766.
According to Rapid7’s responders, the group’s affiliates continued with their tried-and-true modus operandi: they gain initial access via the SSLVPN component, escalate privileges to an elevated account or service account, find and exfiltrate sensitive files from network shares or file servers, delete and/or stop backups, and finally deploy the ransomware at the hypervisor level.
Organizations using SonicWall firewalls should rotate the passwords on all SonicWall local accounts, remove any local accounts that are unused, and configure MFA/TOTP policies for SonicWall SSLVPN services, Rapid7 advises.
They should also:
- Set the Default LDAP User Group to “None”
- Make sure that the Virtual Office Portal is only accessible from trusted (local) networks and monitor access to it
- Ensure all SonicWall appliances are running on the latest patch
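The following is an added example, not code from SonicWall, Rapid7 or the original article. It does two things: the `sslvpn_access_granted` function models the Default Users Group behaviour SonicWall describes above (every authenticated LDAP user inherits the default group, so a single compromised AD account gains SSLVPN rights), and the `audit` function checks a configuration against the hardening points listed here. The configuration structure, its field names, the 90-day "unused account" threshold and the sample values are all constructed assumptions and do not reflect SonicWall's real export format; the "latest firmware" value is supplied by the caller rather than hard-coded, since the article does not state a minimum fixed version.

```python
"""Model of the SSLVPN Default Users Group risk and an audit of the hardening list.

Constructed example. Field names and the config layout are assumptions, not
SonicWall's actual configuration schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Iterable


@dataclass
class LocalUser:
    name: str
    totp_enabled: bool
    last_login_days: Optional[int]   # None means the account has never logged in


@dataclass
class FirewallConfig:
    firmware: str                              # e.g. "7.3.0" (assumed format)
    default_ldap_user_group: Optional[str]     # None corresponds to "None" in the UI
    virtual_office_wan_exposed: bool           # portal reachable from untrusted networks?
    passwords_rotated_since_migration: bool    # local passwords reset after Gen 6 -> Gen 7
    local_users: List[LocalUser] = field(default_factory=list)


UNUSED_AFTER_DAYS = 90   # assumed threshold for "unused" local accounts


def version_tuple(v: str):
    """Compare dotted versions numerically; a trailing '-build' suffix is ignored (assumption)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def sslvpn_access_granted(user_ad_groups: Iterable[str],
                          default_group: Optional[str],
                          vpn_groups: Iterable[str]) -> bool:
    """Effective groups = the user's real AD groups plus the default group, if one is set.

    With a default group that carries SSLVPN rights, any authenticated LDAP user
    is granted VPN access regardless of AD membership; with the default set to
    None, only genuine AD group membership counts.
    """
    effective = set(user_ad_groups)
    if default_group is not None:
        effective.add(default_group)
    return bool(effective & set(vpn_groups))


def audit(cfg: FirewallConfig, latest_firmware: str) -> List[str]:
    """Return one finding per hardening point from the article that is not met."""
    findings = []
    if not cfg.passwords_rotated_since_migration:
        findings.append("local account passwords not rotated after Gen 6 -> Gen 7 migration")
    if cfg.default_ldap_user_group is not None:
        findings.append(
            f"Default LDAP User Group is '{cfg.default_ldap_user_group}'; set it to None")
    if cfg.virtual_office_wan_exposed:
        findings.append("Virtual Office Portal reachable from untrusted networks; restrict and monitor it")
    if version_tuple(cfg.firmware) < version_tuple(latest_firmware):
        findings.append(f"firmware {cfg.firmware} is older than {latest_firmware}")
    for u in cfg.local_users:
        if not u.totp_enabled:
            findings.append(f"local user '{u.name}' has no TOTP/MFA configured")
        if u.last_login_days is None or u.last_login_days > UNUSED_AFTER_DAYS:
            findings.append(f"local user '{u.name}' appears unused; remove it")
    return findings


# Constructed sample configurations: one weak, one hardened.
WEAK = FirewallConfig(
    firmware="7.0.1",
    default_ldap_user_group="SSLVPN Services",
    virtual_office_wan_exposed=True,
    passwords_rotated_since_migration=False,
    local_users=[LocalUser("admin", False, 2), LocalUser("svc-legacy", False, None)],
)
HARDENED = FirewallConfig(
    firmware="7.3.0",
    default_ldap_user_group=None,
    virtual_office_wan_exposed=False,
    passwords_rotated_since_migration=True,
    local_users=[LocalUser("admin", True, 2)],
)

if __name__ == "__main__":
    # A user who is only in "Domain Users" still gets VPN access under the weak default.
    print(sslvpn_access_granted(["Domain Users"], "SSLVPN Services", ["SSLVPN Services"]))
    print(sslvpn_access_granted(["Domain Users"], None, ["SSLVPN Services"]))
    for line in audit(WEAK, "7.3.0"):
        print("FINDING:", line)
    print("hardened findings:", audit(HARDENED, "7.3.0"))
```

The access model is the point to internalize: once a default group with SSLVPN rights is set, the group check is satisfied for every LDAP user, so the firewall's AD-based authorization degrades to "any valid credential". The audit simply makes the remaining checklist items machine-checkable against whatever configuration export your own tooling produces.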
As noted by SonicWall last month, the recently released SonicOS version 7.3.0 also includes enhanced protections against brute force attacks and additional MFA controls.