Akira Ransomware Actively Exploiting SonicWall firewall RCE Vulnerability


SonicWall disclosed a critical remote code execution vulnerability (CVE-2024-40766) in SonicOS on August 22nd, 2024.

While no active exploitation was initially confirmed, the advisory was updated on September 6th to indicate potential active attacks. 

The vulnerability, affecting both management access and local SSLVPN accounts, allows attackers to execute arbitrary code on vulnerable devices, which could lead to complete compromise, including data theft, network disruption, and further malicious activities.

– Advertisement –
EHA

Recent attacks by Akira ransomware affiliates exploited vulnerabilities in SonicWall SSLVPN devices where the attackers compromised local accounts on these devices, which lacked MFA, and used them to gain unauthorized access.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The affected devices were running vulnerable SonicOS firmware versions. To mitigate this risk, organizations should immediately upgrade to the latest SonicOS firmware and enable MFA for all local SSLVPN accounts.

The SonicOS firmware for various SonicWall firewalls, including SOHO (Gen 5), Gen 6, and others, contains vulnerabilities that could be exploited by malicious actors existing in older versions of SonicOS 5.9.2 and 6.5.4. 

SonicWall has released updated firmware versions (5.9.2.14-13o and 6.5.2.8-2n/6.5.4.15.116n) to address these security issues, and it is strongly recommended that users of these firewalls update their firmware to the latest version to protect their systems from potential attacks.

They had identified a security vulnerability in their Gen7 Firewalls running SonicOS versions 7.0.1-5035 and older, which could potentially allow an unauthorized attacker to gain unauthorized access to the firewall’s management interface. 

It has been recommended that users of these firewalls update to the latest SonicOS firmware version, 7.0.1-5072 or later, to mitigate this risk, which is not present in SonicOS versions higher than 7.0.1-5035.

It has been advised users of Gen5 and Gen6 devices to reset their SSLVPN account passwords to prevent unauthorized access. 

To comply with this recommendation, administrators should manually enable the “User must change password” option for all locally managed accounts, which will force users to reset their passwords upon their next login. 

Suppose the same passwords are used in Active Directory or other centralized authentication solutions. In that case, administrators should ensure that users update their passwords in those locations as well to prevent potential future attacks.

To enable multi-factor authentication (MFA) for all local SSLVPN accounts on SonicWall firewalls, navigate to Users > Local Users for GEN5 firewalls or MANAGE | System Setup > Users > Local Users & Groups for GEN6 firewalls. 

According to Arctic Wolf, SonicWall recommends enabling MFA for all locally managed SSLVPN accounts to enhance security. 

To mitigate security risks, it advises disabling WAN management and SSLVPN access from the internet, which prevents remote configuration changes and SSLVPN connections from untrusted sources by significantly reducing the likelihood of unauthorized access and potential cyberattacks.

Download Free Incident Response Plan Template for Your Security Team – Free Download



Source link