Ransomware group Akira is believed to be behind a large number of attacks that appear to be tied to SonicWall firewalls with SSLVPN enabled.
Over the past week, a large number of attacks by the ransomware group Akira have been reported, where the initial attack vector seems to be SonicWall firewalls (Gen 7 and newer) with SSLVPN enabled. This week, SonicWall issued updated guidance on the activity. The guidance states that SonicWall believes this activity is not connected to a zero-day vulnerability, but is rather associated with a previously reported vulnerability, CVE-2024-40766, addressed in SonicWall’s public advisory SNWLID-2024-0015.
The guidance goes on to “strongly urge” SonicWall customers to employ the following measures:
- Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional multi-factor authentication (MFA) controls. SonicWall has provided a firmware update guide.
- Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
- Continue applying the previously recommended best practices.
Previously, on August 4, SonicWall had recommended the following:
- Disable SSLVPN services where practical
- Limit SSLVPN connectivity to trusted source IPs
- Enable security services
  - Activate services such as Botnet Protection and Geo-IP Filtering.
  - These help detect and block known threat actors targeting SSLVPN endpoints.
- Enforce MFA
  - Enable MFA for all remote access to reduce the risk of credential abuse.
- Remove unused accounts
  - Delete any inactive or unused local user accounts on the firewall.
  - Pay special attention to those with SSLVPN access.
- Practice good password hygiene
  - Encourage regular password updates across all user accounts.
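The account-related items above (remove inactive SSLVPN accounts, reset passwords carried over from a Gen 6 migration, enforce MFA) can be turned into a repeatable audit. The script below is an added example, not SonicWall's tooling; the account record fields, the migration date and the inventory itself are constructed assumptions, so map them to whatever export your firewall or management console actually produces.

```python
"""Audit a constructed inventory of firewall local user accounts against the
SonicWall guidance. The record format is an assumption for this example."""
from datetime import date, timedelta

# Constructed sample inventory; field names are hypothetical.
ACCOUNTS = [
    {"name": "vpn-alice", "sslvpn": True, "mfa": True,
     "last_login": date(2025, 7, 28), "pw_changed": date(2025, 7, 1)},
    {"name": "vpn-bob", "sslvpn": True, "mfa": False,
     "last_login": date(2024, 11, 2), "pw_changed": date(2023, 3, 15)},
    {"name": "vpn-legacy", "sslvpn": True, "mfa": False,
     "last_login": None, "pw_changed": date(2022, 9, 9)},
    {"name": "admin-local", "sslvpn": False, "mfa": False,
     "last_login": date(2025, 7, 30), "pw_changed": date(2025, 1, 10)},
]

# Constructed: the day this unit was migrated from Gen 6 to Gen 7, and the audit date.
MIGRATION_DATE = date(2024, 1, 15)
TODAY = date(2025, 8, 8)


def audit(accounts, migration_date, today, inactive_days=90):
    """Return {account name: [findings]} for accounts that have SSLVPN access.

    Findings mirror the guidance: inactive accounts should be removed, passwords
    set before the Gen 6 -> Gen 7 migration should be reset, MFA should be on.
    """
    findings = {}
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        if not acct["sslvpn"]:
            continue  # the guidance focuses on accounts with SSLVPN access
        issues = []
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            issues.append("inactive for %d+ days: remove or disable" % inactive_days)
        if acct["pw_changed"] < migration_date:
            issues.append("password predates Gen 6 -> Gen 7 migration: reset")
        if not acct["mfa"]:
            issues.append("MFA not enforced")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, MIGRATION_DATE, TODAY).items():
        print(name, "->", "; ".join(issues))
```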