SonicWall SSLVPN Exploitation ‘Ongoing’ By Ransomware Group: Researchers
The Akira cybercriminal group is believed to be behind a resurgence in attacks exploiting a vulnerability that impacts certain SonicWall firewalls with SSLVPN enabled, according to researchers at Rapid7.
The Akira cybercriminal group is believed to be behind a resurgence in ransomware attacks exploiting a previously disclosed vulnerability impacting certain SonicWall firewalls, according to researchers at Rapid7.
The attacks are exploiting a critical-severity vulnerability (tracked as CVE-2024-40766), initially disclosed in August 2024, which can be utilized to gain improper access to SonicWall firewall appliances with SSLVPN enabled. The affected devices are SonicWall Gen 5, Gen 6 and Gen 7 firewalls, researchers at cybersecurity vendor Rapid7 noted in a post Wednesday.
“Rapid7 has observed this ongoing campaign targeting SonicWall devices to be consistent with previous activity attributed to Akira,” the Rapid7 researchers said.
CRN has reached out to SonicWall for comment.
The latest ransomware activity indicates that Akira has resumed its attacks that had previously been reported by security researchers in early August, according to Rapid7 researchers.
At the time, SonicWall said that reports from researchers suggesting a zero-day flaw was being exploited were incorrect, and that the attacks were exploiting the 2024 vulnerability.
In a statement provided to CRN on Aug. 7, SonicWall said the conclusion that the issue is “not a new zero-day or unknown vulnerability” was reached after the vendor “thoroughly investigated” the incidents.
In addition, “the affected population is small, fewer than 40 confirmed cases, and appears to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls,” the vendor said in the statement at the time. “We’ve issued updated guidance, including steps to change credentials and upgrade to SonicOS 7.3.0, which includes enhanced MFA protections.”