CISA says SonicWall bug being exploited as experts warn of ransomware gang use

Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.

The Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that hackers are exploiting CVE-2024-40766 — a vulnerability affecting SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

SonicWall said in its own advisory that the vulnerability allows “unauthorized resource access” and in some situations can cause the firewall to crash. The company also confirmed that it is being exploited by hackers and said patches have been released.

For those unable to patch, SonicWall urged customers to ensure that access to the devices is limited or that the devices are restricted from internet access. SonicWall gave the vulnerability a severity score of 9.3 out of 10.

The CISA warning comes days after researchers at Arctic Wolf said they observed hackers connected to the Akira ransomware gang exploiting the vulnerability.

CISA itself said it did not know if ransomware groups are exploiting the bug, but Rapid7 confirmed on Monday that it has also seen ransomware actors exploiting it.

Arctic Wolf researchers saw affiliates of the group using compromised accounts on SonicWall devices as the initial access vector to carry out ransomware attacks. 

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” said Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf.

“Additionally, [multifactor authentication] was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.”

Akira — responsible for attacks on Stanford University, cloud service Tietoevry and Yamaha — earned about $42 million in ransoms from attacks on at least 250 organizations since emerging in March 2023, according to the FBI.

The large number of attacks launched by the group led experts to believe it is made up of experienced actors, and previous reports from Akira showed links between the gang and the now-defunct ransomware gang Conti.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
