CISA says SonicWall bug being exploited as experts warn of ransomware gang use

Avatar
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.

Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.

The Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that hackers are exploiting CVE-2024-40766 — a vulnerability affecting SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

SonicWall said in its own advisory that the vulnerability allows “unauthorized resource access” and in some situations can cause the firewall to crash. They have also confirmed that it is being exploited by hackers and said patches have been released. 

For those unable to patch, SonicWall urged customers to ensure that access to the devices is limited or restricted from internet access. SonicWall gave the vulnerability a severity score of 9.3 out of 10.

The CISA warning comes days after researchers at Arctic Wolf said it observed hackers connected to the Akira ransomware gang exploiting the vulnerability. 

CISA itself said it did not know if ransomware groups are exploiting the bug but Rapid7 confirmed on Monday that it has also seen ransomware actors exploiting it. 

Arctic Wolf researchers saw affiliates of the group using compromised accounts on SonicWall devices as the initial access vector to carry out ransomware attacks. 

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” said Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf.

“Additionally, [multifactor authentication] was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.”

Akira — responsible for attacks on Stanford University, cloud service Tietoevry and Yamaha — earned about $42 million in ransoms from attacks on at least 250 organizations since emerging in March 2023, according to the FBI

The large number of attacks launched by the group led experts to believe it is made up of experienced actors and previous reports from Akira showed links between the gang and the now-defunct ransomware gang Conti.

CybercrimeGovernmentIndustryNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

Houston Technology Summit 2024

Next Post

Data of nearly 300,000 exposed in Avis cyberattack

Related Posts

PyPI Python Library “aiocpa” Found Exfiltrating Crypto Keys via Telegram Bot

The administrators of the Python Package Index (PyPI) repository have quarantined the package "aiocpa" following a new update that included malicious code to exfiltrate private keys via Telegram. The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date. By putting the
Avatar
Read More

Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw

Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor's Zimbra Collaboration. Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in Zimbra's postjournal service that could enable unauthenticated attackers to
Avatar
Read More