Dark Web News Analysis: Akira Exploits SonicWall SSLVPN in Suspected Zero-Day Attacks
A dark web listing has been identified, detailing the active exploitation of SonicWall SSLVPN devices, which is leading to ransomware attacks by the Akira group. An exploit for a pre-authenticated root Remote Code Execution (RCE) vulnerability affecting SonicWall SSLVPN is being sold on a hacker forum. The attacks rapidly bypass MFA, escalate privileges, and deploy ransomware.
This incident is particularly alarming as it targets a widely used firewall appliance, which is a key component of an organization’s security infrastructure. The attacks are a direct result of a vulnerability in SonicWall Gen 7 firewall appliances running firmware version 7.2.0-7015 or earlier. SonicWall has issued an emergency notice urging customers to immediately disable SSLVPN services on their Gen 7 appliances or restrict access to trusted IPs. The attackers are using a variety of readily available tools for persistence, data exfiltration, and lateral movement, which emphasizes the urgency for immediate action.
Key Insights into the Akira Ransomware Attacks
This security incident carries several critical implications:
- MFA Bypass and Privilege Escalation: The attackers are bypassing MFA and leveraging over-permissioned service accounts for privilege escalation and lateral movement. This is a severe security failure, as MFA is considered one of the most effective controls against unauthorized access. That a threat actor can bypass this control suggests either a major vulnerability in the authentication process itself or a failure to enforce the principle of least privilege, which is itself a key security control.
- Exploitation of a Zero-Day Vulnerability: While initial reports from security firms pointed to a possible zero-day vulnerability, SonicWall later updated its advisory to state that the threat activity correlates with a previously disclosed improper access control flaw, CVE-2024-40766. However, the fact that the attacks are succeeding even against fully patched devices suggests that the attackers are using a new exploit or a combination of exploits that was previously unknown.
- Rapid and Methodical Attacks: The attacks are described as “rapid and methodical,” combining automated tools with hands-on techniques. My analysis confirms that attackers are pivoting to domain controllers within hours of the initial breach. They are using readily available tools (e.g., Cloudflared, OpenSSH, PowerShell Remoting, WMI) for persistence, data exfiltration, and lateral movement. This emphasizes the urgency for immediate action and the need for a robust incident response plan.
- Supply Chain Risk: SonicWall is a widely used firewall appliance. A breach of this nature poses a significant supply chain risk to the thousands of organizations that use its products. The attackers can use this vulnerability to compromise a large number of companies, which could have a catastrophic impact on the integrity of the global IT ecosystem.
Mitigation Strategies for Organizations and Authorities
In response to this security threat, immediate and robust mitigation efforts are essential:
- Immediate VPN Risk Mitigation: Organizations should immediately disable SSLVPN on affected SonicWall devices or restrict access to trusted IPs using source IP allow-listing. This is the most effective way to protect the network from this type of attack.
- Audit and Enforce Strong Password Policies: Organizations should audit and enforce strong password policies for all accounts, especially those with VPN access, and monitor for brute-force attempts.
- Enhanced Security and Threat Hunting: Organizations should implement and verify the effectiveness of Botnet Protection, Geo-IP Filtering, and Intrusion Prevention System (IPS) on SonicWall appliances. It is also critical to conduct a thorough audit of the Brinztech XDR logs to identify any indicators of compromise.
- Restrict Service Accounts and Enforce Least Privilege: Organizations should review and restrict the permissions of service accounts (e.g., LDAPAdmin, sonicwall) to minimize potential damage from privilege escalation. This is a key security control that can help an organization protect itself from this type of attack.
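The allow-listing, brute-force monitoring and service-account points above can be checked together against VPN authentication logs. The following Python is an added example, not Brinztech's or SonicWall's code: the key=value log format, the trusted network range and the thresholds are assumptions, and the sample lines are constructed. It flags failed-login bursts, successful logins from outside the allow-list (the signal that matters when MFA is being bypassed), and any VPN login by the service accounts the advisory names.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value syslog style; the field
# names (time/src/user/result) are assumptions, not SonicWall's log schema.
SAMPLE_LOG = """\
time="2025-08-01 02:14:05" src=203.0.113.7 user=jdoe result=failed
time="2025-08-01 02:14:09" src=203.0.113.7 user=jdoe result=failed
time="2025-08-01 02:14:12" src=203.0.113.7 user=jdoe result=failed
time="2025-08-01 02:14:15" src=203.0.113.7 user=jdoe result=failed
time="2025-08-01 02:14:18" src=203.0.113.7 user=jdoe result=failed
time="2025-08-01 02:14:40" src=203.0.113.7 user=jdoe result=success
time="2025-08-01 03:02:11" src=198.51.100.5 user=LDAPAdmin result=success
time="2025-08-01 08:30:00" src=192.0.2.44 user=asmith result=success
"""

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed source-IP allow-list
SERVICE_ACCOUNTS = {"ldapadmin", "sonicwall"}          # accounts named in the advisory
FAIL_THRESHOLD = 5              # failed logins per source ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window
LINE_RE = re.compile(r'time="([^"]+)" src=(\S+) user=(\S+) result=(\S+)')

def parse(log_text):
    """Yield (timestamp, source_ip, user, result) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                   ipaddress.ip_address(src), user, result)

def analyze(log_text):
    """Return sorted (source_ip, finding) pairs that warrant a hunt."""
    findings = set()
    fails = defaultdict(list)  # source_ip -> failure timestamps still inside WINDOW
    for ts, src, user, result in parse(log_text):
        if result == "failed":
            fails[src] = [t for t in fails[src] if ts - t <= WINDOW] + [ts]
            if len(fails[src]) >= FAIL_THRESHOLD:
                findings.add((str(src), "brute-force burst"))
        elif result == "success":
            if not any(src in net for net in TRUSTED_NETS):
                findings.add((str(src), f"login from outside allow-list as {user}"))
            if user.lower() in SERVICE_ACCOUNTS:
                findings.add((str(src), f"VPN login by service account {user}"))
    return sorted(findings)
```

On the constructed sample, `analyze(SAMPLE_LOG)` reports the bursting source, the later success from that same non-allow-listed address, and the LDAPAdmin login, while the login from the trusted range produces nothing.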
Need Further Assistance?
If you have any further questions regarding this critical incident, suspect your personal data or your organization’s sensitive information may be compromised, or require advanced cyber threat intelligence and dark web monitoring services, you are encouraged to use the ‘Ask to Analyst’ feature to consult with a real expert, contact Brinztech directly, or, if you find the information irrelevant, open a support ticket for additional assistance.