Full Report
A recent wave of attacks targeting SonicWall customers has researchers and authorities on alert. Many victim organizations had misconfigurations in their systems. The post SonicWall firewalls targeted by fresh Akira ransomware surge appeared first on CyberScoop.
Analysis Summary
# Incident Report: Surge in Akira Ransomware Exploiting SonicWall Firewalls
## Executive Summary
A recent surge of Akira ransomware attacks has been detected targeting SonicWall firewall appliances, primarily exploiting the publicly disclosed vulnerability CVE-2024-40766 in the SSL VPN protocol. The key enabling factor, in many cases, was the failure of victim organizations to perform required remediation steps, such as resetting local passwords, even after patching the initial vulnerability. This led to unauthorized access, data theft, and system encryption by the Akira group.
## Incident Details
- **Discovery Date:** Mid-July (Initial burst observed) / Ongoing detection as of latest reporting (September 12, 2025).
- **Incident Date:** Attacks observed starting mid-July through early August, with a subsequent wave noted later.
- **Affected Organization:** Multiple customers using SonicWall SSL VPNs (specific organizations not named; Rapid7 reported a "double-digit" number of attacks).
- **Sector:** Unspecified, targeting "organizations" generally.
- **Geography:** The Australian Cyber Security Centre is mentioned as responding to attacks, suggesting multi-national impact.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting mid-July 2025 onwards.
- **Vector:** Exploitation of SonicWall SSL VPN vulnerability, **CVE-2024-40766**.
- **Details:** Attackers leveraged the unpatched/improperly configured vulnerability. Crucially, in many instances, the firewall software *was* patched for the CVE, but victims failed to reset local passwords, allowing attackers to use legacy credentials.
### Lateral Movement
- **Date/Time:** Post-Initial Access (Implied).
- **Vector:** Attacks involved accessing the **virtual office portal** on SonicWall devices, likely to identify users lacking MFA or obtain valid credentials. Additionally, attackers abused **default Lightweight Directory Access Protocol (LDAP) group configurations**, which resulted in overprovisioned access to SSL VPN services.
### Data Exfiltration/Impact
- **Date/Time:** Post-Establishment of Presence.
- **Vector:** Akira ransomware typically steals data *and* encrypts systems before extorting victims (double extortion).
- **Details:** The objective included data theft and subsequent encryption of victim systems.
### Detection & Response
- **Date/Time:** Detection varied; researchers observed attacks since July.
- **Vector:** Incidents were reported to and responded to by third-party security firms like Rapid7 and noted by governmental agencies like the ACSC.
- **Details:** Response teams identified misconfigurations as a primary attack enabler, even when the core patch for CVE-2024-40766 was applied.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2024-40766** via SonicWall SSL VPNs, often succeeding due to **un-reset local passwords** post-patching.
- **Persistence:** Not explicitly detailed, but typical ransomware operations would involve establishing new backdoors or maintaining access via compromised OS/AD accounts.
- **Privilege Escalation:** Not explicitly detailed, but abuse of default **LDAP group configurations** served to significantly broaden access rights upon initial connection.
- **Defense Evasion:** Not explicitly detailed, but reliance on a year-old, already disclosed vulnerability suggests an evasion strategy targeting organizations with poor patch and post-patch configuration management.
- **Credential Access:** Attacks on the **virtual office portal** suggest enumeration for accounts lacking MFA or leveraging previously stolen/weak credentials.
- **Discovery:** Utilizing access gained via the VPN, attackers likely performed internal reconnaissance.
- **Lateral Movement:** Enabled by overprovisioned access rights derived from misconfigured LDAP settings.
- **Collection:** Data gathering tactics typical of Akira ransomware operations (steal data before encryption).
- **Exfiltration:** Standard ransomware exfiltration methods (unspecified).
- **Impact:** System encryption via **Akira Ransomware**.
## Impact Assessment
- **Financial:** Not quantified, but prior Akira campaigns resulted in approximately $42 million in extortion payments across 250+ organizations (March 2023 - Jan 2024).
- **Data Breach:** Data theft is a standard component of this operation (double extortion).
- **Operational:** System encryption leads to significant business disruption.
- **Reputational:** Increased scrutiny on organizations using SonicWall products and poor security hygiene.
## Indicators of Compromise
- **Network indicators:** Attempts to connect to vulnerable SonicWall SSL VPN endpoints. Specific IP addresses or domains were not provided.
- **File indicators:** Akira Ransomware payload execution (specific hashes not provided).
- **Behavioral indicators:** Lateral movement patterns following exploitation of default LDAP group permissions; unusual activity originating from SSL VPN users.
## Response Actions
- **Containment:** Immediate segmentation/disabling of vulnerable VPN access points that show signs of exploitation.
- **Eradication:** Resetting all local passwords on SonicWall devices, reviewing and hardening LDAP group policies (specifically targeting default or over-permissive VPN access groups).
- **Recovery:** Restoring encrypted systems, post-incident forensic analysis, and ensuring the base patch for **CVE-2024-40766** is universally applied and validated.
## Lessons Learned
- **Key Takeaways:** Patching a vulnerability is insufficient; organizations must complete all recommended follow-up remediation actions (e.g., password resets, configuration hardening).
- **What could have been done better:** Victims failed to secure default configurations (especially related to LDAP/VPN access) even after installing security patches.
## Recommendations
- Immediately review and enforce strong password policies for all administrative and VPN accounts, especially following major vendor patches.
- Audit all LDAP configurations linked to VPN services to ensure the principle of least privilege is strictly enforced, removing any overly permissive default group mappings.
- Implement robust Multifactor Authentication (MFA) across all remote access services, including SonicWall SSL VPNs.
- Maintain prompt application of vendor security guidance, recognizing that initial patches often require subsequent configuration changes to fully negate the threat.
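The response actions and recommendations above (reset local passwords after patching, map only least-privilege LDAP groups to SSL VPN access, enforce MFA, and watch for successful SSL VPN logins by local accounts that were never rotated) can be expressed as a repeatable audit. The Python below is an added example written for this report; it is not code from SonicWall, Rapid7 or the article. The account records, the LDAP group-mapping records, the VPN log line format, the assumed patch date and the list of "broad" LDAP group names are all constructed for illustration and do not reflect any vendor's real export or log format.

```python
"""Post-patch hygiene audit for an SSL VPN appliance (constructed example).

Three checks mirror the report's remediation items:
  1. VPN-enabled local accounts whose password predates the patch install.
  2. VPN-enabled local accounts without MFA.
  3. Broad LDAP groups (e.g. "Domain Users") mapped to SSL VPN access.
A fourth function scans constructed VPN login lines for successful logins
by accounts that check 1 flagged, i.e. the behavioural indicator described
under "Indicators of Compromise".
"""
import re
from dataclasses import dataclass
from datetime import date

# Assumed date the CVE-2024-40766 patch was installed on this appliance.
PATCH_APPLIED = date(2025, 7, 1)

# Assumed set of LDAP groups that are effectively "everyone"; mapping them to
# SSL VPN access over-provisions remote access. Extend for your directory.
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users", "Users"}


@dataclass
class LocalAccount:
    name: str
    password_last_set: date
    mfa_enabled: bool
    vpn_allowed: bool


@dataclass
class GroupMapping:
    ldap_group: str
    vpn_access: bool


# Constructed sample data standing in for an appliance configuration export.
SAMPLE_ACCOUNTS = [
    LocalAccount("vpnadmin", date(2024, 11, 3), mfa_enabled=False, vpn_allowed=True),
    LocalAccount("jsmith", date(2025, 7, 20), mfa_enabled=True, vpn_allowed=True),
    LocalAccount("backup", date(2024, 5, 1), mfa_enabled=False, vpn_allowed=False),
]
SAMPLE_MAPPINGS = [
    GroupMapping("Domain Users", vpn_access=True),
    GroupMapping("VPN-Users", vpn_access=True),
    GroupMapping("Everyone", vpn_access=False),
]
# Constructed VPN authentication log lines (format is an assumption).
SAMPLE_LOG = """\
2025-08-02T03:14:07Z user=vpnadmin src=203.0.113.5 result=success auth=local
2025-08-02T09:02:11Z user=jsmith src=198.51.100.7 result=success auth=ldap
2025-08-03T01:45:30Z user=vpnadmin src=203.0.113.5 result=failure auth=local
"""

LOG_RE = re.compile(r"(\S+) user=(\S+) src=(\S+) result=(\S+) auth=(\S+)")


def audit_local_accounts(accounts, patch_date=PATCH_APPLIED):
    """Return (account, finding) pairs for VPN-enabled local accounts that
    still have a pre-patch password or no MFA. Accounts not allowed to use
    the VPN are skipped because they cannot be used for initial access."""
    findings = []
    for acct in accounts:
        if not acct.vpn_allowed:
            continue
        if acct.password_last_set <= patch_date:
            findings.append((acct.name, "password not reset after patch"))
        if not acct.mfa_enabled:
            findings.append((acct.name, "MFA not enforced"))
    return findings


def audit_group_mappings(mappings, broad_groups=BROAD_GROUPS):
    """Return LDAP group names that are broad and still grant VPN access."""
    return [m.ldap_group for m in mappings
            if m.vpn_access and m.ldap_group in broad_groups]


def stale_accounts(accounts, patch_date=PATCH_APPLIED):
    """Names of VPN-enabled accounts whose password predates the patch."""
    return {name for name, finding in audit_local_accounts(accounts, patch_date)
            if finding == "password not reset after patch"}


def flag_logins(log_text, watch_accounts):
    """Return (timestamp, user, src) for every successful local-auth login
    by an account in watch_accounts. Failed attempts are ignored here; they
    belong in a separate brute-force view."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, src, result, auth = m.groups()
        if result == "success" and auth == "local" and user in watch_accounts:
            hits.append((ts, user, src))
    return hits


def run_audit(accounts=SAMPLE_ACCOUNTS, mappings=SAMPLE_MAPPINGS, log_text=SAMPLE_LOG):
    """Bundle all checks into one report dictionary."""
    return {
        "account_findings": audit_local_accounts(accounts),
        "broad_groups_with_vpn": audit_group_mappings(mappings),
        "logins_by_stale_accounts": flag_logins(log_text, stale_accounts(accounts)),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the constructed data the audit reports `vpnadmin` twice (pre-patch password and no MFA), flags `Domain Users` as a broad group mapped to VPN access, and surfaces the one successful local login by `vpnadmin` as the behavioural indicator to investigate. In practice the account and mapping records would be loaded from the appliance's configuration export and the log lines from the syslog feed, with `PATCH_APPLIED` set to the real install date.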