Attackers Exploit SonicWall Vulnerability to Deploy Akira Ransomware
Poor practices and inadequate protection allowed Akira to spread.
SonicWall has been investigating a surge in Akira ransomware attacks targeting its Gen 7 firewalls where SSLVPN is enabled. Multiple incidents have been reported both internally and externally, prompting SonicWall to post guidance for users to disable SSLVPN where possible, limit SSLVPN access to trusted IPs, enforce MFA, update passwords, and remove inactive accounts. Where disabling the VPN is not feasible, the network security company recommends applying the remaining mitigations and initiating incident response measures immediately.
Security researchers have observed attackers gaining access to networks through SonicWall firewalls, pivoting quickly to domain controllers, disabling Microsoft Defender, and deploying Akira ransomware. The attacks, which began in late July, have involved tools such as AnyDesk, ScreenConnect, and SSH. All confirmed incidents are linked to Akira; in some of them the attackers gained unauthorized access but did not complete encryption.
SonicWall's investigation found that many of the incidents involve firewalls migrated from Gen 6 to Gen 7 without resetting the local user passwords, a step SonicWall had recommended as part of the remediation for CVE-2024-40766. Credentials carried over in the migration remained valid on the new appliance, so the attackers did not need a new vulnerability, only a working username and password for an SSLVPN account.
Furthermore, the company pointed out that SonicOS 7.3 has additional protection against brute-force password and multi-factor authentication (MFA) attacks. The updated guidance offered by SonicWall is as follows:
Update firmware to SonicOS version 7.3.0
Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
Enable Botnet Protection and Geo-IP Filtering
Enforce MFA and strong password policies
Remove unused or inactive user accounts
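The mitigations above assume someone is watching SSLVPN authentication events, in particular successful logins from sources outside the trusted-IP set and bursts of failures against local accounts. The script below is an added example (not SonicWall code and not part of the original article) that triages such events from key=value syslog lines of the style SonicWall appliances emit. The log lines are constructed, and the exact `msg` strings, the `usr`/`src` field names, and the trusted network are assumptions that should be checked against the appliance's log message reference before use.

```python
"""Triage SSLVPN login events: flag successful logins from outside a
trusted-source allow-list and bursts of failed logins from one source.
Added example; the sample lines, message strings and field names are
constructed and must be matched to the real appliance's log reference."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in key=value syslog style (not captured data).
SAMPLE_LOG = """\
id=firewall sn=0000000000AA time="2025-08-01 08:00:05 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN user login allowed" usr="alice" src=198.51.100.20
id=firewall sn=0000000000AA time="2025-08-01 08:00:09 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN user login failed" usr="admin" src=192.0.2.77
id=firewall sn=0000000000AA time="2025-08-01 08:00:11 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN user login failed" usr="backup" src=192.0.2.77
id=firewall sn=0000000000AA time="2025-08-01 08:00:14 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN user login failed" usr="scanner" src=192.0.2.77
id=firewall sn=0000000000AA time="2025-08-01 08:00:16 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN user login failed" usr="svc-backup" src=192.0.2.77
id=firewall sn=0000000000AA time="2025-08-01 08:00:20 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN user login allowed" usr="svc-backup" src=192.0.2.77
id=firewall sn=0000000000AA time="2025-08-01 09:30:00 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN user login failed" usr="bob" src=198.51.100.21
"""

# Assumed allow-list of networks from which SSLVPN logins are expected.
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# key=value pairs; values may be quoted (and may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def parse_time(ts):
    """Parse the appliance's 'YYYY-MM-DD HH:MM:SS UTC' timestamp (assumed format)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %Z")


def triage(log_text, trusted=TRUSTED_SOURCES, fail_threshold=4,
           window=timedelta(minutes=5)):
    """Return findings in log order:
    ("untrusted_login", src, usr) for a successful login outside the allow-list,
    ("failure_burst", src, count) the first time a source reaches
    fail_threshold failed logins inside the sliding window."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    burst_reported = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev.get("msg", "").startswith("SSL VPN user login"):
            continue
        src, usr, when = ev["src"], ev.get("usr", "?"), parse_time(ev["time"])
        if ev["msg"].endswith("allowed"):
            if not any(ipaddress.ip_address(src) in net for net in trusted):
                findings.append(("untrusted_login", src, usr))
        else:
            # Keep only failures still inside the window, then add this one.
            recent = [t for t in failures[src] if when - t <= window] + [when]
            failures[src] = recent
            if len(recent) >= fail_threshold and src not in burst_reported:
                burst_reported.add(src)
                findings.append(("failure_burst", src, len(recent)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports a failure burst from 192.0.2.77 followed by a successful login for `svc-backup` from that same untrusted source, which is the pattern to treat as a compromised carried-over account rather than a noisy user. A single failure from the trusted range is ignored; tune `fail_threshold` and `window` to your own baseline.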
The latest updates on the attacks further reveal that Akira affiliates use a Bring Your Own Vulnerable Driver (BYOVD) technique, loading Windows drivers such as rwdrv.sys and hlpdrv.sys to disable antivirus protection. The drivers give the attackers kernel-level access, which they use to manipulate Windows Defender settings. Additionally, Akira threat actors use SEO poisoning to lure IT professionals to trojanized installers that deploy the Bumblebee loader, enabling remote access, credential theft, and eventual ransomware deployment.
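Two of the behaviours just described are observable on the endpoint before encryption starts: a driver with a watched name loading from an unusual path, and a Windows Defender policy value being flipped. The script below is an added example, not Akira tooling and not any vendor's detection content, that hunts for both in a list of Sysmon-style events. The records are constructed; the field names follow Sysmon's DriverLoad (Event ID 6) and RegistryEvent value-set (Event ID 13) schema, but every path, signer and value shown is made up for the example.

```python
"""Hunt for BYOVD driver loads and Defender tampering in Sysmon-style events.
Added example; the event records below are constructed, not captured."""
from pathlib import PureWindowsPath

# Driver file names the reporting ties to Akira's BYOVD tradecraft.
WATCHED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Directories from which a legitimate driver should not normally load.
SUSPECT_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# Defender policy values that neuter protection when set to 1.
DEFENDER_KILL_SWITCHES = {"disableantispyware", "disablerealtimemonitoring"}

SAMPLE_EVENTS = [  # constructed for the example; signer names are placeholders
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\ProgramData\\tmp\\rwdrv.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\hlpdrv.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)", "Image": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)", "Image": "C:\\Windows\\System32\\gpupdate.exe"},
]


def check_driver_load(ev):
    """Return the reasons a DriverLoad event looks like BYOVD; [] means benign."""
    path = PureWindowsPath(ev["ImageLoaded"])
    name = path.name.lower()
    reasons = []
    if name in WATCHED_DRIVERS:
        reasons.append(f"known BYOVD driver name {name}")
    if any(d in str(path).lower() for d in SUSPECT_DIRS):
        reasons.append("driver loaded from user-writable directory")
    # A valid signature is NOT a clean bill of health: BYOVD abuses legitimately
    # signed drivers, which is why the name watchlist above exists.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    return reasons


def check_registry_set(ev):
    """Flag a Defender policy kill switch being set to 1 (DWORD 0x00000001)."""
    target = ev["TargetObject"].lower()
    if "\\windows defender\\" not in target:
        return []
    value_name = target.rsplit("\\", 1)[-1]
    if value_name in DEFENDER_KILL_SWITCHES and ev.get("Details", "").endswith("(0x00000001)"):
        return [f"Defender {value_name} set to 1 by {ev.get('Image', '?')}"]
    return []


def hunt(events):
    """Run both checks over a list of events; return (subject, reasons) pairs."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 6:
            reasons = check_driver_load(ev)
            if reasons:
                findings.append((ev["ImageLoaded"], reasons))
        elif ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            reasons = check_registry_set(ev)
            if reasons:
                findings.append((ev["TargetObject"], reasons))
    return findings


if __name__ == "__main__":
    for subject, reasons in hunt(SAMPLE_EVENTS):
        print(subject, "->", "; ".join(reasons))
```

Note the design choice: the signature check alone would have waved through the rwdrv.sys load, because BYOVD works precisely by bringing a legitimately signed but vulnerable driver. In production, extend `WATCHED_DRIVERS` with file hashes from Microsoft's vulnerable driver blocklist and alert on the load path and the Defender registry change together, since the driver load typically precedes the policy flip by seconds.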
Since emerging in March 2023, Akira has compromised over 250 victims and extorted an estimated $42 million through targeted ransomware campaigns.
Key Takeaways
MFA must be enabled for all remote access technologies. Security software and security appliances need to be updated regularly as vendors release new versions of software and firmware, and the vendor-prescribed procedures must be followed when performing those updates; in this case, skipping the password reset that SonicWall prescribed for the Gen 6 to Gen 7 migration is what left the accounts exposed.
End users should not be able to download and install software such as VPN connectivity clients. Clearly, if IT professionals can be fooled into downloading trojanized installers, end users can be as well. Where UTM firewalls are deployed with TLS inspection and modern anti-malware scanning enabled, these threats can be caught and remediated at the perimeter, and next-generation antivirus should be deployed on endpoints to detect this type of malware as well.
Organizations should consider replacing VPNs with Secure Access Service Edge (SASE) solutions, which deliver security functions to computers that are not behind a firewall and could eliminate the need for VPN software in most cases. SASE also provides seamless integration with cloud and on-premises services while delivering Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), and Cloud Access Security Broker (CASB) capabilities, giving consistent and scalable security for users, devices, and applications wherever they are.