A ransomware operation has discovered it can target large corporations by going after network security devices pitched to smaller enterprises.
The market for SonicWall SSL VPN devices tends to be small- and medium-sized firms – but when those businesses are bought by larger businesses, the devices suddenly are part of a network worth real money to hackers.
SonicWall devices are nonetheless popular for their ease of deployment and remote access features. It’s a combination also prized by the hackers behind the Akira ransomware-as-a-service operation, who spent this summer popping overlooked devices that had been folded into large corporations.
“This isn’t just the usual story of hidden technologies slipping through the cracks during M&A. These attacks were part of a deliberate and targeted campaign against SonicWall devices, which are rare in larger organizations but common in smaller ones,” according to a report from cybersecurity firm ReliaQuest.
Experts urge acquiring organizations to build a complete asset inventory of any IT gear they’re absorbing, and to keep it secured.
ReliaQuest’s analysis of every Akira attack from June through October that affected large organizations showed that attackers gained initial access by exploiting a SonicWall vulnerability.
From there, they searched for existing privileged accounts such as administrator logins or previous managed service provider credentials. “Crucially, these credentials were often unknown to the acquiring company, and left unmonitored and unrotated post-acquisition,” the report said.
Using administrator accounts can facilitate rapid attacks: the firm found threat actors spent on average only 9.3 hours proceeding from initial access, to exploiting legacy admin credentials, to gaining access to a domain controller and unleashing cryptolocking Akira malware.
The fastest such attack unfolded in just five hours.
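The attack chain above turns on two things an acquirer can check for: inherited privileged accounts that nobody claimed or rotated after the deal, and a long-idle account suddenly logging in to the VPN appliance. The script below is an added illustration of both checks, not code from the article, ReliaQuest or SonicWall; the account inventory, log format, device name and field names are constructed for the example and do not reflect any real product's output.

```python
import re
from datetime import date, datetime

# --- Constructed sample data (hypothetical names, not from any real device) ---
ACQUISITION_DATE = date(2025, 3, 1)   # assumed deal close date
TODAY = date(2025, 8, 15)             # assumed audit date
STALE_DAYS = 90                       # idle threshold for "dormant"

# Privileged accounts inherited with the acquired company's SSL VPN appliance.
INHERITED_ACCOUNTS = [
    {"user": "admin", "device": "acq-sonicwall-1", "last_rotated": date(2025, 3, 10),
     "last_login": date(2025, 8, 13), "owner_known": True},
    {"user": "msp_admin", "device": "acq-sonicwall-1", "last_rotated": date(2023, 11, 2),
     "last_login": date(2024, 12, 20), "owner_known": False},
    {"user": "svc_backup", "device": "acq-sonicwall-1", "last_rotated": date(2024, 6, 1),
     "last_login": date(2025, 8, 1), "owner_known": True},
]

# Constructed SSL VPN authentication events in a generic syslog-like layout.
VPN_AUTH_LOG = """\
2025-08-14T01:55:12Z acq-sonicwall-1 sslvpn auth user=admin result=success src=198.51.100.7
2025-08-14T02:13:07Z acq-sonicwall-1 sslvpn auth user=msp_admin result=success src=203.0.113.9
2025-08-14T02:14:40Z acq-sonicwall-1 sslvpn auth user=svc_backup result=failure src=203.0.113.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) sslvpn auth "
    r"user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def audit_inherited_accounts(accounts, acquisition_date, today, stale_days=STALE_DAYS):
    """Return {user: [reasons]} for accounts the acquirer should rotate, claim or disable."""
    findings = {}
    for acct in accounts:
        reasons = []
        if acct["last_rotated"] < acquisition_date:
            reasons.append("credential predates the acquisition and was never rotated")
        if not acct["owner_known"]:
            reasons.append("no identified owner (possible legacy MSP or vendor account)")
        if acct["last_login"] is None or (today - acct["last_login"]).days > stale_days:
            reasons.append(f"dormant for more than {stale_days} days")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def detect_dormant_account_logins(log_text, accounts, stale_days=STALE_DAYS):
    """Flag successful VPN logins by accounts that were idle for longer than stale_days.

    A sudden successful login from a long-idle privileged account is the trace
    left when legacy credentials are reused, which is the pattern described above.
    """
    last_login = {a["user"]: a["last_login"] for a in accounts}
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue  # only successful logins matter for this detection
        event_day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        prior = last_login.get(m["user"])
        idle_days = None if prior is None else (event_day - prior).days
        if idle_days is None or idle_days > stale_days:
            alerts.append({"user": m["user"], "device": m["device"],
                           "src": m["src"], "idle_days": idle_days})
    return alerts


if __name__ == "__main__":
    for user, reasons in audit_inherited_accounts(
            INHERITED_ACCOUNTS, ACQUISITION_DATE, TODAY).items():
        print(f"[inventory] {user}: " + "; ".join(reasons))
    for alert in detect_dormant_account_logins(VPN_AUTH_LOG, INHERITED_ACCOUNTS):
        print(f"[alert] dormant account {alert['user']} logged in to {alert['device']} "
              f"from {alert['src']} after {alert['idle_days']} idle days")
```

The inventory audit is the pre-incident control (rotate or disable what it flags); the log check is the post-acquisition detection to run continuously against the appliance's authentication events. Both depend on actually having the inventory of inherited accounts, which is the gap the report describes.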
It isn’t clear whether Akira is following firms that recently underwent a merger or acquisition, or whether the victimology is more happenstance.
ReliaQuest’s report didn’t detail which SonicWall SSL VPN vulnerabilities Akira-wielding attackers targeted. But its alert follows cybersecurity firm Rapid7 in September warning that attackers tied to Akira had resumed targeting CVE-2024-40766, an improper access control vulnerability in SonicWall SonicOS, which facilitates remote code execution leading to full device compromise.
SonicWall patched the flaw in its Gen 5, Gen 6 and Gen 7 firewalls in August 2024, but many devices remain vulnerable. This includes end-of-life gear that is still in use but for which patches are no longer being published.
Akira first began exploiting CVE-2024-40766 in campaigns lasting from roughly September to December 2024, although it wasn’t unique in doing so, since hackers for the Fog ransomware group also favored this vulnerability.
A second surge in Akira attacks targeting the flaw began this past summer, running from late July through at least September and amassing victims across numerous industries, suggesting “opportunistic mass exploitation rather than targeted intrusions,” reported cybersecurity firm Arctic Wolf.
Security experts warned that even fully patched devices running the latest firmware have been compromised, apparently because administrators neglected to rotate credentials, even when the devices were configured to require one-time passwords.
SonicWall recommended access control hardening. “To minimize potential impact, we recommend restricting firewall management to trusted sources or disabling firewall WAN management from internet access. Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the internet.”
(Source: Databreachtoday)
