Over the past week, a large number of attacks by the ransomware
group Akira have been reported, where the initial attack vector
seems to be SonicWall firewalls (Gen 7 and newer) with SSLVPN
enabled. Yesterday, SonicWall issued updated guidance on the activity. The guidance
states that SonicWall believes this activity is not connected to a
zero-day vulnerability, but is rather associated with a previously
reported vulnerability, CVE-2024-40766, addressed in
SonicWall's public advisory SNWLID-2024-0015.
The guidance goes on to "strongly urge" SonicWall
customers to employ the following measures:
- Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional multi-factor authentication (MFA) controls. SonicWall has provided a firmware update guide.
- Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
- Continue applying the previously recommended best
practices:
- Enable Botnet Protection and Geo-IP Filtering.
- Remove unused or inactive user accounts.
- Enforce MFA and strong password policies.
Previously, on August 4, SonicWall had recommended the following:
- Disable SSLVPN services where practical.
- Limit SSLVPN connectivity to trusted source IPs.
- Enable security services.
- Activate services such as Botnet Protection and Geo-IP Filtering.
- These help detect and block known threat actors targeting SSLVPN endpoints.
- Enforce MFA.
- Enable MFA for all remote access to reduce the risk of credential abuse.
- Remove unused accounts.
- Delete any inactive or unused local user accounts on the firewall
- Pay special attention to those with SSLVPN access.
- Practice good password hygiene.
- Encourage regular password updates across all user accounts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
