
CISA says SonicWall bug being exploited as experts warn of ransomware gang use

Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.

The Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that hackers are exploiting CVE-2024-40766 — a vulnerability affecting SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

SonicWall said in its own advisory that the vulnerability allows “unauthorized resource access” and in some situations can cause the firewall to crash. The company has also confirmed that the bug is being exploited and said patches have been released.

For customers unable to patch immediately, SonicWall urged that access to the devices be limited, or cut off entirely, from the internet. The company gave the vulnerability a severity score of 9.3 out of 10.

The CISA warning comes days after researchers at Arctic Wolf said they had observed hackers connected to the Akira ransomware gang exploiting the vulnerability.

CISA itself said it did not know whether ransomware groups are exploiting the bug, but Rapid7 confirmed on Monday that it, too, has seen ransomware actors exploiting it.

Arctic Wolf researchers saw affiliates of the group using compromised accounts on SonicWall devices as the initial access vector to carry out ransomware attacks. 

“In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory,” said Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf.

“Additionally, [multifactor authentication] was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766.”
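The three conditions Arctic Wolf describes (firmware in the affected range, accounts local to the device, MFA disabled) plus SonicWall's own mitigation (management not reachable from the internet) are exactly what a defender would want to sweep an estate for. The script below is an added example written for this article; it is not code from Arctic Wolf, SonicWall or CISA. The `Firewall` and `LocalAccount` records, the hostnames and the inventory are constructed for illustration. The version boundary for Gen 7 (SonicOS 7.0.1-5035 and older) comes from the article; Gen 5 and Gen 6 are listed as affected without a version boundary on this page, so the check treats every Gen 5/6 device as in scope rather than guessing a fixed build.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Boundary reported above for Gen 7: 7.0.1-5035 and older are affected.
GEN7_LAST_VULNERABLE = "7.0.1-5035"

# SonicOS 7 versions look like major.minor.patch-build, e.g. 7.0.1-5035.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(version: str) -> tuple[int, ...]:
    """Turn '7.0.1-5035' into (7, 0, 1, 5035) so versions compare numerically.

    A plain string comparison would rank build 10000 below build 5035, so the
    build number after the hyphen must be parsed as an integer.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS 7 version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def firmware_in_vulnerable_range(generation: int, version: str) -> bool:
    """True when the device's generation/firmware is in the affected range."""
    if generation in (5, 6):
        # Listed as affected on this page with no version boundary: treat as in scope.
        return True
    if generation == 7:
        return parse_sonicos_version(version) <= parse_sonicos_version(GEN7_LAST_VULNERABLE)
    # Other generations are not named in the advisory as reported here.
    return False


@dataclass
class LocalAccount:
    """Hypothetical inventory record for an account local to the firewall."""
    name: str
    mfa_enabled: bool


@dataclass
class Firewall:
    """Hypothetical inventory record for one SonicWall device."""
    hostname: str
    generation: int
    firmware: str
    wan_management_exposed: bool
    local_accounts: list[LocalAccount] = field(default_factory=list)


def triage(fw: Firewall) -> list[str]:
    """Return the findings for one device; an empty list means nothing to act on."""
    findings: list[str] = []
    if firmware_in_vulnerable_range(fw.generation, fw.firmware):
        findings.append("firmware within the CVE-2024-40766 affected range; patch")
    if fw.wan_management_exposed:
        findings.append("management reachable from the internet; restrict per vendor guidance")
    no_mfa = [a.name for a in fw.local_accounts if not a.mfa_enabled]
    if no_mfa:
        findings.append(
            "local accounts without MFA (the initial-access pattern seen by Arctic Wolf): "
            + ", ".join(no_mfa)
        )
    return findings


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Firewall("fw-branch-01", 7, "7.0.1-5035", True,
             [LocalAccount("admin", False), LocalAccount("ops", True)]),
    Firewall("fw-hq-01", 7, "7.0.1-5100", False, [LocalAccount("admin", True)]),
    Firewall("fw-legacy-02", 6, "6.5.4.14-109n", True, [LocalAccount("admin", False)]),
]


def run_sweep(inventory: list[Firewall]) -> dict[str, list[str]]:
    """Map each hostname to its findings, skipping clean devices."""
    return {fw.hostname: triage(fw) for fw in inventory if triage(fw)}


if __name__ == "__main__":
    for host, findings in run_sweep(SAMPLE_INVENTORY).items():
        print(host)
        for f in findings:
            print("  -", f)
```

The firmware check is deliberately conservative: a device whose version string it cannot parse raises rather than silently passing, and anything on Gen 5 or Gen 6 is flagged for review because this page gives no safe version for those generations. Exported configurations or a management-API inventory would feed the same `Firewall` records in practice.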

Akira — responsible for attacks on Stanford University, cloud service Tietoevry and Yamaha — earned about $42 million in ransoms from attacks on at least 250 organizations since emerging in March 2023, according to the FBI.

The large number of attacks launched by the group has led experts to believe it is made up of experienced actors, and previous reporting on Akira has shown links between the gang and the now-defunct Conti ransomware group.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.