Although SonicWall has provided a patch for a VPN vulnerability affecting its Gen5, Gen6, and Gen7 firewall appliances (one that allowed threat actors unauthorized access to SonicWall appliances), Rapid7 has reported that “an Akira ransomware campaign [recently] kicked off targeting SonicWall devices.” SonicWall has issued an advisory to customers about the campaign; it was originally thought to be a new one, but has since been confirmed to be related to the original vulnerability identified in August 2024 (CVE SNWLID-2024-0015).
Rapid7 has observed an increase in attacks and intrusions involving SonicWall appliances at organizations that have not completed patching for the vulnerability, and reports that the vulnerability is being exploited by threat actors including the Akira ransomware group. It has also
“observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances…[which] in certain default configurations allows public access to the portal, which can allow threat actors to configure MFA/TOTP with valid accounts if there is a prior username and password credential exposure. Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations.”
Rapid7 recommends that organizations using SonicWall devices:
- Rotate passwords on all SonicWall local accounts and remove any unused or inactive SonicWall local accounts. Please reference SonicWall’s official security advisory guidance.
- Ensure Multi-factor Authentication (MFA/TOTP) policies are configured for SonicWall SSLVPN services. Please reference SonicWall’s official security guidance.
- Ensure successful mitigation of the SSLVPN Default Groups security risk. Please reference SonicWall’s official security guidance.
- Ensure the Virtual Office Portal is restricted to LAN/internal access or trusted network access only. Please reference SonicWall’s official security guidance.
- Monitor access to the Virtual Office Portal (access is on port 4433).
- Ensure all SonicWall appliances are running on the latest patch. Please reference SonicWall’s vulnerability list.
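The two recommendations about the Virtual Office Portal (restrict it to trusted networks, and monitor access on port 4433) can be turned into a simple check over firewall connection logs. The script below is an added example, not code from Rapid7 or SonicWall: it parses constructed, syslog-style connection records (the `src=... dport=...` field layout is an assumption, not SonicWall's actual log format), and flags every connection to port 4433 whose source is outside the networks you consider trusted. Anything it reports is either a portal that is still reachable from the internet or an access attempt worth investigating against the password-rotation and MFA steps above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records for demonstration; not real SonicWall output.
# Sources 203.0.113.45 and 198.51.100.77 are documentation-range addresses
# standing in for untrusted internet hosts.
SAMPLE_LOGS = """\
2024-09-12T08:01:10Z fw01 conn src=10.1.4.22 sport=51234 dst=10.1.0.1 dport=4433 proto=tcp action=allow
2024-09-12T08:01:15Z fw01 conn src=203.0.113.45 sport=40211 dst=198.51.100.10 dport=4433 proto=tcp action=allow
2024-09-12T08:01:16Z fw01 conn src=203.0.113.45 sport=40212 dst=198.51.100.10 dport=4433 proto=tcp action=allow
2024-09-12T08:02:03Z fw01 conn src=192.168.7.9 sport=60001 dst=10.1.0.1 dport=443 proto=tcp action=allow
2024-09-12T08:02:40Z fw01 conn src=198.51.100.77 sport=33333 dst=198.51.100.10 dport=4433 proto=tcp action=allow
2024-09-12T08:03:00Z fw01 conn src=203.0.113.45 sport=40213 dst=198.51.100.10 dport=443 proto=tcp action=allow
this line is malformed and should be skipped
"""

# Port the Virtual Office Portal listens on, per the advisory text above.
VIRTUAL_OFFICE_PORT = 4433

# Networks from which portal access is expected. RFC 1918 ranges are used
# here as a placeholder; an operator would substitute their own LAN/VPN ranges.
DEFAULT_TRUSTED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None  # unexpected token layout; treat the whole line as unparseable
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def is_trusted_source(ip_str, trusted_networks):
    """True if the source address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(ip in net for net in trusted_networks)


def find_untrusted_portal_access(log_text, trusted_networks=DEFAULT_TRUSTED):
    """Return every record that reached the portal port from an untrusted source."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "src" not in rec or "dport" not in rec:
            continue
        if not rec["dport"].isdigit() or int(rec["dport"]) != VIRTUAL_OFFICE_PORT:
            continue
        if is_trusted_source(rec["src"], trusted_networks):
            continue
        alerts.append(rec)
    return alerts


def summarize_by_source(alerts):
    """Count flagged connections per source address, most active first."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    hits = find_untrusted_portal_access(SAMPLE_LOGS)
    for src, count in summarize_by_source(hits).most_common():
        print(f"{src}: {count} connection(s) to port {VIRTUAL_OFFICE_PORT} from outside trusted networks")
```

On the constructed sample this flags three connections from two external sources, while the internal host reaching port 4433 and the port 443 traffic are ignored. In practice the same logic would be fed from the appliance's exported logs or a SIEM query, with `DEFAULT_TRUSTED` replaced by the organization's own address ranges; a non-empty result after the portal has supposedly been restricted to the LAN is the signal that the restriction has not taken effect.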
Based on this writer’s experience with the Akira gang, following the recommendations of Rapid7 is a prudent priority.