In-depth: How the Akira ransomware gang is exploiting SonicWall devices

Akira is targeting Australian companies using SonicWall firewall devices, but the ACSC’s recent warning is just the tip of the iceberg.


Security analysts and SonicWall itself have been warning of malicious activity targeting its firewall devices since last month, and this week, the Australian Cyber Security Centre (ACSC) warned Aussie companies that the Akira ransomware gang was the culprit and going after Australian organisations.

However, while the ACSC warned of the threat actor taking advantage of a year-old vulnerability, CVE-2024-40766, the actual attack chain is more complex, with Akira exploiting multiple vulnerabilities to gain access to their victims’ networks.

Cyber security firm Rapid7 has responded to multiple SonicWall-focused Akira intrusions in the last month and found that the hackers are taking advantage not only of devices with unchanged passwords, but also of two other vulnerabilities.


“Following its initial communication last month, SonicWall posted additional security guidance around the SSLVPN Default Users Group Security Risk. This is a security risk which, in certain configurations, can over-provision access to SonicWall’s SSLVPN services based on the Default LDAP group configurations,” Rapid7 said in an 11 September blog post.

“This can allow users who are not permitted to SSLVPN to successfully obtain access to the SSLVPN irrespective of Active Directory configurations.”

The hackers are also accessing SonicWall’s Virtual Office Portal, which can be used to set up MFA/TOTP configurations.

“The Virtual Office Portal in certain default configurations allows public access to the portal, which can allow threat actors to configure MFA/TOTP with valid accounts if there is a prior username and password credential exposure,” Rapid7 said, noting that it has observed all three of these security risks in its most recent campaign.

Rapid7 has so far responded to a “double-digit number of attacks”, according to its incident response team, and it attributes all of them to the Akira group.

“Rapid7 has been able to proactively identify attackers attempting to exploit these configuration mistakes. This includes actively connecting and interacting with the Virtual Office Portal, presumably looking for any users who may have not yet configured MFA,” Rapid7’s incident response team said.

“In certain cases, we’ve also identified abuse of the LDAP security guidance, where some users who were not given explicit SSLVPN rights had the ability to connect to the SSLVPN.”

Rapid7’s advice for any organisation using SonicWall devices is to validate patch levels, complete all recommended remediation steps, and audit all security configurations.

“This includes inventory of any local accounts, LDAP group configurations, access policies for Virtual Office Portals, and MFA configurations for users,” Rapid7 said.

“Additionally, if clients have the ability to collect and store SonicWall logs, these can also assist if any investigations are required.”
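The audit Rapid7 recommends above can be partly scripted. The Python below is an added example, not code from the article, Rapid7 or SonicWall: it assumes an exported inventory of which accounts are explicitly granted SSLVPN access and which have TOTP configured, and runs it over constructed key=value log lines whose field names (time, src, usr, msg) are illustrative and not SonicWall's real syslog schema. It flags successful SSLVPN logins by accounts without an explicit right (the LDAP default-group risk), logins by accounts without MFA, and new TOTP bindings that should be confirmed with the account owner (the Virtual Office Portal risk).

```python
"""Cross-check SSLVPN login events against an access inventory.

Added example, not from the article, Rapid7 or SonicWall. The key=value log
format and the field names (time, src, usr, msg) are constructed for
illustration and are NOT the real SonicWall syslog schema; take the real field
names from the device's log reference before using this on exported logs.
"""
import re
from dataclasses import dataclass

# Constructed inventory exports (assumed to come from the firewall's local user
# and LDAP group configuration): users explicitly allowed SSLVPN, users with TOTP set.
SSLVPN_AUTHORISED = {"alice", "bob"}
MFA_ENROLLED = {"alice"}

# Constructed sample log lines, not real device output.
SAMPLE_LOGS = """\
time="2025-09-10 08:01:12" src=203.0.113.10 usr="alice" msg="SSLVPN login succeeded"
time="2025-09-10 08:03:40" src=203.0.113.11 usr="carol" msg="SSLVPN login succeeded"
time="2025-09-10 08:05:02" src=203.0.113.12 usr="bob" msg="SSLVPN login succeeded"
time="2025-09-10 08:06:30" src=198.51.100.5 usr="dave" msg="SSLVPN login failed"
time="2025-09-10 08:07:15" src=198.51.100.7 usr="bob" msg="TOTP binding configured via Virtual Office"
"""

# key=value with either a double-quoted value or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    time: str
    src: str


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def audit(log_text: str, authorised: set, mfa_enrolled: set) -> list:
    """Return the findings a reviewer should look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        user, msg = ev.get("usr"), ev.get("msg", "")
        if not user:
            continue  # malformed or unrelated line
        when, src = ev.get("time", "?"), ev.get("src", "?")
        if msg == "SSLVPN login succeeded":
            if user not in authorised:
                # LDAP default-group risk: access without an explicit SSLVPN right
                findings.append(Finding(user, "sslvpn-login-without-explicit-right", when, src))
            if user not in mfa_enrolled:
                findings.append(Finding(user, "sslvpn-login-without-mfa", when, src))
        elif msg.startswith("TOTP binding configured"):
            # Virtual Office Portal risk: confirm new MFA bindings with the account owner
            findings.append(Finding(user, "new-totp-binding-review", when, src))
    return findings


def users_needing_review(findings: list) -> dict:
    """Group finding reasons per user for a quick summary."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user, set()).add(f.reason)
    return summary


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, SSLVPN_AUTHORISED, MFA_ENROLLED):
        print(f"{f.time}  {f.user:<6} {f.src:<15} {f.reason}")
```

On the constructed sample, alice produces nothing, carol is flagged twice (no explicit SSLVPN right, no MFA), and bob is flagged for logging in without MFA and then for a TOTP binding created minutes later from a different source address, which is exactly the sequence a reviewer would want to confirm with the account owner. The inventory sets would normally be built from the device's exported user and group configuration rather than typed in by hand.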

Given that Rapid7 has hundreds of customers using SonicWall devices and has already observed incidents in the double digits, the incident response team said this campaign could have “widespread industry impact”.

You can read more about Rapid7’s investigations here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
