Client advisory: Akira ransomware group targeting SonicWall devices

A ransomware group is exploiting a SonicWall SSLVPN vulnerability to bypass MFA and deploy ransomware.

Cyber Advisory 3 min Wed, Nov 12, 2025

A new cyber threat is emerging: the Akira ransomware group has resumed exploiting a previously disclosed vulnerability in SonicWall GEN7 SSLVPN appliances. The flaw allows attackers to bypass multi-factor authentication and gain remote access to networks. Once inside, they steal sensitive data and deploy ransomware, causing severe disruption for affected organizations.

We strongly recommend that businesses using SonicWall devices patch them immediately to reduce the risk of compromise.

What’s happening?

The Akira group has resumed exploiting a previously disclosed vulnerability in SonicWall SSLVPN appliances to gain initial access. Once inside, they deploy tools such as Cobalt Strike, escalate privileges, harvest credentials and move laterally across the network. The attack culminates in the exfiltration of sensitive data followed by Akira ransomware encrypting files, causing significant operational and financial impact.

Why this matters

Organizations using SonicWall GEN7 SSLVPN appliances face elevated risk, often under the false assumption that their systems are secure. Recent incidents have already caused significant business disruption and triggered insurance claims.

This campaign is particularly alarming because it shows how attackers can bypass traditional safeguards, including credential resets and multi-factor authentication. The Akira group, notorious for double-extortion tactics, is exploiting externally exposed SonicWall devices with remarkable speed, and its ability to get past both credential resets and MFA makes standard security measures less effective on their own.


Recommended actions

With organizations at risk, we strongly advise taking immediate action to reduce exposure.

Key steps:

  • Disable SSLVPN services temporarily if possible, until vendor guidance or patches are fully applied.
  • Install the released security patch promptly (CVE-2024-40766) and update SonicWall firmware to the latest version.
  • Enforce robust multi-factor authentication and restrict VPN access to trusted IP addresses only.
  • Audit VPN access logs immediately for unusual activity, especially from hosting-related Autonomous System Numbers.
  • Remove unused or legacy VPN accounts and enhance monitoring to detect suspicious login attempts quickly.
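The three log-related steps above (restricting access to trusted IP addresses, auditing VPN logs for logins from hosting-related ASNs, and weeding out unused accounts) can be checked in one pass over the VPN login logs. The following is an added example written for this advisory; it is not SonicWall code and not part of the original text. The key=value syslog format, the prefix-to-ASN table, the trusted ranges, the active-user list and the sample log lines are all constructed for illustration and would be replaced with your own appliance export, routing data and directory in practice.

```python
"""Audit SSL VPN login events against the checks in the advisory above.

Added example, not from the original advisory or from SonicWall. The
log format (key=value syslog fields such as usr=, src=, msg=) and all
sample data below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: prefixes mapped to (ASN, is_hosting). A real audit would use
# a routing/WHOIS data source; this table is an assumption for the example.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496, False),   # "corporate ISP"
    (ipaddress.ip_network("198.51.100.0/24"), 64500, True),   # "VPS hosting"
    (ipaddress.ip_network("192.0.2.0/24"), 64501, True),      # "cloud hosting"
]

# Constructed policy inputs: ranges the VPN should accept, and accounts that
# still belong to active staff (anything else is a legacy/unused account).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ACTIVE_USERS = {"alice", "bob"}

# Constructed sample log lines in a generic key=value syslog style.
SAMPLE_LOGS = """\
time="2025-11-10 08:02:11" msg="SSL VPN login successful" usr="alice" src=203.0.113.10
time="2025-11-10 23:41:07" msg="SSL VPN login successful" usr="bob" src=198.51.100.77
time="2025-11-11 02:15:33" msg="SSL VPN login successful" usr="svc_backup" src=192.0.2.200
time="2025-11-11 02:16:01" msg="SSL VPN login failed" usr="bob" src=192.0.2.201
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def lookup_asn(ip):
    """Longest-prefix match against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, hosting in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, hosting)
    return None if best is None else (best[1], best[2])


@dataclass
class Finding:
    user: str
    src: str
    reason: str


def audit(log_text, trusted_nets=TRUSTED_NETS, active_users=ACTIVE_USERS):
    """Flag successful logins that violate any of the advisory's checks."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "login successful" not in ev.get("msg", ""):
            continue  # only successful logins indicate access actually gained
        user, src = ev.get("usr", "?"), ev.get("src", "?")
        addr = ipaddress.ip_address(src)
        if not any(addr in n for n in trusted_nets):
            findings.append(Finding(user, src, "source outside trusted IP ranges"))
        asn = lookup_asn(src)
        if asn and asn[1]:
            findings.append(Finding(user, src, f"source in hosting ASN {asn[0]}"))
        if user not in active_users:
            findings.append(Finding(user, src, "account not in active user list"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"{f.user}@{f.src}: {f.reason}")
```

Run against the constructed sample, the script flags the two logins that came from hosting networks outside the trusted range, and additionally flags the `svc_backup` login because that account is no longer on the active list. Failed logins are skipped here deliberately; a spike of them is still worth alerting on separately, but they are not evidence that access was gained.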

Cyber threats are evolving rapidly, with attackers increasingly targeting vulnerabilities in widely used business infrastructure. Taking these steps promptly helps reduce the risk of a costly incident.


All CFC cyber policyholders can contact our team for advice in our Response app. At CFC, we’ll continue to monitor this threat closely to help businesses stay protected.

Please get in touch via customersupport@cfc.com for support, or report suspicious activity through our Response app.