Akira Ransomware's Exploitation of SonicWall Vulnerability Continues
Briefly

"The Akira ransomware group continues to exploit a year-old SonicWall vulnerability for initial access and relies on pre-installed and legitimate tools to evade detection, security researchers warn. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766 (CVSS score of 9.3), an improper access control issue in SonicWall firewalls that was patched in August 2024."
"Arctic Wolf says it observed dozens of incidents that can be tied together by VPN client logins originating from VPS hosting providers, network scanning, Impacket SMB activity for endpoint discovery, and Active Directory discovery. Artifacts collected from these intrusions suggest that multiple threat actors or affiliates might have been involved, that automation was used for authentication, and that readily available tools were used for discovery and lateral movement."
Akira ransomware continues exploiting CVE-2024-40766 in SonicWall firewalls to gain initial access, with exploitation surging over the past three months despite an August 2024 patch. The campaign targets SSL VPN accounts that use one-time password MFA and appears to use automated authentication attempts. Observed indicators include VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity for endpoint discovery, and Active Directory discovery. Artifacts suggest involvement of multiple actors or affiliates and the use of preinstalled or legitimate utilities, including remote monitoring tools. Dwell times are measured in hours, which leaves defenders a very short response window.
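The indicator chain above (SSL VPN login from hosting-provider address space, followed minutes later by SMB discovery from the tunnel address) can be turned into a simple correlation hunt. The following is an added example, not code from SecurityWeek or Arctic Wolf; the hosting-provider ranges, the event schema and the sample events are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: hosting/VPS provider ranges come from your own enrichment feed.
# These are RFC 5737 documentation prefixes used as constructed placeholders.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample events in a simplified normalised form:
# (timestamp, event_type, user, source_ip, tunnel_ip)
# vpn_login   : source_ip is the client's public address, tunnel_ip the assigned VPN IP
# smb_session : source_ip is the internal address that opened an SMB session
EVENTS = [
    ("2025-09-01T02:14:05", "vpn_login",   "jdoe",   "203.0.113.45", "10.20.0.12"),
    ("2025-09-01T02:16:40", "smb_session", "",       "10.20.0.12",   ""),
    ("2025-09-01T02:17:02", "smb_session", "",       "10.20.0.12",   ""),
    ("2025-09-01T08:30:00", "vpn_login",   "asmith", "192.0.2.10",   "10.20.0.33"),
    ("2025-09-01T12:00:00", "smb_session", "",       "10.20.0.33",   ""),
]


def from_vps(ip: str) -> bool:
    """True if the address falls inside a known hosting-provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def flag_sessions(events, window_minutes: int = 30, min_smb: int = 2):
    """Return (user, source_ip, smb_count) for VPN logins that originate from
    hosting space and are followed, within the window, by at least min_smb
    SMB sessions from the assigned tunnel address."""
    parsed = [(datetime.fromisoformat(t), k, u, s, tun) for t, k, u, s, tun in events]
    flagged = []
    for t, kind, user, src, tunnel in parsed:
        if kind != "vpn_login" or not from_vps(src):
            continue
        deadline = t + timedelta(minutes=window_minutes)
        smb = [e for e in parsed
               if e[1] == "smb_session" and e[3] == tunnel and t < e[0] <= deadline]
        if len(smb) >= min_smb:
            flagged.append((user, src, len(smb)))
    return flagged


if __name__ == "__main__":
    for user, src, count in flag_sessions(EVENTS):
        print(f"review: {user} from {src} followed by {count} SMB sessions")
```

Only the first login is flagged: the second comes from a non-hosting address and its single SMB session falls outside the window.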
Read at SecurityWeek