CVE/vulnerability

1000’s Of SonicWall Devices Remain Vulnerable To CVE-2024-40766

A recent investigation revealed that the Akira and Fog ransomware groups are actively exploiting the SonicWall NSA vulnerability (CVE-2024-40766) to compromise organizations. 

As of December 23, 2024, over 100 companies are suspected to have been victimized by these groups through this vulnerability.

Despite the disclosure in September 2024, a significant number of devices, exceeding 48,933, remain vulnerable to exploitation. 

Analysis of organizations victimized by the Akira and Fog ransomware groups revealed a significantly higher prevalence of SonicWall NSA devices compared to victims of other ransomware groups. 

Out of 218 organizations compromised by Akira and Fog, over 100 (approximately 46%) were found to be utilizing SonicWall network security appliances, which contrasts sharply with the typical observation of around 5% or less SonicWall NSA ownership among victims of other ransomware groups. 

SNMP data from around 5,000 devices

The existence of this discrepancy raises the possibility of a connection between the successful deployment of Akira and Fog ransomware and the exploitation of vulnerabilities within SonicWall NSA devices.

A significant number of organizations were likely compromised through the SonicWall NSA vulnerability between September and December, potentially exceeding 50%. 

Factors contributing to the consistent 50% detection rate include challenges in linking companies to their SonicWall devices, attackers diversifying intrusion vectors, and variations in tactics among threat actors. 

While SonicWall has not released a PoC or detailed impact assessments for the vulnerabilities, their recommendation to reset credentials and implement MFA strongly suggests a potential for credential theft. 

The lack of clear attribution in credential theft cases hinders definitive proof, while the high concentration of SonicWall devices within organizations targeted by these groups provides circumstantial evidence supporting their exploitation of SonicWall vulnerabilities. 

According to the Macnica, there was also activity on BlackBasta’s end that targeted SonicWall devices, although this activity has been decreasing as of late.

A novel method for assessing SonicWall NSA device patch status against CVE-2024-40766 was developed, which analyzes the HTML structure of devices and was validated against SNMP data from approximately 5,000 devices. 

As of December 24, 2024, 48,933 publicly exposed SonicWall NSA devices remain vulnerable, while analysis of vulnerable servers by country reveals poor remediation in several Asian nations. 

While patch adoption has significantly slowed down approximately one month after the patch release, mirroring a common trend observed with most vulnerabilities.

Despite lacking definitive proof, strong evidence indicates that the critical SonicWall vulnerability (CVE-2024-40766) is actively exploited by the Akira and Fog threat actors. 

Three months after its discovery, SonicWall devices remain vulnerable on a global scale, with 13% of public servers unpatched, which allows attackers like Akira and Fog to compromise numerous devices, likely contributing to their increased success. 

As the number of victims grows, the threat landscape for organizations utilizing SonicWall products continues to worsen, emphasizing the urgent need for immediate patching and enhanced security measures.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

3 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

3 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

3 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

3 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

4 hours ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

4 hours ago