1000’s Of SonicWall Devices Remain Vulnerable To CVE-2024-40766

A recent investigation revealed that the Akira and Fog ransomware groups are actively exploiting the SonicWall NSA vulnerability (CVE-2024-40766) to compromise organizations. 

As of December 23, 2024, over 100 companies are suspected to have been victimized by these groups through this vulnerability.

Despite the disclosure in September 2024, a significant number of devices, exceeding 48,933, remain vulnerable to exploitation. 

Analysis of organizations victimized by the Akira and Fog ransomware groups revealed a significantly higher prevalence of SonicWall NSA devices compared to victims of other ransomware groups. 

Out of 218 organizations compromised by Akira and Fog, over 100 (approximately 46%) were found to be utilizing SonicWall network security appliances, which contrasts sharply with the typical observation of around 5% or less SonicWall NSA ownership among victims of other ransomware groups. 

The existence of this discrepancy raises the possibility of a connection between the successful deployment of Akira and Fog ransomware and the exploitation of vulnerabilities within SonicWall NSA devices.

A significant number of organizations were likely compromised through the SonicWall NSA vulnerability between September and December, potentially exceeding 50%. 

Factors contributing to the consistent 50% detection rate include challenges in linking companies to their SonicWall devices, attackers diversifying intrusion vectors, and variations in tactics among threat actors. 

While SonicWall has not released a PoC or detailed impact assessments for the vulnerabilities, their recommendation to reset credentials and implement MFA strongly suggests a potential for credential theft. 

The lack of clear attribution in credential theft cases hinders definitive proof, while the high concentration of SonicWall devices within organizations targeted by these groups provides circumstantial evidence supporting their exploitation of SonicWall vulnerabilities. 

According to the Macnica, there was also activity on BlackBasta’s end that targeted SonicWall devices, although this activity has been decreasing as of late.

A novel method for assessing SonicWall NSA device patch status against CVE-2024-40766 was developed, which analyzes the HTML structure of devices and was validated against SNMP data from approximately 5,000 devices. 

As of December 24, 2024, 48,933 publicly exposed SonicWall NSA devices remain vulnerable, while analysis of vulnerable servers by country reveals poor remediation in several Asian nations. 

While patch adoption has significantly slowed down approximately one month after the patch release, mirroring a common trend observed with most vulnerabilities.

Despite lacking definitive proof, strong evidence indicates that the critical SonicWall vulnerability (CVE-2024-40766) is actively exploited by the Akira and Fog threat actors. 

Three months after its discovery, SonicWall devices remain vulnerable on a global scale, with 13% of public servers unpatched, which allows attackers like Akira and Fog to compromise numerous devices, likely contributing to their increased success. 

As the number of victims grows, the threat landscape for organizations utilizing SonicWall products continues to worsen, emphasizing the urgent need for immediate patching and enhanced security measures.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free