‘Aggressive’ Akira Ransomware Blitz Clubs SonicWall 2FA to DEATH
The Akira gang is exploiting vulnerabilities in SonicWall SSL VPN appliances to bypass multi-factor authentication and deploy ransomware. Researchers suspect the attackers got through by stealing one-time-password seeds. SonicWall has recently patched several high-severity vulnerabilities, but customers are unhappy with its security and are planning to migrate to other brands. 2025-9-29 18:54:59 Author: securityboulevard.com

Yet another security problem plaguing SonicWall customers.

The Akira gang have found a way to bypass the multifactor authentication on SonicWall SSL VPN appliances. These scrotes then appear to move laterally from the VPN boxes to deploy ransomware.

It’s worrying that they’ve broken SonicWall’s 2FA. In today’s SB Blogwatch, we hear customers’ anger.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Uber hacking.

Strange Factors

What’s the craic? Lawrence Abrams reports: Akira ransomware breaching MFA-protected SonicWall VPN accounts

Exploiting SonicWall SSL VPN devices
Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds.

In July, … the Akira ransomware operation was exploiting SonicWall SSL VPN devices to breach corporate networks, leading researchers to suspect that a zero-day flaw was being exploited. … However, SonicWall ultimately linked the attacks to [a vulnerability] patched in August 2024.


A 13-month-old vuln? Jessica Lyons registers the context: Security vendor’s no good, very bad year

CISA urged all SonicWall customers
CVE-2024-40766 … is a 9.8 CVSS-rated improper access control flaw originally disclosed in August 2024 — which Akira also abused last year to gain initial access to victim orgs before deploying ransomware and extorting the infected firms for ransom payments. Earlier this month, … Akira was also poking holes in SonicWall SSLVPN misconfigurations and exploiting these weaknesses, in addition to the year-old CVE, to conduct its ransomware attacks.

SonicWall and … CISA warned of brute-force attacks targeting its cloud backup service for firewalls, following [reports] about the intrusions. Additionally, CISA urged all SonicWall customers to log into their accounts and verify if their devices are at risk.

Who’s been researching it? Stefan Hostetler, Julian Tuin, Jon Grimm, Trevor Daher, Jerbin Kolencheril, Alyssa Newbury, Joe Wedderspoon and Cole Pixley tag-team: Aggressive Akira Campaign Targets SonicWall VPNs

Extent of this breach may not yet be fully known
Threat actors obtained initial access through malicious SSL VPN logins … and deployed Akira ransomware. Early in the kill chain, anomalous SMB activity was observed, pointing to the use of Impacket for discovery and lateral movement. … Because dwell time is typically measured in hours, detecting and disrupting the activity early is essential to prevent ransomware encryption and data theft.

Threat actors … successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled. It is worth noting that SonicWall recently disclosed an incident involving the MySonicWall cloud backup service. While SonicWall has stated the incident was not a ransomware event, the full extent of this breach may not yet be fully known.

Not a good look. VoiceOfTruth sees the irony:

Here we go again: A company supposedly … in the business of selling computer security products can’t keep itself secure.

But isn’t this caused by customers not rotating secrets after installing last year’s patch? No, u/TannerHill assures us:

I assure you the new part is them being able to compromise newly added/rotated MFA Seeds and authenticate with MFA. Which hasn’t been addressed by SonicWall in any communication or vulnerability report.
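As an added illustration, not code from the article, SonicWall or the researchers quoted, of why Arctic Wolf’s “stolen OTP seeds” explanation and u/TannerHill’s point about rotated seeds matter: a from-scratch RFC 6238 TOTP in Python. It uses the RFC’s public test-vector seed (not real data) to show that a copied seed produces exactly the codes the server expects, and that only issuing a fresh seed invalidates the copy.

```python
"""RFC 6238 TOTP from scratch: why a leaked OTP seed defeats OTP MFA.

Added example, not from the article or any vendor code. RFC_SEED is the
public RFC 6238 test vector, not a real credential.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic
    truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check accepting +/- `skew` 30-second steps of clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * 30), code)
               for d in range(-skew, skew + 1))


def seed_copy_bypasses_mfa(seed: bytes, unix_time: int) -> bool:
    """Whoever holds a copy of the seed (e.g. from a configuration backup)
    generates the very code the server expects; the server cannot tell
    the copy apart from the legitimate authenticator."""
    copied_seed = bytes(seed)
    return verify(seed, totp(copied_seed, unix_time), unix_time)


def rotation_invalidates_copy(old_seed: bytes, unix_time: int) -> bool:
    """Mitigation: enrolling a fresh random seed makes codes derived from
    the old copy fail verification."""
    new_seed = secrets.token_bytes(20)
    return not verify(new_seed, totp(old_seed, unix_time), unix_time)


# Public RFC 6238 SHA-1 test-vector seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, 59, digits=8))                       # 94287082
    print(seed_copy_bypasses_mfa(RFC_SEED, 1_700_000_000))    # True
    print(rotation_invalidates_copy(RFC_SEED, 1_700_000_000))  # True
```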

Concerning. This Anonymous Coward “Can’t wait to abandon SonicWall”:

We have one more year of support with them and during that time we will be evaluating a migration to OPNSense. In the past, we’ve been unable to log in to the Sonicwall VPN because a vulnerability allowed attackers to consume all VPN licenses even though the attackers weren’t able to successfully authenticate any of those VPN connections. We applied multiple patches that were supposed to fix the problem but the only thing that actually worked was switching the VPN to a non-standard port.

[Then] we experienced a completely separate issue in which we weren’t able to apply firmware patches for quite a while because their license servers were misconfigured … (numerous calls and e-mails to support were completely useless until I finally found someone who gave a **** about their job enough to fix the issue). It’s bad enough that they have so many vulnerabilities, but it’s far worse when we’re not capable of using the support that we’ve paid for.

Is that entirely fair? John Klos says SonicWall “should not be trusted with security”:

They have a long history of security issues, and we all know they don’t provide updates to anyone who isn’t paying for support. But what do you get even when you do pay for support? You get to be their beta tester, because many of their “features” and many of the bugs that they’re finally getting around to trying to fix haven’t really been tested. You get their own staff being unable to make their own “features” work.

Much of their support doesn’t even understand basic networking. It’s like calling Comcast or AT&T – they know terms, but the first half hour of any call is dealing with someone who doesn’t know what a NAT state table is, but pretends that the thing they’ve condescendingly read out of a script disproves everything you’ve said. … If that weren’t bad enough, they will tell you that a device is “obsolete”, then sell you a new device that has literally the exact same hardware inside.

Thank you for attending my rant.

But is this limited to SonicWall? Yes and no, thinks u/JKatabaticWind:

SonicWall and Palo Alto, and Cisco, and Ivanti. There is a reason CISA and NSA are discouraging the use of SSL VPNs. … The best you can do is implement secure engineering, and assume every vendor’s system will eventually be breached. Right now it’s SonicWall’s turn in the barrel, but none of them have clean hands. The question is what you can do from an engineering standpoint to put layers of defenses in place to protect yourself.

Meanwhile, this other Anonymous Coward sounds a bit confused:

I still don’t know what Akira has to do with this, and whether that’s, “I am Akira, your waiter,” ably played by George Takei, or Akira the man-god from the titular manga.

And Finally:

Uber driver reverse engineers the algorithm

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: BOTAGAINSTHUMANITY (cc:by-nc-nd; cropped)

Article source: https://securityboulevard.com/2025/09/sonicwall-akira-ransomware-richixbw/