Akira Ransomware Group leverages Sonicwall SSLVPN

Akira ransom note

Overview: Akira Ransomware Group Exploiting SonicWall SSLVPN for Initial Access

Risk Factor: Critical

Date: 30th August 2024

Get Help Now

Solace Cyber are specialists in securing perimeter defences. Get in touch if you need support.

What We Know

In recent weeks, new intelligence from our incident response cases has revealed that the Akira ransomware group has started targeting SonicWall SSLVPNs to gain initial access to networks.

This tactic involves exploiting accounts with weak passwords and without Multi-Factor Authentication (MFA). This marks a significant shift in Akira’s initial access methods, which previously focused primarily on Cisco ASA firewalls.

While the possibility of exploiting SonicWall devices through known or unknown vulnerabilities cannot be entirely dismissed, multiple external sources are also reporting the group’s use of SonicWall SSLVPNs for initial access.

This change in Akira’s tactics highlights the critical importance of securing perimeter defences by enforcing strong password policies, regularly patching SonicWall devices, and implementing MFA across all VPN accounts to prevent unauthorised access to internal networks.

Solace Cyber Recommend:

  • Ensure all user accounts with SSLVPN permissions, including any local accounts, are secured with multi-factor authentication.
  • Conduct an audit of all VPN users and groups, and remove any that are no longer required.
  • Implement a strong password policy.
  • Keep the SonicWall appliance updated with the latest patches and regularly review SonicWall releases for further patches.
  • Enable external audit logging to extend the period of auditability, as SonicWall VPN login events typically do not cover more than 24 hours without external logging.
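Once VPN login events are forwarded to an external log store, they can be checked for the credential-guessing pattern this advisory describes: a burst of failed SSLVPN logins for one account from one source, followed by a success. The script below is an added example (not Solace Cyber's or SonicWall's code) that runs that check over constructed sample lines; the key=value layout, field names and message strings are assumptions made for the example, not SonicWall's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a generic key=value syslog style. The field
# names (time, msg, usr, src) and message texts are assumptions for this example.
SAMPLE_LOGS = """\
time="2024-08-29 02:14:01" msg="SSLVPN login failed" usr="jsmith" src=203.0.113.7
time="2024-08-29 02:14:03" msg="SSLVPN login failed" usr="jsmith" src=203.0.113.7
time="2024-08-29 02:14:05" msg="SSLVPN login failed" usr="jsmith" src=203.0.113.7
time="2024-08-29 02:14:08" msg="SSLVPN login failed" usr="jsmith" src=203.0.113.7
time="2024-08-29 02:14:12" msg="SSLVPN login failed" usr="jsmith" src=203.0.113.7
time="2024-08-29 02:14:20" msg="SSLVPN login succeeded" usr="jsmith" src=203.0.113.7
time="2024-08-29 09:00:00" msg="SSLVPN login failed" usr="avillas" src=198.51.100.4
time="2024-08-29 09:30:00" msg="SSLVPN login succeeded" usr="avillas" src=198.51.100.4
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag each successful SSLVPN login that was preceded by at least
    `threshold` failures for the same user from the same source within `window`.
    Returns a list of alert dicts (user, source, failure count, success time)."""
    failures = defaultdict(list)  # (usr, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SSLVPN login" not in f.get("msg", ""):
            continue  # not a VPN authentication event
        ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        key = (f["usr"], f["src"])
        # drop failures that have aged out of the sliding window
        recent = [t for t in failures[key] if ts - t <= window]
        if f["msg"].endswith("failed"):
            recent.append(ts)
            failures[key] = recent
        elif f["msg"].endswith("succeeded"):
            if len(recent) >= threshold:
                alerts.append({"usr": key[0], "src": key[1],
                               "failures": len(recent), "time": f["time"]})
            failures[key] = []  # reset after a success so each burst alerts once
    return alerts
```

A burst of failures with no success is also worth alerting on separately, since a spray that has not yet landed is the point at which MFA and lockout policy still help.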
