Cloud Threat Landscape

Made with 💙 by Wiz

Last Updated: April 3, 2025


Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN

Type: Campaign
Actors: Unknown
Pub. date: August 6, 2025
Initial access: 1-day vulnerability
Impact: RansomOp
Observed techniques: Vulnerability exploitation, MFA bypass
Observed tools: Akira ransomware
Targeted technologies: SonicWall firewall
References: https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
Status: Finalized
Last edited: Aug 7, 2025 12:51 PM

Researchers identified active exploitation of CVE-2024-40766 in SonicWall's seventh-generation firewalls, specifically impacting SSL VPN functionality. Threat actors are bypassing multi-factor authentication (MFA), gaining privileged access, and deploying Akira ransomware.

The attacks target SonicWall TZ and NSa-series firewalls running firmware versions 7.2.0-7015 or earlier, exploiting CVE-2024-40766. The compromise begins at the perimeter, allowing attackers to bypass MFA and gain access using over-privileged service accounts (e.g., sonicwall, LDAPAdmin). Once inside, attackers establish persistence using Cloudflared tunnels, OpenSSH, and RMM tools like AnyDesk, and pivot laterally using WMI, PowerShell Remoting, and brute-forced RDP sessions.

The post-exploitation phase is fast and methodical: attackers exfiltrate credentials (e.g., from Veeam and NTDS.dit), disable defenses using Set-MpPreference and netsh, and delete recovery artifacts with vssadmin.exe. The final payload is the Akira ransomware, typically deployed only after the Volume Shadow Copies have been wiped.
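As an added example (not from the Huntress report or this Wiz entry), the Python scanner below flags the post-exploitation commands the entry names (Set-MpPreference tampering, netsh firewall changes, vssadmin shadow-copy deletion, NTDS.dit access) in constructed process-creation events and then lists hosts where more than one stage of that chain fired; the rule names, regexes and sample events are assumptions of mine.

```python
import re

# Constructed sample process-creation events (host, parent process, command line);
# not taken from any real incident telemetry.
SAMPLE_EVENTS = [
    ("srv-01", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("srv-01", "wmiprvse.exe",
     'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("srv-01", "cmd.exe", "netsh advfirewall set allprofiles state off"),
    ("dc-01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("dc-01", "cmd.exe", "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\"),
]

# Detection rules: (rule name, ATT&CK technique, case-insensitive regex on the
# command line). Names and patterns are illustrative, not a vendor ruleset.
RULES = [
    ("defender_tamper", "T1562.001", r"set-mppreference\b.*-disable\w*"),
    ("firewall_off", "T1562.004", r"netsh\b.*advfirewall\b.*state\s+off"),
    ("shadow_copy_delete", "T1490", r"vssadmin(\.exe)?\b.*delete\s+shadows"),
    ("ntds_access", "T1003.003", r"ntds\.dit"),
]


def scan_events(events):
    """Return one finding per (event, rule) pair whose command line matches."""
    findings = []
    for host, parent, cmdline in events:
        for name, technique, pattern in RULES:
            if re.search(pattern, cmdline, re.IGNORECASE):
                findings.append({"host": host, "rule": name, "technique": technique,
                                 "parent": parent, "cmdline": cmdline})
    return findings


def hosts_with_chain(findings, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired, i.e. the
    defense-evasion plus recovery-wiping sequence rather than a lone hit."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['rule']} ({h['technique']}) <- {h['cmdline']}")
    print("hosts with chained activity:", hosts_with_chain(hits))
```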