Over the past week, a large number of attacks by the ransomware group Akira have been reported, where the initial attack vector seems to be SonicWall firewalls (Gen 7 and newer) with SSLVPN enabled. Yesterday, SonicWall issued updated guidance on the activity. The guidance states that SonicWall believes this activity is not connected to a zero-day vulnerability, but is rather associated with a previously reported vulnerability, CVE-2024-40766, addressed in SonicWall’s public advisory SNWLID-2024-0015.

The guidance goes on to “strongly urge” SonicWall customers to employ the following measures:

• Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional multi-factor authentication (MFA) controls. SonicWall has provided a firmware update guide. 
• Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
• Continue applying the previously recommended best practices: 
  • Enable Botnet Protection and Geo-IP Filtering.
  • Remove unused or inactive user accounts.
  • Enforce MFA and strong password policies.

Previously, on August 4, SonicWall had recommended the following:

• Disable SSLVPN services where practical.
• Limit SSLVPN connectivity to trusted source IPs.
• Enable security services. 
  • Activate services such as Botnet Protection and Geo-IP Filtering.
  • These help detect and block known threat actors targeting SSLVPN endpoints.
• Enforce MFA.
  • Enable MFA for all remote access to reduce the risk of credential abuse.
• Remove unused accounts.
  • Delete any inactive or unused local user accounts on the firewall
  • Pay special attention to those with SSLVPN access.
• Practice good password hygiene.
  • Encourage regular password updates across all user accounts.

Contact Shook’s Cybersecurity and Incident Response team at with any questions.