Overview
- Rapid7 reports a recent spike in SonicWall-targeted breaches, saying Akira affiliates likely combine CVE-2024-40766, SSLVPN Default Users Group misconfiguration, and public Virtual Office Portal access.
- The Australian Cyber Security Centre confirms increased exploitation against vulnerable organizations using SonicWall SSL VPNs and attributes the activity to Akira.
- SonicWall rejects zero-day claims, ties the current activity to CVE-2024-40766, and as of early August cites fewer than 40 confirmed cases, largely linked to migrations without password resets.
- Mitigations urged include upgrading to SonicOS 7.3.0, rotating local SSLVPN credentials, enforcing MFA and account lockouts, setting the Default LDAP User Group to None, and restricting the Virtual Office Portal to internal access.
- Bitsight estimates more than 438,000 SonicWall devices remain publicly reachable, while incident responders describe a familiar playbook of credentialed VPN access, privilege escalation, data theft, backup disruption, and hypervisor-level encryption.
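As an added example (not SonicWall's tooling or anything from the sources summarized above), the script below encodes the urged mitigations as a fleet audit: each device is described by a constructed `DeviceSnapshot` whose fields, version-string form and sample names are assumptions for illustration rather than SonicOS's own export format, and `audit()` returns the list of mitigations a device still lacks. The version comparison handles the build suffix so that `7.2.1-7015` is correctly ranked below `7.3.0`.

```python
"""Audit SonicWall SSL VPN settings against the urged mitigations.

Added example, not SonicWall's own tooling. `DeviceSnapshot` is an assumed,
constructed representation of the relevant settings, not SonicOS's export
format; replace `load_snapshots()` with a real inventory source.
"""
from dataclasses import dataclass

# SonicOS 7.3.0 is the upgrade target named in the summary above.
REQUIRED_SONICOS = (7, 3, 0)


@dataclass
class DeviceSnapshot:
    name: str                              # placeholder device name
    sonicos_version: str                   # assumed form, e.g. "7.2.1-7015"
    default_ldap_user_group: str           # "None" is the recommended value
    virtual_office_portal_public: bool     # reachable from the internet?
    mfa_enforced: bool
    account_lockout_enabled: bool
    local_sslvpn_passwords_rotated: bool   # rotated after the migration?


def parse_version(text: str) -> tuple:
    """Turn '7.2.1-7015' or '7.3.0' into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0]              # drop the build suffix
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit(device: DeviceSnapshot) -> list:
    """Return the mitigations from the summary that this device has not applied."""
    findings = []
    if parse_version(device.sonicos_version) < REQUIRED_SONICOS:
        findings.append(f"upgrade SonicOS {device.sonicos_version} -> 7.3.0")
    if not device.local_sslvpn_passwords_rotated:
        findings.append("rotate local SSLVPN account passwords")
    if not device.mfa_enforced:
        findings.append("enforce MFA for SSLVPN users")
    if not device.account_lockout_enabled:
        findings.append("enable account lockout")
    if device.default_ldap_user_group.strip().lower() != "none":
        findings.append(
            f"set Default LDAP User Group to None "
            f"(currently {device.default_ldap_user_group!r})"
        )
    if device.virtual_office_portal_public:
        findings.append("restrict Virtual Office Portal to internal access")
    return findings


def load_snapshots() -> list:
    """Constructed sample inventory: placeholder names, not real devices."""
    return [
        DeviceSnapshot("fw-branch-01", "7.2.1-7015", "SSLVPN Services",
                       True, False, False, False),
        DeviceSnapshot("fw-hq-01", "7.3.0-7012", "None",
                       False, True, True, True),
    ]


def audit_fleet(snapshots=None) -> dict:
    """Map each device name to its outstanding mitigations."""
    snapshots = load_snapshots() if snapshots is None else snapshots
    return {d.name: audit(d) for d in snapshots}


if __name__ == "__main__":
    for name, findings in audit_fleet().items():
        status = "OK" if not findings else f"{len(findings)} gap(s)"
        print(f"{name}: {status}")
        for item in findings:
            print(f"  - {item}")
```

Running it prints the outstanding items per device; in the constructed inventory the branch firewall fails all six checks and the headquarters firewall passes. The `virtual_office_portal_public` field is the one to populate from the outside (for example from an external exposure scan of your own address space) rather than from device configuration, since the Bitsight figure above concerns public reachability.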