Recently, a sharp increase in cyber attacks has been observed across Australia and New Zealand, where the Akira ransomware group is exploiting vulnerabilities in SonicWall SSL-VPN devices, notably the CVE-2024-40766 flaw. Cybersecurity firms and the Australian Cyber Security Centre (ACSC) have issued warnings.
What is the Akira Group?
Akira is a ransomware-as-a-service (RaaS) syndicate that first emerged in March 2023. It attacks organisations of all sizes across many sectors, stealing sensitive data, encrypting systems, and demanding ransom. Since its start, Akira has caused major losses globally and is notorious for moving very fast, from gaining initial access to encryption and data theft.
What is SonicWall?
SonicWall is a U.S.-based cybersecurity company that specialises in a range of security solutions, including firewalls, virtual private networks (VPNs), and network security. Small-to-medium businesses (SMBs) and large enterprises widely use their products to protect their networks from cyber threats. The devices at the centre of this particular vulnerability are their SSL VPN products, which are used to provide secure remote access for employees.
What Happened — In Simple Terms
- Firstly, Akira is exploiting a known, high-severity vulnerability (CVE-2024-40766) in SonicWall SSL-VPN features.
- Secondly, issues like misconfigurations, weak or default credentials, or exposed services (such as Virtual Office Portal) allow attackers to compromise even fully patched SonicWall devices.
- Thirdly, MFA (multi-factor authentication), where enabled, has sometimes been undermined due to these access or configuration gaps.
- Finally, attackers are gaining access via SSL-VPN connections, moving quickly from entry to data exfiltration or encryption. So for many victims, ransomware deployment happens within hours.
What Australian Businesses Should Do
Here are immediate steps you should take to protect your organisation:
- Patch your SonicWall devices
Upgrade to the latest supported firmware/software versions. Update any devices affected by the CVE-2024-40766 vulnerability.
- Audit and change credentials
Replace default passwords. Remove or disable accounts that are not needed. Rotate credentials, especially for local user accounts with VPN access.
- Enforce strong MFA for all remote access
Enable and correctly configure multi-factor authentication. Don't assume that having MFA is sufficient; check that it cannot be bypassed via exposed portals.
- Limit exposure of remote access services
Restrict access to Virtual Office Portals or SSL-VPN services to known IP addresses or networks whenever possible. If you don't need remote access, disable it temporarily.
- Enable logging and monitoring
Monitor login attempts, especially from unusual locations or VPS hosting providers. Review logs for signs of compromise. Maintain backups and test recovery plans.
- Prepare an Incident Response plan
Have your cybersecurity team or external consultant ready. Know who to call, how to isolate compromised systems, and how to communicate with stakeholders if a breach occurs.
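As an added illustration of the logging-and-monitoring step (example code written for this page, not a SonicWall or Netcomp tool), the script below scans constructed SSL-VPN login events and flags successful logins that come from outside a known-network allowlist, use a local appliance account, or follow a run of failed attempts. The log layout, network ranges and account names are all assumed; a real appliance export has different field names, so the regular expression must be adapted to it.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample lines in an assumed syslog-like layout; real SonicWall
# exports use different field names, so adapt LINE_RE to the actual format.
SAMPLE_LOGS = """\
2025-09-10T02:14:05Z vpn: msg="SSL VPN login failed" user="admin" src=203.0.113.45
2025-09-10T02:14:09Z vpn: msg="SSL VPN login failed" user="admin" src=203.0.113.45
2025-09-10T02:14:12Z vpn: msg="SSL VPN login failed" user="admin" src=203.0.113.45
2025-09-10T02:14:20Z vpn: msg="SSL VPN login succeeded" user="admin" src=203.0.113.45
2025-09-10T08:01:00Z vpn: msg="SSL VPN login succeeded" user="j.smith" src=198.51.100.7
2025-09-10T09:30:44Z vpn: msg="SSL VPN login succeeded" user="svc-backup" src=192.0.2.99
"""
# Constructed allowlist of networks remote staff are expected to connect from.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Accounts defined locally on the appliance rather than in the directory (assumed names).
LOCAL_ACCOUNTS = {"admin", "svc-backup"}
FAILURE_THRESHOLD = 3  # failures before a success that suggest password guessing

LINE_RE = re.compile(r'^(?P<ts>\S+) vpn: msg="SSL VPN login (?P<result>failed|succeeded)" '
                     r'user="(?P<user>[^"]+)" src=(?P<src>\S+)$')

def find_suspicious_logins(logs, known=KNOWN_NETWORKS, local=LOCAL_ACCOUNTS,
                           threshold=FAILURE_THRESHOLD):
    """Return [(user, src, [reasons])] for successful logins an analyst should review."""
    failures = defaultdict(int)  # consecutive failures per (user, src)
    findings = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        user, src, result = m["user"], m["src"], m["result"]
        if result == "failed":
            failures[(user, src)] += 1
            continue
        reasons = []
        if not any(ipaddress.ip_address(src) in net for net in known):
            reasons.append("source outside known networks")
        if user in local:
            reasons.append("local appliance account")
        if failures[(user, src)] >= threshold:
            reasons.append(f"{failures[(user, src)]} failures before success")
        failures[(user, src)] = 0  # a success resets the counter for this pair
        if reasons:
            findings.append((user, src, reasons))
    return findings

for user, src, reasons in find_suspicious_logins(SAMPLE_LOGS):
    print(f"review: {user} from {src}: {', '.join(reasons)}")
```

Run against the constructed sample, it reports the admin login that followed three failures from an unknown address and the local service account logging in from outside the allowlist, while the directory user on a known network is not flagged.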
Conclusion
Because the Akira gang is exploiting not just old vulnerabilities but also configuration gaps, businesses cannot afford complacency. Even if your SonicWall devices are patched, improperly configured access or weak credentials can leave you vulnerable. For Australian businesses, taking immediate action—patching, enforcing MFA, auditing access—is essential.
Contact Netcomp Solutions today to secure your network before attackers find a way in.