{"id":10549,"date":"2025-10-11T13:29:02","date_gmt":"2025-10-11T06:29:02","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10549"},"modified":"2026-02-05T13:29:09","modified_gmt":"2026-02-05T06:29:09","slug":"lo-hong-cve-2024-40766-tren-sonicwall-vpn-bi-nhom-akira-khai-thac-tren-dien-rong","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/11\/lo-hong-cve-2024-40766-tren-sonicwall-vpn-bi-nhom-akira-khai-thac-tren-dien-rong\/","title":{"rendered":"CVE-2024-40766 vulnerability in SonicWall VPN exploited at scale by the Akira group"},"content":{"rendered":"<p><b>An organized attack campaign run by the Akira hacker group has been targeting SonicWall SSL VPN devices worldwide since July 2025. The group abuses CVE-2024-40766, a vulnerability that has existed for more than a year in the SonicWall SonicOS operating system, to penetrate deep into the network infrastructure of enterprises across many different sectors. 
Investigation data shows the attacks were deliberate and used a sophisticated chain of techniques, from credential harvesting to data theft, reflecting the professionalism and complex operational capability of the Akira group.<\/b><\/p>\n<div style=\"text-align: center\">\n<img fetchpriority=\"high\" decoding=\"async\" class=\"bbImage\" title=\"SonicWall VPN.png\" src=\"https:\/\/whitehat.vn\/attachments\/sonicwall-vpn-png.17732\/\" alt=\"SonicWall VPN.png\" width=\"700\" height=\"390\" \/>\n<\/div>\n<p>The campaign centres on CVE-2024-40766, an improper access control flaw in the SonicWall SonicOS operating system that affects Gen 5, Gen 6 and Gen 7 devices running version 7.0.1-5035 and earlier. Although it was disclosed and patched in August 2024, the vulnerability is still being exploited by Akira-affiliated groups operating under a malware-as-a-service model. 
Reusing an old but widespread weakness in enterprise VPN infrastructure shows the attackers' flexibility and deep understanding of the target environment, as well as their ability to fully exploit gaps in patch management to scale up their intrusions.<\/p>\n<p>On 20 August 2025, Darktrace's monitoring systems detected a chain of anomalous activity originating from SonicWall SSL VPN devices. The attack began at 05:10 UTC with deliberate reconnaissance steps aimed at gathering information about the structure of the network infrastructure. The attackers sent large numbers of requests to the endpoint mapper service and used network scanning tools to identify active hosts and services. 
Once they had mapped the environment, they moved laterally by abusing Windows remote management services, establishing access to the domain controllers and extending their control across the entire internal network.<\/p>\n<p>Notably, the attackers used an advanced credential theft technique called \u201cUnPAC the hash\u201d, which abuses the Kerberos authentication mechanism to extract NTLM hashes from service access requests and then reuses those hashes to move laterally and escalate privileges within the network. Analysis shows that at least 15 sets of credentials were stolen, enabling deep control of the environment and the deployment of command-and-control infrastructure. After establishing C2, the attackers downloaded malware and exfiltrated the stolen data.<\/p>\n<p>Forensic traces show an attack chain that was sophisticated in both its disguise and its exfiltration. 
The attackers deployed an executable packaged under the name of a legitimate VMware tool, brought the file onto systems with wget or via remote management, and then ran it on the target hosts, including ESXi, to open up access, collect sensitive information and bundle the data into chunks for exfiltration.<\/p>\n<p>The data was transferred out over encrypted channels such as SSH or HTTPS to the command-and-control infrastructure. Network analysis showed large-volume transfer sessions and unusual connections from internal hosts to external addresses such as 137.184.243.69 and 66.165.243.39, and the TLS patterns and SSH sessions did not match the systems' normal behaviour, making these important network indicators for detecting abnormal outbound data transfers. 
From a monitoring and investigation standpoint, technical traces such as the spoofed file names, the wget commands, the hashes of the executable, the large SSH sessions, PCAP records containing the anomalous connections and the C2 server addresses should be fed into detection rules, log correlation and digital forensics procedures. This makes it possible to quickly identify and isolate compromised machines and block the outbound data flow.<\/p>\n<p>Shortly after the first incident, researchers discovered three more cases with the same attack characteristics, all targeting SonicWall VPN infrastructure in the United States. That CVE-2024-40766 is still being exploited more than a year after a patch was released clearly reflects gaps in enterprise patch management. 
With VPNs serving as a critical gateway for remote connections into internal systems, delaying updates or skipping security patches not only opens the door to malware but also threatens the entire defensive chain, exposing the organization to data loss, operational disruption and lasting reputational damage.<\/p>\n<div style=\"text-align: right\"><b><i>According to Cyber Press<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/lo-hong-cve-2024-40766-tren-sonicwall-vpn-bi-nhom-akira-khai-thac-tren-dien-rong.18826\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/lo-hong-cve-2024-40766-tren-sonicwall-vpn-bi-nhom-akira-khai-thac-tren-dien-rong.18826\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>An organized attack campaign run by the Akira hacker group has been targeting SonicWall SSL VPN devices worldwide since July 2025. 
The group abuses CVE-2024-40766, a vulnerability that has existed for more than a year in the SonicWall SonicOS operating system, to penetrate deep [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10549","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10549"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10549\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}