Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, allowing threat actors to breach corporate networks despite one-time password (OTP) multi-factor authentication being enabled. Researchers suspect that stolen OTP seeds or a zero-day flaw may be used to bypass MFA, although the exact method remains unconfirmed.
In July, BleepingComputer reported that Akira was exploiting SonicWall SSL VPN devices to breach networks, leading researchers to suspect a zero-day flaw. However, in September 2024 SonicWall linked the attacks to an improper access control flaw (CVE-2024-40766). Although the flaw was patched in August 2024, threat actors continue to use credentials stolen from devices while they were still vulnerable.
Arctic Wolf reports observing a campaign against SonicWall firewalls where threat actors successfully logged into accounts even when OTP MFA was enabled. Researchers believe that credentials were harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors.
The attacks are attributed to the Akira ransomware operation. Arctic Wolf notes that the attackers moved quickly, scanning internal networks within 5 minutes of gaining VPN access. The researchers also observed Impacket SMB session setup requests, RDP logins, and enumeration of Active Directory objects following initial access.
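As an added defender-side example (not code from the article or from Arctic Wolf), the following Python flags SSL VPN logins whose assigned address contacts many distinct internal hosts within five minutes of authenticating, the tempo the report describes. The log line format, the constructed sample events and the 10-host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real device logs). Assumed formats:
#   "<ISO ts> vpn_login user=<u> src=<ip> assigned=<vpn_pool_ip>"
#   "<ISO ts> conn src=<ip> dst=<ip> dport=<port>"
SAMPLE_EVENTS = [
    "2025-01-10T09:00:05 vpn_login user=jdoe src=203.0.113.7 assigned=10.20.0.51",
    "2025-01-10T09:00:30 vpn_login user=asmith src=198.51.100.9 assigned=10.20.0.52",
    # asmith makes one RDP connection, ten minutes after login: normal use
    "2025-01-10T09:10:00 conn src=10.20.0.52 dst=10.0.0.20 dport=3389",
] + [
    # jdoe's VPN address touches 20 distinct internal hosts on 445 within 2 minutes
    f"2025-01-10T09:0{1 + i // 10}:{(i % 10) * 5:02d} conn src=10.20.0.51 dst=10.0.0.{i + 1} dport=445"
    for i in range(20)
]


def parse(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, kind, *rest = line.split()
    fields = dict(f.split("=", 1) for f in rest)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields


def find_rapid_scans(lines, window=timedelta(minutes=5), min_hosts=10):
    """Return (user, assigned_ip, distinct_hosts) for each VPN login whose
    assigned address reached at least min_hosts distinct internal hosts
    within `window` of the login event."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    hits = []
    for login in (e for e in events if e["kind"] == "vpn_login"):
        deadline = login["ts"] + window
        targets = {
            e["dst"] for e in events
            if e["kind"] == "conn" and e["src"] == login["assigned"]
            and login["ts"] <= e["ts"] <= deadline
        }
        if len(targets) >= min_hosts:
            hits.append((login["user"], login["assigned"], len(targets)))
    return hits


if __name__ == "__main__":
    for user, ip, n in find_rapid_scans(SAMPLE_EVENTS):
        print(f"ALERT: {user} ({ip}) reached {n} internal hosts within 5 min of VPN login")
```

A hit is a trigger to review the session (source IP, MFA method, assigned address) and to force a credential reset, since the report indicates OTP alone did not stop these logins.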
Admins are strongly urged to reset all VPN credentials on devices that ran vulnerable firmware, as even updated systems can be compromised using stolen accounts. SonicWall also recommends installing the latest SonicOS firmware to mitigate credential attacks.
Source: https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts