Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully authenticating despite OTP MFA being enabled on accounts. Researchers suspect this may be done using previously stolen OTP seeds, although the exact method remains unconfirmed at this time.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN devices to breach corporate networks, leading researchers to suspect that a zero-day flaw was being exploited to compromise these devices.
However, SonicWall eventually linked the attacks to an improper access control flaw tracked as CVE-2024-40766 that was disclosed in September 2024.
While the flaw was patched in August 2024, threat actors have continued to use credentials previously stolen from exploited devices, even after the security updates had been applied.
After linking the attacks to credentials stolen using CVE-2024-40766, SonicWall urged administrators to reset all SSL VPN credentials and ensure that the latest SonicOS firmware was installed on their devices.
New research shows MFA bypassed
Cybersecurity firm Arctic Wolf now reports observing an ongoing campaign against SonicWall firewalls, where threat actors are successfully logging into accounts even when one-time password (OTP) multi-factor authentication is enabled.
The report indicates that multiple OTP challenges were issued for account login attempts, followed by successful logins, suggesting that threat actors may have also compromised OTP seeds or discovered another method to generate valid tokens.
Source: Arctic Wolf
“SonicWall links the malicious logins observed in this campaign to CVE-2024-40766, an improper access control vulnerability identified a year ago,” explains Arctic Wolf.
“From this perspective, credentials would have likely been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even when those same devices had been patched. Threat actors in the recent campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.”
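The pattern Arctic Wolf describes, several OTP challenges for one account in a short window and then a successful login, is something a defender can hunt for in VPN authentication logs. The following is an added example, not code from Arctic Wolf, SonicWall or the article; the log line layout (timestamp, user, source IP, event) is constructed for illustration and does not mirror any real SonicOS message format, and the thresholds are assumptions to tune per environment.

```python
"""Flag VPN accounts where several OTP challenges precede a successful login.

Added example; the log format and thresholds are constructed assumptions,
not SonicOS output or Arctic Wolf's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: <timestamp> <user> <source_ip> <event>
SAMPLE_LOG = """\
2025-09-01T02:14:05Z alice 203.0.113.10 OTP_CHALLENGE
2025-09-01T02:14:20Z alice 203.0.113.10 OTP_CHALLENGE
2025-09-01T02:14:41Z alice 203.0.113.10 OTP_CHALLENGE
2025-09-01T02:14:55Z alice 203.0.113.10 LOGIN_SUCCESS
2025-09-01T08:30:00Z bob 198.51.100.7 OTP_CHALLENGE
2025-09-01T08:30:25Z bob 198.51.100.7 LOGIN_SUCCESS
2025-09-01T09:00:00Z carol 198.51.100.9 OTP_CHALLENGE
2025-09-01T09:00:30Z carol 198.51.100.9 OTP_CHALLENGE
2025-09-01T09:01:00Z carol 198.51.100.9 LOGIN_FAILURE
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    return events


def find_suspicious_logins(events, min_challenges=2, window=timedelta(minutes=5)):
    """Return (user, ip, challenge_count, login_time) for every successful login
    that was preceded by at least `min_challenges` OTP challenges from the same
    user/IP pair within `window`. A normal MFA login issues one challenge, so
    repeated challenges followed by success is the anomaly worth reviewing."""
    pending = defaultdict(list)  # (user, ip) -> timestamps of recent challenges
    hits = []
    for ts, user, ip, event in sorted(events):
        key = (user, ip)
        # Keep only challenges that are still inside the sliding window.
        pending[key] = [t for t in pending[key] if ts - t <= window]
        if event == "OTP_CHALLENGE":
            pending[key].append(ts)
        elif event == "LOGIN_SUCCESS":
            if len(pending[key]) >= min_challenges:
                hits.append((user, ip, len(pending[key]), ts))
            pending[key].clear()
        elif event == "LOGIN_FAILURE":
            # A failed login ends the attempt; start counting afresh.
            pending[key].clear()
    return hits


if __name__ == "__main__":
    for user, ip, count, when in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user}@{ip}: {count} OTP challenges before success")
```

On the constructed input only `alice` is flagged (three challenges inside five minutes, then success); `bob` is a normal one-challenge login and `carol` never succeeds. A hit is a lead for review rather than proof of compromise, and the response the article and SonicWall recommend, resetting credentials (and with them the OTP enrolment) on devices that ever ran vulnerable firmware, applies regardless of whether the detection fires.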
While the researchers say it is unclear how Akira affiliates are authenticating to MFA-protected accounts, a separate report from Google Threat Intelligence Group in July described similar abuse of SonicWall VPNs.
In that campaign, a financially motivated group tracked as UNC6148 deployed the OVERSTEP rootkit on SMA 100 series appliances by using what they believe are previously stolen OTP seeds, allowing access even after patches had been applied.
Google believes that the threat actors were using stolen one-time password seeds that were previously obtained in zero-day attacks, but is unsure which CVE was exploited.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances,” warned Google.
“GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
Once inside, Arctic Wolf reports that Akira moved very quickly, often scanning the internal network within five minutes. The researchers note that the threat actors also employed Impacket SMB session setup requests, RDP logins, and the enumeration of Active Directory objects using tools such as dsquery, SharpShares, and BloodHound.
A particular focus was on Veeam Backup & Replication servers, where a custom PowerShell script was deployed to extract and decrypt stored MSSQL and PostgreSQL credentials, along with DPAPI secrets.
To evade security software, affiliates conducted a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack by abusing Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that loaded vulnerable drivers (rwdrv.sys, churchill_driver.sys).
These drivers were used to disable endpoint security processes, allowing the ransomware encryptors to run without being blocked.
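Both halves of the evasion chain described above leave telemetry that endpoint logging already collects: an image-load event when consent.exe picks up a DLL from somewhere it should not, and a driver-load event when a kernel driver is loaded from a user-writable directory. The following is an added example of a triage rule over such events, not code from Arctic Wolf or the article; the event records are constructed to resemble Sysmon image-load (ID 7) and driver-load (ID 6) data, but the field names are assumptions and not Sysmon's schema. The only specifics taken from the report are the two driver file names.

```python
"""Triage rule for the consent.exe DLL-sideload and BYOVD indicators.

Added example; event layout is a constructed stand-in for Sysmon IDs 6 and 7.
"""
import ntpath

# Driver file names named in the Arctic Wolf report. Name matching is weak
# (an attacker can rename a file), so treat it as a lead; blocking by hash or
# via a vendor vulnerable-driver blocklist is the durable control.
KNOWN_BAD_DRIVERS = {"rwdrv.sys", "churchill_driver.sys"}

# consent.exe is the UAC prompt binary and lives in System32; a legitimate copy
# has no reason to load DLLs from outside the Windows directory.
WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry (hypothetical paths).
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Windows\System32\consent.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 7, "image": r"C:\Windows\System32\consent.exe",
     "loaded": r"C:\Users\Public\payload.dll"},
    {"id": 6, "driver": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 6, "driver": r"C:\ProgramData\rwdrv.sys"},
    {"id": 6, "driver": r"C:\Windows\Temp\x.sys"},
]


def _norm(path):
    """Case-fold a Windows path for prefix comparison."""
    return path.lower()


def check_image_load(ev):
    """Return an alert string if consent.exe loaded a DLL from outside C:\\Windows, else None."""
    if ntpath.basename(ev["image"]).lower() != "consent.exe":
        return None
    if not _norm(ev["loaded"]).startswith(WINDOWS_DIR):
        return f"consent.exe loaded DLL outside Windows directory: {ev['loaded']}"
    return None


def check_driver_load(ev):
    """Return a list of reasons a driver-load event deserves attention (empty if none)."""
    name = ntpath.basename(ev["driver"]).lower()
    path = _norm(ev["driver"])
    reasons = []
    if name in KNOWN_BAD_DRIVERS:
        reasons.append("driver name matches report IoC")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    return reasons


def scan(events):
    """Run both checks over a list of events and collect alert strings."""
    alerts = []
    for ev in events:
        if ev["id"] == 7:
            alert = check_image_load(ev)
            if alert:
                alerts.append(alert)
        elif ev["id"] == 6:
            for reason in check_driver_load(ev):
                alerts.append(f"{reason}: {ev['driver']}")
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

On the constructed events the rule raises four alerts: the DLL loaded by consent.exe from `C:\Users\Public`, two for `rwdrv.sys` (name match and user-writable path) and one for the unnamed driver in `C:\Windows\Temp`. The path-based driver check is the more general of the two and catches the case the report warns about, a renamed or not-yet-catalogued vulnerable driver dropped into a writable location.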
The report stresses that some of these attacks impacted devices running SonicOS 7.3.0, which is the recommended release SonicWall urged admins to install to mitigate the credential attacks.
Admins are strongly urged to reset all VPN credentials on any device that previously ran vulnerable firmware, as even when updated, attackers can continue to use stolen accounts to gain initial access to corporate networks.