Ongoing Akira ransomware assaults focusing on SonicWall SSL VPN units proceed to evolve, with the risk actors discovered to be efficiently logging in regardless of OTP MFA being enabled on accounts. Researchers suspect that this can be achieved by means of the usage of beforehand stolen OTP seeds, though the precise methodology stays unconfirmed.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN units to breach company networks, main researchers to suspect {that a} zero-day flaw was being exploited to compromise these units.
Nevertheless, SonicWall in the end linked the assaults to an improper entry management flaw tracked as CVE-2024-40766 that was disclosed in September 2024.
Whereas the flaw was patched in August 2024, risk actors have continued to make use of credentials beforehand stolen from exploited units, even after the safety updates have been utilized.
After linking the assaults to credentials stolen utilizing CVE-2024-40766, SonicWall urged directors to reset all SSL VPN credentials and be certain that the most recent SonicOS firmware was put in on their units.
New analysis reveals MFA bypassed
Cybersecurity agency Arctic Wolf now experiences observing an ongoing marketing campaign in opposition to SonicWall firewalls, the place risk actors are efficiently logging into accounts even when one-time password (OTP) multi-factor authentication is enabled.
The report signifies that a number of OTP challenges have been issued for account login makes an attempt, adopted by profitable logins, suggesting that risk actors might have additionally compromised OTP seeds or found an alternate option to generate legitimate tokens.
Supply: Arctic Wolf
“SonicWall hyperlinks the malicious logins noticed on this marketing campaign to CVE-2024-40766, an improper entry management vulnerability recognized a 12 months in the past,” explains Arctic Wolf.
“From this attitude, credentials would have probably been harvested from units weak to CVE-2024-40766 and later utilized by risk actors—even when those self same units have been patched. Menace actors within the current marketing campaign efficiently authenticated in opposition to accounts with the one-time password (OTP) MFA characteristic enabled.”
Whereas the researchers say it is unclear how Akira associates are authenticating to MFA-protected accounts, a separate report from Google Menace Intelligence Group in July described comparable abuse of SonicWall VPNs.
In that marketing campaign, a financially motivated group tracked as UNC6148 deployed the OVERSTEP rootkit on SMA 100 sequence home equipment by utilizing what they consider are beforehand stolen OTP seeds, permitting entry even after patches have been utilized.
Google believes that the risk actors have been using stolen one-time password seeds that have been beforehand obtained in zero-day assaults, however is uncertain which CVE was exploited.
“Google Menace Intelligence Group (GTIG) has recognized an ongoing marketing campaign by a suspected financially-motivated risk actor we monitor as UNC6148, focusing on totally patched end-of-life SonicWall Safe Cell Entry (SMA) 100 sequence home equipment,” warned Google.
“GTIG assesses with excessive confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen throughout earlier intrusions, permitting them to regain entry even after organizations have utilized safety updates.”
As soon as inside, Arctic Wolf experiences that Akira moved in a short time, usually scanning the inner community inside 5 minutes. The researchers word that the risk actors additionally employed Impacket SMB session setup requests, RDP logins, and the enumeration of Energetic Listing objects utilizing instruments comparable to dsquery, SharpShares, and BloodHound.
A specific focus was on Veeam Backup & Replication servers, the place a customized PowerShell script was deployed to extract and decrypt saved MSSQL and PostgreSQL credentials, together with DPAPI secrets and techniques.
To evade safety software program, associates carried out a Convey-Your-Personal-Weak-Driver (BYOVD) assault by abusing Microsoft’s reliable consent.exe executable to sideload malicious DLLs that loaded weak drivers (rwdrv.sys, churchill_driver.sys).
These drivers have been used to disable endpoint safety processes, permitting the ransomware encryptors to run with out being blocked.
The report stresses that a few of these assaults impacted units working SonicOS 7.3.0, which is the really helpful launch SonicWall urged admins to put in to mitigate the credential assaults.
Admins are strongly urged to reset all VPN credentials on any gadget that beforehand utilized weak firmware, as even when up to date, attackers can proceed to make use of stolen accounts to realize preliminary entry to company networks.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
