Ongoing Akira ransomware assaults focusing on SonicWall SSL VPN gadgets proceed to evolve, with the menace actors discovered to be efficiently logging in regardless of OTP MFA being enabled on accounts. Researchers suspect that this can be achieved via using beforehand stolen OTP seeds, though the precise technique stays unconfirmed.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN gadgets to breach company networks, main researchers to suspect {that a} zero-day flaw was being exploited to compromise these gadgets.
Nevertheless, SonicWall finally linked the assaults to an improper entry management flaw tracked as CVE-2024-40766 that was disclosed in September 2024.
Whereas the flaw was patched in August 2024, menace actors have continued to make use of credentials beforehand stolen from exploited gadgets, even after the safety updates have been utilized.
After linking the assaults to credentials stolen utilizing CVE-2024-40766, SonicWall urged directors to reset all SSL VPN credentials and be certain that the newest SonicOS firmware was put in on their gadgets.
New analysis exhibits MFA bypassed
Cybersecurity agency Arctic Wolf now stories observing an ongoing marketing campaign towards SonicWall firewalls, the place menace actors are efficiently logging into accounts even when one-time password (OTP) multi-factor authentication is enabled.
The report signifies that a number of OTP challenges have been issued for account login makes an attempt, adopted by profitable logins, suggesting that menace actors might have additionally compromised OTP seeds or found another solution to generate legitimate tokens.
Supply: Arctic Wolf
“SonicWall hyperlinks the malicious logins noticed on this marketing campaign to CVE-2024-40766, an improper entry management vulnerability recognized a 12 months in the past,” explains Arctic Wolf.
“From this angle, credentials would have doubtlessly been harvested from gadgets susceptible to CVE-2024-40766 and later utilized by menace actors—even when those self same gadgets have been patched. Risk actors within the current marketing campaign efficiently authenticated towards accounts with the one-time password (OTP) MFA function enabled.”
Whereas the researchers say it is unclear how Akira associates are authenticating to MFA-protected accounts, a separate report from Google Risk Intelligence Group in July described related abuse of SonicWall VPNs.
In that marketing campaign, a financially motivated group tracked as UNC6148 deployed the OVERSTEP rootkit on SMA 100 sequence home equipment by utilizing what they imagine are beforehand stolen OTP seeds, permitting entry even after patches have been utilized.
Google believes that the menace actors have been using stolen one-time password seeds that have been beforehand obtained in zero-day assaults, however is not sure which CVE was exploited.
“Google Risk Intelligence Group (GTIG) has recognized an ongoing marketing campaign by a suspected financially-motivated menace actor we monitor as UNC6148, focusing on absolutely patched end-of-life SonicWall Safe Cellular Entry (SMA) 100 sequence home equipment,” warned Google.
“GTIG assesses with excessive confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen throughout earlier intrusions, permitting them to regain entry even after organizations have utilized safety updates.”
As soon as inside, Arctic Wolf stories that Akira moved in a short time, typically scanning the interior community inside 5 minutes. The researchers word that the menace actors additionally employed Impacket SMB session setup requests, RDP logins, and the enumeration of Lively Listing objects utilizing instruments similar to dsquery, SharpShares, and BloodHound.
A selected focus was on Veeam Backup & Replication servers, the place a customized PowerShell script was deployed to extract and decrypt saved MSSQL and PostgreSQL credentials, together with DPAPI secrets and techniques.
To evade safety software program, associates carried out a Deliver-Your-Personal-Susceptible-Driver (BYOVD) assault by abusing Microsoft’s legit consent.exe executable to sideload malicious DLLs that loaded susceptible drivers (rwdrv.sys, churchill_driver.sys).
These drivers have been used to disable endpoint safety processes, permitting the ransomware encryptors to run with out being blocked.
The report stresses that a few of these assaults impacted gadgets operating SonicOS 7.3.0, which is the really useful launch SonicWall urged admins to put in to mitigate the credential assaults.
Admins are strongly urged to reset all VPN credentials on any gadget that beforehand utilized susceptible firmware, as even when up to date, attackers can proceed to make use of stolen accounts to realize preliminary entry to company networks.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration traits.