
Akira Ransomware Bypasses MFA to Breach SonicWall VPNs

Summary

– Akira ransomware attacks are successfully bypassing OTP multi-factor authentication on SonicWall SSL VPN devices, potentially using stolen OTP seeds.
– These attacks are linked to CVE-2024-40766, an improper access control vulnerability that was patched in August 2024 and publicly disclosed in September 2024.
– Threat actors continue using credentials stolen from previously exploited devices even after security patches are applied, enabling ongoing network access.
– Once inside networks, attackers rapidly scan systems and deploy tools to disable endpoint protection and target Veeam Backup servers for credential extraction.
– SonicWall and researchers strongly recommend resetting all SSL VPN credentials on previously vulnerable devices, regardless of patching status, to prevent further breaches.

A sophisticated wave of Akira ransomware attacks is successfully infiltrating corporate networks by compromising SonicWall SSL VPN devices, even when multi-factor authentication (MFA) is fully enabled. Security experts tracking these incidents believe attackers are likely using stolen one-time password (OTP) seeds, allowing them to generate valid authentication tokens and bypass critical security layers. This development highlights a significant escalation in the group’s ability to maintain access despite organizations applying security patches and enforcing MFA.

Earlier this year, reports emerged that the Akira ransomware operation was actively exploiting SonicWall SSL VPN appliances. Initially, researchers suspected a zero-day vulnerability was being leveraged to gain entry. SonicWall later attributed the breaches to a specific improper access control vulnerability, identified as CVE-2024-40766, which was publicly disclosed and patched in the latter part of 2024. Despite the availability of a fix, attackers have continued to use credentials that were stolen from devices before the patch was applied.

Recent analysis from cybersecurity firm Arctic Wolf confirms an ongoing campaign where threat actors are logging into accounts protected by OTP-based MFA. The researchers observed multiple instances where login attempts correctly solved several OTP challenges, strongly indicating that the attackers either possess compromised OTP seeds or have discovered another method for generating legitimate tokens.

Arctic Wolf’s report states, “SonicWall has connected the malicious logins in this campaign to CVE-2024-40766. From this perspective, credentials were likely harvested from devices when they were vulnerable and are now being reused, even on devices that have since been patched. In the current campaign, threat actors are successfully authenticating to accounts that have the OTP MFA feature turned on.”

While the precise mechanism for bypassing MFA remains under investigation, a separate report from Google’s Threat Intelligence Group in July documented similar abuse of SonicWall VPNs. In that campaign, a financially motivated threat group tracked as UNC6148 deployed the OVERSTEP rootkit on SMA 100 series appliances. Google assesses with high confidence that UNC6148 is using previously stolen OTP seeds obtained during earlier intrusions, granting them persistent access even after security updates have been installed.

Once inside a network, the Akira actors move with remarkable speed. Arctic Wolf noted that internal network scanning often begins within just five minutes of initial access. The attackers use a suite of tools to expand their foothold, including Impacket for SMB session setups, RDP for remote logins, and utilities like dsquery, SharpShares, and BloodHound for enumerating Active Directory objects.

A key target in these intrusions has been Veeam Backup & Replication servers. The attackers deploy a custom PowerShell script designed to extract and decrypt stored credentials for MSSQL and PostgreSQL databases, including DPAPI secrets. To avoid detection, the affiliates also perform a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack: they abuse a legitimate Microsoft executable, `consent.exe`, to sideload malicious DLLs that in turn load vulnerable drivers such as `rwdrv.sys` and `churchill_driver.sys`. These drivers are used to systematically disable endpoint protection processes, clearing the way for the ransomware encryptors to execute without interference.
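The two post-access behaviours described above (internal scanning within minutes of a VPN login, and loading of the named vulnerable drivers) are concrete enough to turn into detection logic. The following is an added example, not code from Arctic Wolf, SonicWall or the original article; the event records are constructed for illustration and the field names (`vpn_login`, `net_conn`, `driver_load`, `src`, `dst`, `image`) are assumptions about a normalised telemetry feed rather than any vendor's log format. The first rule flags a VPN session that touches many distinct internal hosts shortly after authenticating; the second flags driver loads whose file name matches the drivers reported in the campaign.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): one VPN user fans out to six
# internal hosts within two minutes of logging in, one behaves normally, and a
# backup server later loads a driver with a name reported in the campaign.
SAMPLE_EVENTS = [
    {"ts": "2025-09-30T01:00:00", "type": "vpn_login", "user": "jdoe", "src": "10.200.0.15", "mfa": "otp_ok"},
    {"ts": "2025-09-30T01:01:40", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.10", "dport": 445},
    {"ts": "2025-09-30T01:01:41", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.11", "dport": 445},
    {"ts": "2025-09-30T01:01:41", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.12", "dport": 445},
    {"ts": "2025-09-30T01:01:42", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.13", "dport": 3389},
    {"ts": "2025-09-30T01:01:42", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.14", "dport": 389},
    {"ts": "2025-09-30T01:01:43", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.15", "dport": 445},
    # Outside the five-minute window: must not be counted toward the alert.
    {"ts": "2025-09-30T01:10:00", "type": "net_conn", "src": "10.200.0.15", "dst": "10.0.1.99", "dport": 445},
    # Benign user: two hosts over several minutes.
    {"ts": "2025-09-30T01:05:00", "type": "vpn_login", "user": "asmith", "src": "10.200.0.22", "mfa": "otp_ok"},
    {"ts": "2025-09-30T01:06:00", "type": "net_conn", "src": "10.200.0.22", "dst": "10.0.1.10", "dport": 443},
    {"ts": "2025-09-30T01:07:00", "type": "net_conn", "src": "10.200.0.22", "dst": "10.0.1.20", "dport": 445},
    # Driver loads on the backup server: one known-bad name, one legitimate.
    {"ts": "2025-09-30T01:20:00", "type": "driver_load", "host": "srv-veeam01", "image": "C:\\Windows\\Temp\\rwdrv.sys"},
    {"ts": "2025-09-30T01:20:05", "type": "driver_load", "host": "srv-veeam01", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
]

# Driver file names named in the article's description of the BYOVD step.
KNOWN_BYOVD_DRIVERS = {"rwdrv.sys", "churchill_driver.sys"}


def _t(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def rapid_fanout_after_vpn_login(events, window_s: int = 300, min_hosts: int = 5):
    """Alert when a freshly authenticated VPN source address connects to at
    least `min_hosts` distinct internal hosts within `window_s` seconds of the
    login event. Arctic Wolf reported scanning starting within five minutes,
    hence the default window; the host threshold is a tunable assumption."""
    alerts = []
    for login in (e for e in events if e["type"] == "vpn_login"):
        t0 = _t(login)
        hosts = {
            e["dst"]
            for e in events
            if e["type"] == "net_conn"
            and e["src"] == login["src"]
            and 0 <= (_t(e) - t0).total_seconds() <= window_s
        }
        if len(hosts) >= min_hosts:
            alerts.append({
                "user": login["user"],
                "src": login["src"],
                "distinct_hosts": len(hosts),
                "window_s": window_s,
            })
    return alerts


def suspicious_driver_loads(events):
    """Return driver-load events whose file name matches a known BYOVD driver.
    Matching on the base name catches the driver wherever it was dropped."""
    return [
        e for e in events
        if e["type"] == "driver_load"
        and PureWindowsPath(e["image"]).name.lower() in KNOWN_BYOVD_DRIVERS
    ]


if __name__ == "__main__":
    for a in rapid_fanout_after_vpn_login(SAMPLE_EVENTS):
        print("fan-out after VPN login:", a)
    for d in suspicious_driver_loads(SAMPLE_EVENTS):
        print("known vulnerable driver loaded:", d["host"], d["image"])
```

A name-based driver match is a narrow indicator: the same driver can be renamed, so in practice it should sit beside hash- or signer-based checks and a policy that blocks loading of drivers from user-writable paths. The fan-out rule, by contrast, keys on behaviour and will catch the scan regardless of which tooling produces it.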

Alarmingly, some of these successful attacks have impacted devices running SonicOS 7.3.0, the very firmware version that SonicWall recommended administrators install to protect against these credential-based attacks. This underscores that patching alone is insufficient if credentials harvested prior to the update are still in circulation.

Security administrators are strongly urged to reset all VPN credentials on any device that previously ran vulnerable firmware. Simply applying patches does not invalidate stolen credentials, meaning attackers can continue to use them for initial network access until every password and token secret is changed.
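Why a stolen OTP seed defeats MFA, and why the reset has to cover the token secret as well as the password, is easiest to see with the TOTP algorithm itself (RFC 6238). The example below is added here and is not code from SonicWall, Arctic Wolf or the article; the `VpnAccount` class is a hypothetical model of a VPN user record, not any appliance's implementation, and the password hashing and seed sizes are assumptions. Anyone holding a copy of the seed can compute the same six-digit code the user's authenticator shows, so an appliance cannot tell the two apart; only generating a fresh seed invalidates the copy.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HMAC of the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, step: int = 30, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its immediate neighbours (clock skew)."""
    for drift in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * step, step), submitted):
            return True
    return False


class VpnAccount:
    """Hypothetical VPN user record: salted password hash plus an OTP seed."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.otp_seed = secrets.token_bytes(20)  # 160-bit seed, as used with SHA-1 TOTP

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        return pw_ok and verify_totp(self.otp_seed, code, now)

    def reset_credentials(self, new_password: str) -> None:
        """Rotate BOTH factors: new password AND a freshly generated OTP seed."""
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(new_password, self.salt)
        self.otp_seed = secrets.token_bytes(20)


def demo(now: int = 1_700_000_000) -> dict:
    """Model credentials copied off a device while it was vulnerable, then show
    what a full reset (password + seed) does to that copy."""
    acct = VpnAccount("jdoe", "Winter2024!")
    stolen_password, stolen_seed = "Winter2024!", acct.otp_seed  # attacker's copy

    # The copied seed produces a code the appliance accepts: MFA is "solved".
    before = acct.login(stolen_password, totp(stolen_seed, now), now)

    # Full reset: even with the NEW password, a code from the old seed fails,
    # while a code from the freshly issued seed succeeds.
    acct.reset_credentials("Spring2025!")
    old_seed_after = acct.login("Spring2025!", totp(stolen_seed, now), now)
    new_seed_after = acct.login("Spring2025!", totp(acct.otp_seed, now), now)

    return {
        "stolen_copy_accepted_before_reset": before,
        "old_seed_accepted_after_full_reset": old_seed_after,
        "new_seed_accepted_after_full_reset": new_seed_after,
    }


if __name__ == "__main__":
    print(demo())
```

The middle result is the point of the article's remediation advice: changing passwords alone leaves the second factor exactly as strong as the attacker's copy of the seed, so the OTP secret on every account that existed on a once-vulnerable device needs to be re-enrolled, not just the password rotated.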

(Source: Bleeping Computer)
