
SonicWall VPN Attacks Intensify, MFA Bypassed

Summary

– Akira ransomware actors are targeting SonicWall SSL VPN appliances using legacy vulnerability CVE-2024-40766 for initial access and credential harvesting.
– The attacks feature extremely short dwell times measured in hours, leaving a narrow window for effective response to ransomware threats.
– Threat actors successfully bypassed one-time password multi-factor authentication, likely by obtaining OTP seeds to generate valid tokens.
– Attackers used automated tooling for rapid lateral movement, initiating internal scanning within minutes of VPN access and employing BYOVD techniques to evade detection.
– Recommended defenses include monitoring for logins from hosting providers, blocking VPS infrastructure access, and restricting VPN logins from unauthorized countries.

A significant escalation in cyberattacks targeting SonicWall SSL VPN appliances has security professionals on high alert. A ransomware group known as Akira is actively exploiting these systems, successfully bypassing multi-factor authentication (MFA) protections in many instances. While initial speculation pointed to a new, undisclosed vulnerability, investigators have since identified a known flaw, CVE-2024-40766, as the primary entry point for these intrusions.

According to a recent analysis by Arctic Wolf, this particular vulnerability allows for improper access control, which threat actors leveraged to harvest user credentials. Alarmingly, the report indicates that even devices that received the relevant security patch could still be targeted using these stolen login details. The speed of these attacks is a major concern. The security firm noted that the dwell time, the period between initial compromise and the execution of the ransomware, is measured in mere hours, creating an exceptionally narrow window for defenders to respond effectively.

The attack sequence follows a recognizable pattern. Intruders typically initiate VPN client logins from IP addresses associated with commercial hosting providers. Once inside the network, they immediately begin internal scanning to map the environment. This is often followed by activity linked to the Impacket toolset for SMB and Active Directory discovery, allowing them to identify valuable targets and move laterally.

A particularly troubling aspect of this campaign is the successful circumvention of one-time password (OTP) MFA. Investigators observed repeated malicious logins on accounts that had OTP MFA enabled, yet there was no evidence of stolen “scratch” codes or unauthorized changes to the MFA configuration in the days leading up to the breach. This points toward the attackers using valid credentials to authenticate, though their precise method for defeating the second factor remains unclear. One plausible theory is that the threat actors managed to steal the OTP seeds themselves, which would allow them to generate valid, time-sensitive codes independently.

The operation displays signs of high automation. Arctic Wolf recorded numerous login attempts in rapid succession from a single VPN client IP address, targeting multiple user accounts. After gaining a foothold through the SSL VPN, the attackers move with remarkable speed, often beginning internal network scans within five minutes of a successful login. To further evade detection, they have employed Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, which help them disable security software on compromised machines.

For organizations relying on SonicWall SSL VPN, early detection is paramount. Security experts strongly recommend monitoring VPN logs for login attempts originating from autonomous system numbers (ASNs) tied to hosting providers. Additionally, watching for SMB session setup requests that match the patterns of the Impacket tool can provide an early warning of discovery activities. Proactive defense measures should include blocking VPN access from IP ranges associated with virtual private server (VPS) providers and anonymization services. It is also advisable to restrict VPN logins from geographic locations where the organization has no business operations.
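The detection signals described above (logins from hosting-provider ASNs, many accounts tried from one VPN client IP in quick succession, and logins from countries where the organization does not operate) can be expressed as simple log-analysis rules. The following is an added example written for this page; it is not code from the article or from Arctic Wolf. The log line format, the ASN/country lookup table, the set of hosting ASNs and the allowed-country list are all constructed assumptions; a real deployment would parse the appliance's actual syslog format and use a maintained IP-to-ASN/geo database.

```python
"""Detection heuristics for SSL VPN login logs.

Flags three of the signals the article recommends watching for:
  1. successful logins whose source IP belongs to a hosting/VPS ASN,
  2. bursts of distinct usernames tried from a single client IP,
  3. successful logins from countries outside the organization's footprint.
Log format, ASN table and country data below are constructed for this example
(hypothetical; not SonicWall's real log format or a real ASN database).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed lookup table: (network, ASN, AS name, country code).
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-HOSTING", "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-ISP", "US"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "EXAMPLE-VPS", "DE"),
]
HOSTING_ASNS = {64500, 64502}   # assumption: ASNs the org classifies as hosting/VPS
ALLOWED_COUNTRIES = {"US"}      # assumption: countries where the org operates

# Constructed sample log: "<ISO timestamp> vpn-login user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-09-01T02:00:01 vpn-login user=alice src=198.51.100.7 result=ok
2024-09-01T02:01:10 vpn-login user=alice src=203.0.113.5 result=ok
2024-09-01T02:01:15 vpn-login user=bob src=203.0.113.5 result=fail
2024-09-01T02:01:20 vpn-login user=carol src=203.0.113.5 result=fail
2024-09-01T02:01:25 vpn-login user=dave src=203.0.113.5 result=ok
2024-09-01T03:30:00 vpn-login user=erin src=192.0.2.9 result=ok
"""


def lookup(ip: str):
    """Return (asn, as_name, country) for an IP from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name, cc in ASN_TABLE:
        if addr in net:
            return asn, name, cc
    return None, "UNKNOWN", "ZZ"


def parse_log(text: str):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": fields["user"],
            "src": fields["src"],
            "ok": fields["result"] == "ok",
        })
    return events


def detect(events, window=timedelta(minutes=2), min_accounts=3):
    """Return a list of (rule, source_ip, subject, detail) alerts."""
    alerts = []
    per_src = defaultdict(list)
    for e in events:
        asn, name, cc = lookup(e["src"])
        if e["ok"] and asn in HOSTING_ASNS:
            alerts.append(("hosting_asn_login", e["src"], e["user"], f"AS{asn} {name}"))
        if e["ok"] and cc not in ALLOWED_COUNTRIES:
            alerts.append(("unexpected_country", e["src"], e["user"], cc))
        per_src[e["src"]].append(e)
    # Rule 2: >= min_accounts distinct usernames from one source inside `window`,
    # counting failures too, since spraying shows up mostly as failures.
    for src, evs in per_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                alerts.append(("multi_account_burst", src,
                               ",".join(sorted(users)), f"{len(users)} accounts"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the rules flag the three successful logins from hosting ranges, the same three for being outside the allowed countries, and one burst of four accounts from 203.0.113.5 within fifteen seconds; the login from the residential ISP range produces nothing. The thresholds (`window`, `min_accounts`) are starting points to tune against the organization's own baseline of legitimate logins.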

(Source: Info Security)
