
Akira Ransomware: 4 Hours from VPN Login to Total Encryption

Summary

– Akira ransomware affiliates can breach organizations and deploy ransomware in under four hours using stolen SonicWall SSL VPN credentials.
– Attackers bypass multi-factor authentication and use tools like Impacket and RDP for network scanning, lateral movement, and accessing domain controllers.
– The intrusions exploit CVE-2024-40766, a SonicWall vulnerability, and reuse credentials from prior breaches even on patched systems.
– Organizations are advised to reset all credentials, monitor for anomalous activity, and block unauthorized tools to prevent attacks.
– Early detection is critical due to the rapid ransomware deployment, with attacks being opportunistic across various industries.

A new report from security researchers details the shockingly rapid timeline of Akira ransomware attacks, with threat actors achieving total network encryption in as little as four hours after initial VPN access. This accelerated attack sequence leaves organizations with an extremely narrow window for detection and response, underscoring the critical importance of proactive security measures against this opportunistic threat.

Arctic Wolf’s investigation reveals that attackers leverage previously stolen SonicWall SSL VPN credentials, somehow bypassing multi-factor authentication protections. Once inside, they execute a methodical and efficient compromise process. They immediately begin scanning the network to identify services and vulnerable accounts. Using tools like Impacket, they establish SMB sessions and utilize RDP for lateral movement across the compromised environment.

Their objective consistently involves locating and accessing the Domain Controller, along with virtual machine storage and backup systems. To solidify their control, they create new domain accounts, which are used to install remote management and monitoring (RMM) tools and facilitate data exfiltration. The attackers establish a command-and-control (C2) channel, then proceed to collect and steal sensitive data. Before deploying the final payload, they meticulously disable legitimate RMM and endpoint detection and response (EDR) tools, delete Volume Shadow Copies to prevent recovery, and clear event logs to hide their tracks. They often install WinRAR to compress data, which is then transferred to a controlled virtual private server using tools like rclone or FileZilla. The final step is the deployment of the Akira ransomware.

Initial access is traced back to the exploitation of a specific vulnerability, CVE-2024-40766, an improper access control flaw in SonicWall SonicOS. While a patch was released in August 2024, the problem persists. Many organizations upgraded their firewalls from Gen 6 to Gen 7 but failed to reset the passwords for local user accounts with SSL VPN access. The prevailing theory is that attackers harvested these credentials during quieter, earlier intrusions and are now reusing them against organizations that patched the flaw but never changed their passwords.

Researchers from Rapid7 have identified additional weaknesses being exploited. One involves a misconfiguration in the SSLVPN Default Users Group, which can automatically grant every authenticated LDAP user access to sensitive services. Another is the externally accessible Virtual Office Portal within the SonicOS management interface, which allows attackers to configure one-time password MFA on accounts they have compromised.

Arctic Wolf’s analysis noted repeated malicious logins on accounts with OTP MFA enabled, ruling out simpler attack methods. They found no evidence of malicious account use prior to the VPN login or any unauthorized OTP configuration changes in the days leading up to the attack. This evidence strongly suggests the use of valid credentials, though the precise method for bypassing MFA remains unclear. Currently, there is no indication that these intrusions are connected to a separate attack on SonicWall’s cloud backup service.

These attacks are not targeted; victim organizations come from various industries and sizes, indicating an opportunistic campaign. The incredibly short time to encryption makes early detection paramount. Security experts recommend several defensive actions. Organizations should monitor for, or ideally block, login attempts originating from VPS hosting providers. They must also watch for anomalous SMB activity indicative of Impacket use and unusual LDAP discovery attempts. Execution of network scanning and archival tools from unexpected server locations should raise immediate red flags. Using application control solutions to block unauthorized remote tools and deny execution from untrusted paths is also advised.
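Two of the detections recommended above (VPN logins from hosting-provider address space, and Impacket-style SMB execution or archive-tool activity on servers) can be expressed as simple log triage. The block below is an added example, not code from the report or from any vendor; the log formats, the VPS prefix list (RFC 5737 documentation ranges), the `ldapsync` account and the host names are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (hypothetical formats, not real SonicWall or Windows logs):
# SSL VPN login records and 4688-style process-creation events from servers.
VPN_LOGINS = [
    {"user": "jdoe", "src": "203.0.113.7"},
    {"user": "ldapsync", "src": "198.51.100.22"},
    {"user": "asmith", "src": "192.0.2.45"},
]
PROC_EVENTS = [
    {"host": "DC01", "cmd": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.12 2>&1"},
    {"host": "FS01", "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -r D:\out\fin.rar \\FS01\finance'},
    {"host": "WS42", "cmd": r"C:\Windows\explorer.exe"},
]

# Assumption: prefixes of VPS/hosting providers, maintained by the defender from ASN data.
# RFC 5737 documentation ranges stand in here.
VPS_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: accounts (e.g. the LDAP sync account) that should never log in over VPN.
NON_VPN_ACCOUNTS = {"ldapsync"}
SERVER_HOSTS = {"DC01", "FS01"}
# Impacket wmiexec/smbexec redirect command output through the local ADMIN$ or C$ share
# into a file named "__<timestamp>"; this pattern is rare in legitimate admin activity.
IMPACKET_RE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.I)
ARCHIVE_TOOLS = ("rar.exe", "winrar.exe", "7z.exe", "rclone.exe", "filezilla.exe")


def flag_vpn_logins(logins):
    """Return (user, src, reason) triples for logins that need an immediate look."""
    hits = []
    for rec in logins:
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in VPS_PREFIXES):
            hits.append((rec["user"], rec["src"], "login-from-vps-prefix"))
        if rec["user"] in NON_VPN_ACCOUNTS:
            hits.append((rec["user"], rec["src"], "non-vpn-account"))
    return hits


def flag_process_events(events):
    """Return (host, reason) pairs for Impacket-style execution or archiving on servers."""
    hits = []
    for ev in events:
        cmd = ev["cmd"]
        if IMPACKET_RE.search(cmd):
            hits.append((ev["host"], "impacket-style-output-redirect"))
        if ev["host"] in SERVER_HOSTS and any(t in cmd.lower() for t in ARCHIVE_TOOLS):
            hits.append((ev["host"], "archive-tool-on-server"))
    return hits


if __name__ == "__main__":
    print(flag_vpn_logins(VPN_LOGINS))
    print(flag_process_events(PROC_EVENTS))
```

In production the prefix list would be generated from ASN data and the events read from the SIEM; the scoring logic stays the same.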

A critical recommendation is for any organization that previously ran firmware versions vulnerable to CVE-2024-40766 to immediately reset all credentials stored on the firewall. This includes SSL VPN passwords and OTP MFA secrets for both local firewall accounts and any LDAP-synchronised Active Directory accounts with VPN access. Threat actors are actively abusing these stolen credentials even on fully patched devices. Resetting LDAP synchronization accounts is especially vital, as researchers have observed logins against these accounts despite them not being intended for VPN use.

(Source: HelpNet Security)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.