Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Arctic Wolf security research. Show all posts
cybersecurity research
Akira Akira Ransomware Arctic Wolf Arctic Wolf security research CVE CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity research

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.  

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.
Read more »
Vulnerabilities and Exploits
Akira Ransomware Arctic Wolf security research CVE-2024-40766 exploit Ransomware SonicWall SSL VPN vulnerability Vulnerabilities and Exploits

Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit

 

Akira ransomware affiliates need less than four hours to breach organizations and launch attacks, according to researchers at Arctic Wolf. The group is exploiting stolen SonicWall SSL VPN credentials and has reportedly found ways to bypass multi-factor authentication (MFA).

Once inside, attackers quickly begin scanning networks to identify services and weak accounts. They leverage Impacket to establish SMB sessions, use RDP for lateral movement, and eventually target Domain Controllers, virtual machine storage, and backups. Additional accounts, including domain accounts, are created to install remote monitoring and management (RMM) tools and enable data theft. The process also includes establishing command-and-control channels, exfiltrating sensitive data, disabling legitimate RMM and EDR tools, deleting shadow copies and event logs, and using WinRAR with rclone or FileZilla for data transfers. The attack culminates with the deployment of Akira ransomware.

Akira activity has been rising since July 2025. Early reports suggested a SonicWall zero-day exploit, but investigations revealed attackers were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN. Though SonicWall released a patch in August 2024, some organizations failed to reset SSL VPN passwords after upgrading from Gen 6 to Gen 7 firewalls, leaving them exposed.

Experts believe that attackers harvested privileged account credentials months earlier and are now reusing them against organizations that patched but never rotated passwords. Rapid7 also identified other weaknesses being exploited, including misconfigured SSLVPN Default User Group settings and the externally exposed Virtual Office Portal, which attackers use to configure OTP MFA on compromised accounts.

“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers stated.

“Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”

So far, victim organizations span multiple industries and sizes, indicating opportunistic targeting rather than focused campaigns. Researchers emphasize that the minimal time between breach and ransomware execution makes early detection and rapid response essential.

Defensive Measures

Arctic Wolf recommends organizations take the following steps:
  • Monitor or block logins originating from VPS hosting providers.
  • Watch for abnormal SMB and LDAP activity linked to Impacket and discovery tools.
  • Detect unusual execution of scanning and archival utilities on servers.
  • Leverage App Control for Business to restrict unauthorized remote tools and block execution from untrusted paths.
“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf advised. “This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.”
Read more »
Subscribe to: Posts (Atom)