Description
Security researchers have observed the Akira ransomware group bypassing multi-factor authentication (MFA) protections on SonicWall SSL VPN appliances. Attackers are leveraging credentials and one-time password (OTP) seeds stolen during earlier SonicWall zero-day exploits, allowing them to log in even on patched and MFA-protected devices. Once inside, Akira affiliates move quickly to compromise networks, steal data, and deploy ransomware.
Attack Details
- Attackers target SonicWall VPNs previously affected by CVE-2024-40766.
- OTP MFA codes are bypassed, likely using stolen or compromised OTP seeds.
- Arctic Wolf observed multiple OTP challenges during logins, followed by successful authentications.
- Once authenticated, attackers conduct reconnaissance with tools such as dsquery, SharpShares, and BloodHound.
- Backups are targeted: PowerShell scripts extract credentials from Veeam Backup & Replication
- Akira affiliates use Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable security software.
Remediation
- Update and Patch: Ensure SonicWall appliances are updated to the latest firmware version.
- Reset VPN Credentials: Change all VPN account passwords and revoke previously issued OTP seeds.
- Enable Advanced MFA: Consider hardware tokens or app-based authenticators with anti-cloning protections.
- Restrict VPN Exposure: Limit VPN access to trusted IP ranges or enforce geolocation restrictions.
- Monitor Logs: Review VPN and authentication logs for repeated OTP prompts or suspicious login attempts.
- Secure Backups: Protect backup servers with strong credentials and isolate them from production networks.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Akira Ransomware Exploits SonicWall VPNs to Bypass MFA
References