Close Menu
Cybercrime and Ransomware

Akira Ransomware Breaches MFA-Protected SonicWall VPN Accounts

Staff WriterBy No Comments4 Mins Read1 Views

Quick Takeaways

  1. Akira ransomware campaigns targeting SonicWall SSL VPNs persist, successfully bypassing OTP MFA despite patched vulnerabilities and using stolen credentials.
  2. The attacks exploit a known flaw, CVE-2024-40766, with threat actors reportedly compromising OTP seeds or discovering alternative MFA bypass methods.
  3. Specialists observe rapid internal network scanning post-infiltration, leveraging tools like Impacket, RDP, and custom scripts to extract credentials from backups and databases.
  4. SonicWall urges immediate reset of all VPN credentials and updates to SonicOS, emphasizing that attackers are exploiting stolen credentials to maintain access even after patches.

What’s the Problem?

Recent investigations reveal that Akira ransomware operators continue to exploit vulnerabilities in SonicWall SSL VPN devices, inflicting significant security breaches despite the deployment of multi-factor authentication (MFA). The attacks originate from a known flaw, CVE-2024-40766, which was disclosed in September 2024 and patched in August of the same year. Despite these security patches, threat actors have persisted, leveraging stolen credentials acquired during prior zero-day exploits to gain access, even when MFA—intended to provide an extra security layer—was enabled. Cybersecurity researchers from Arctic Wolf and Google Threat Intelligence have observed these actors bypassing MFA, suggesting they may have compromised OTP seeds or employed other methods to generate valid authentication tokens, thereby maintaining unauthorized access to targeted networks.

The attackers, linked to the Akira ransomware campaign, rapidly move within compromised networks, deploying sophisticated techniques such as SMB session hijacking, RDP logins, and Active Directory enumeration, particularly targeting backup and database servers like Veeam and MSSQL. To evade endpoint detection, they exploit legitimate Windows tools to load malicious drivers, disable security protections, and run encryption processes seamlessly. This ongoing threat underscores the persistent risk posed by stolen credentials and unpatched vulnerabilities, prompting SonicWall to strongly advise administrators to reset all VPN credentials and update firmware to safeguard against continued exploitation. The report highlights that even patched devices remain vulnerable if credentials are compromised, emphasizing the need for vigilant security practices.

Security Implications

Ongoing Akira ransomware campaigns targeting SonicWall SSL VPN devices exemplify a critical cyber risk with severe consequences, as threat actors exploit a known access control flaw (CVE-2024-40766) and leverage stolen credentials—sometimes even after security patches—highlighting vulnerabilities in patch management and credential safeguarding. Despite implementing multi-factor authentication (MFA), attackers are circumventing protections by hijacking stolen OTP seeds or discovering alternative methods to generate valid tokens, revealing weaknesses in MFA systems and the sophisticated techniques used by adversaries. Once inside, attackers swiftly move laterally, targeting key assets like backup servers and Active Directory, deploying tools like PowerShell scripts and malicious drivers to disable defenses and facilitate encryption, all within minutes of breach. These tactics underscore the evolving sophistication of ransomware threats, emphasizing the urgent need for rigorous credential management, timely patch application, and advanced security protocols to prevent exploitation, as even fully patched devices remain vulnerable due to credential theft and bypass strategies.

Possible Next Steps

When a compromising breach like the Akira ransomware attacking MFA-protected SonicWall VPN accounts occurs, rapid and effective remediation is crucial to prevent further damage, restore security, and safeguard sensitive data. Prompt action helps contain the threat before it propagates, minimizes downtime, and maintains organizational trust.

Mitigation Steps

  • Immediate Disconnection: Temporarily disconnect affected systems to halt ongoing activity
  • Credential Reset: Force password changes for impacted accounts and review MFA settings
  • Access Review: Conduct a thorough audit of account access logs for unauthorized activity
  • Threat Identification: Deploy antivirus, anti-malware tools, and network scanning to detect and isolate malicious files or behaviors

Remediation Steps

  • Patch & Update: Apply all relevant security patches to SonicWall devices and related systems
  • Vulnerability Mitigation: Address any identified security gaps that enabled the breach
  • Enhanced Security: Implement stronger MFA practices, such as hardware tokens or biometrics
  • User Education: Reinforce security protocols with staff to prevent social engineering or phishing exploits
  • Monitoring: Increase surveillance of network traffic and system logs for unusual activity
  • Incident Reporting: Notify relevant authorities and collaborate with cybersecurity experts for investigation and support

Advance Your Cyber Knowledge

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.