Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully authenticating despite OTP MFA being enabled on accounts. Researchers suspect this may be through the use of previously stolen OTP seeds, though the exact method remains unconfirmed at this time.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN devices to breach corporate networks, leading researchers to suspect that a zero-day flaw was being exploited to compromise these devices.
However, SonicWall ultimately linked the attacks to an improper access control flaw tracked as CVE-2024-40766 that was disclosed in September 2024.
While the flaw was patched in August 2024, threat actors have continued to use credentials previously stolen from exploited devices, even after the security updates were applied.
After linking the attacks to credentials stolen using CVE-2024-40766, SonicWall urged administrators to reset all SSL VPN credentials and ensure that the latest SonicOS firmware was installed on their devices.
New research shows MFA bypassed
Cybersecurity firm Arctic Wolf now reports observing an ongoing campaign against SonicWall firewalls, where threat actors are successfully logging into accounts even when one-time password (OTP) multi-factor authentication is enabled.
The report indicates that multiple OTP challenges were issued for account login attempts, followed by successful logins, suggesting that threat actors may have also compromised OTP seeds or discovered an alternative method to generate valid tokens.
Figure: Successfully solving one-time passcode MFA challenges (Source: Arctic Wolf)
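The pattern Arctic Wolf describes, several OTP challenges for one account followed by a successful login, is something defenders can hunt for in their own VPN authentication logs. The script below is an added example written for this article, not code from Arctic Wolf, SonicWall or BleepingComputer; the log lines are constructed in a hypothetical format (timestamp, event, user, source IP) rather than the real SonicOS syslog layout, and the threshold and time window are assumed tuning values, so both should be adapted to the actual log source and to normal retry behaviour in the environment.

```python
"""Flag successful VPN logins preceded by repeated OTP challenges.

Hypothetical log format (constructed for this example, not SonicOS syslog):
    <ISO-8601 UTC timestamp> <EVENT> user=<name> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: jdoe is challenged three times in two minutes and then
# logs in; asmith is a normal single-challenge login; bwong's challenges are
# 35 minutes before the success, outside the default window.
SAMPLE_LOG = """\
2025-09-29T03:14:02Z OTP_CHALLENGE user=jdoe src=203.0.113.10
2025-09-29T03:14:40Z OTP_CHALLENGE user=jdoe src=203.0.113.10
2025-09-29T03:15:21Z OTP_CHALLENGE user=jdoe src=203.0.113.10
2025-09-29T03:15:55Z LOGIN_SUCCESS user=jdoe src=203.0.113.10
2025-09-29T08:00:01Z OTP_CHALLENGE user=asmith src=198.51.100.7
2025-09-29T08:00:30Z LOGIN_SUCCESS user=asmith src=198.51.100.7
2025-09-29T09:10:00Z OTP_CHALLENGE user=bwong src=192.0.2.5
2025-09-29T09:10:20Z OTP_CHALLENGE user=bwong src=192.0.2.5
2025-09-29T09:45:00Z LOGIN_SUCCESS user=bwong src=192.0.2.5
"""


def parse_line(line):
    """Split one log line into (timestamp, event, user, source IP)."""
    ts, event, user_kv, src_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        event,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def find_suspicious_logins(log_text, min_challenges=2, window_minutes=10):
    """Return (user, src, challenge_count, success_timestamp) for every
    LOGIN_SUCCESS that was preceded, from the same user and source IP, by at
    least `min_challenges` OTP_CHALLENGE events within `window_minutes`.

    Both thresholds are assumed starting points for triage, not tuned values.
    """
    window = timedelta(minutes=window_minutes)
    challenges = defaultdict(list)  # (user, src) -> list of challenge times
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse_line(raw)
        key = (user, src)
        if event == "OTP_CHALLENGE":
            challenges[key].append(ts)
        elif event == "LOGIN_SUCCESS":
            recent = [t for t in challenges[key] if ts - t <= window]
            if len(recent) >= min_challenges:
                hits.append((user, src, len(recent), ts.isoformat()))
            # A success closes the attempt; later challenges start a new one.
            challenges[key].clear()
    return hits


if __name__ == "__main__":
    for user, src, n, when in find_suspicious_logins(SAMPLE_LOG):
        print(f"{when} {user} from {src}: {n} OTP challenges before success")
```

With the defaults only jdoe is reported; widening the window to an hour also catches bwong, which shows why the window should be chosen against the observed gap between challenges and logins in real data. A hit is a triage signal, not proof of compromise: a legitimate user fat-fingering a code produces the same shape, so correlate with source IP reputation, geography and the post-login activity before acting.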