
Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with threat actors now successfully authenticating to accounts even when OTP-based multi-factor authentication is enabled. Researchers suspect this is being done with previously stolen OTP seeds, although the exact method is unconfirmed at this time.
In July, BleepingComputer reported that the Akira ransomware operation was exploiting SonicWall SSL VPN devices to breach corporate networks, which led researchers to suspect that a zero-day flaw was being exploited to compromise the devices.
However, SonicWall eventually linked the attacks to an improper access control flaw tracked as CVE-2024-40766, which was disclosed in September 2024.
While the flaw was patched in August 2024, threat actors continue to use credentials that were stolen from devices before they were patched, even after the security updates were installed.
After linking the attacks to credentials stolen through CVE-2024-40766, SonicWall urged administrators to reset all SSL VPN credentials and ensure the latest SonicOS firmware was installed on their devices.
New research shows that MFA has been bypassed
Cybersecurity firm Arctic Wolf now reports that, while observing the ongoing campaign against SonicWall firewalls, it has seen threat actors successfully logging into accounts even when those accounts were protected by one-time password (OTP) multi-factor authentication.
The report states that multiple OTP challenges were issued for account login attempts, followed by a successful login, suggesting that the threat actors either hold compromised OTP seeds or have found another way to generate valid tokens.
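The pattern Arctic Wolf describes (several OTP challenges for the same account, then a success) is something a detection engineer can hunt for directly. The following is an added example, not code from the Arctic Wolf report or from SonicWall: it runs a simple sliding-window heuristic over constructed, simplified auth events (timestamp, event name, user, source IP; an assumed format, not real SonicOS syslog) and flags successful logins preceded by a burst of OTP challenges from the same user and source.

```python
"""Flag VPN logins where several OTP challenges precede a success.

Added example; not from the Arctic Wolf report. The three event names
(otp_challenge, login_success, login_failure) and the one-line record
format are assumptions; map your real VPN/SonicOS auth events onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). jsmith shows the suspicious
# pattern, mlee a normal login, adm a failed attempt with no success.
SAMPLE_LOG = """\
2025-09-10T03:12:01Z otp_challenge user=jsmith src=203.0.113.5
2025-09-10T03:12:40Z otp_challenge user=jsmith src=203.0.113.5
2025-09-10T03:13:15Z otp_challenge user=jsmith src=203.0.113.5
2025-09-10T03:13:33Z login_success user=jsmith src=203.0.113.5
2025-09-10T08:00:02Z otp_challenge user=mlee src=198.51.100.7
2025-09-10T08:00:30Z login_success user=mlee src=198.51.100.7
2025-09-10T09:10:00Z otp_challenge user=adm src=203.0.113.9
2025-09-10T09:10:20Z otp_challenge user=adm src=203.0.113.9
2025-09-10T09:10:50Z login_failure user=adm src=203.0.113.9
"""


def parse_line(line: str) -> dict:
    """Split one assumed-format record into its fields."""
    ts_str, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def find_suspicious_logins(log_text: str, min_challenges: int = 2,
                           window: timedelta = timedelta(minutes=10)) -> list:
    """Return (user, src, challenge_count) for every successful login that was
    preceded by at least `min_challenges` OTP challenges inside `window`.

    A normal login produces one challenge; repeated challenges before a
    success point at repeated token attempts (guessing, drift, or a seed the
    attacker is still syncing)."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent challenges
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        # Expire challenges that fell out of the window.
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["event"] == "otp_challenge":
            recent[key].append(ev["ts"])
        elif ev["event"] == "login_success":
            if len(recent[key]) >= min_challenges:
                hits.append((ev["user"], ev["src"], len(recent[key])))
            recent[key].clear()   # a success closes the sequence
    return hits


if __name__ == "__main__":
    for user, src, n in find_suspicious_logins(SAMPLE_LOG):
        print(f"suspicious: {user} from {src} after {n} OTP challenges")
```

The threshold of two challenges is deliberately low and will also catch a legitimate user who mistypes a code; in practice, correlate the hit with a first-seen source IP, an off-hours timestamp, or a device that ran firmware vulnerable to CVE-2024-40766 before escalating.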

Source: Arctic Wolf
"SonicWall linked the malicious logins seen in this campaign to CVE-2024-40766, an improper access control vulnerability that was identified a year ago," Arctic Wolf explains.
"From this perspective, credentials were likely harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors after those same devices were patched. In the current campaign, threat actors successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled."
While researchers say it is not clear how Akira affiliates are authenticating to MFA-protected accounts, a separate report from the Google Threat Intelligence Group in July described similar abuse of SonicWall VPNs.
In that campaign, a financially motivated group tracked as UNC6148 deployed the OVERSTEP rootkit on SMA 100 series devices, and Google believes the group used previously stolen OTP seeds to retain access even after patches were applied.
Google believes the threat actors were using one-time password seeds obtained earlier in zero-day attacks, but it is uncertain which CVE was exploited.
"Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances," Google warned.
"GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates."
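Both reports above rest on the same mechanism: a TOTP seed is a shared secret, so whoever copied it from the appliance can compute every future code just as the server does, and a firmware update or password reset does not change that. The following added example (not code from SonicWall, Arctic Wolf or Google) implements RFC 6238 TOTP, checks it against the RFC's public test vectors, and shows on an assumed, simplified account model that only re-enrolling a fresh seed invalidates a stolen one.

```python
"""Why a stolen OTP seed survives patching and a password reset (RFC 6238).

Added example; not SonicWall, Arctic Wolf or Google code. The account
model (dict with a password hash and a TOTP seed) is an assumption made
for illustration, and RFC_SEED is the public RFC 6238 reference seed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

STEP = 30     # seconds per TOTP window
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check accepting +/- `skew` windows of clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * STEP), code)
               for d in range(-skew, skew + 1))


RFC_SEED = b"12345678901234567890"   # RFC 6238 reference seed (public test vector)


def new_account(password: str, seed: bytes) -> dict:
    # Constructed account model (assumption, not a SonicOS data structure).
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest(), "otp_seed": seed}


def login(account: dict, password: str, code: str, now: int) -> bool:
    """Password check plus TOTP check, as an MFA-enabled VPN login would do."""
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(),
                                account["pw_hash"])
    return pw_ok and verify_totp(account["otp_seed"], code, now)


def reset_password(account: dict, new_password: str) -> None:
    """What 'reset all VPN credentials' changes: the password, not the seed."""
    account["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()


def reenroll_otp(account: dict, seed: Optional[bytes] = None) -> None:
    """Issue a fresh seed; this is the step that actually kills a stolen one."""
    account["otp_seed"] = seed if seed is not None else os.urandom(20)


def attacker_passes_mfa(account: dict, stolen_password: str,
                        stolen_seed: bytes, now: int) -> bool:
    """An attacker holding a harvested password and seed computes the
    current code locally; the server cannot tell it from the real token."""
    return login(account, stolen_password, totp(stolen_seed, now), now)


if __name__ == "__main__":
    now = 1111111109   # a time from the RFC 6238 test table
    acct = new_account("hunter2", RFC_SEED)
    print("stolen seed + password:", attacker_passes_mfa(acct, "hunter2", RFC_SEED, now))
    reenroll_otp(acct)
    print("after OTP re-enrollment:", attacker_passes_mfa(acct, "hunter2", RFC_SEED, now))
```

The practical consequence for the remediation advice in this article: if seeds may have been read off a vulnerable appliance, resetting passwords is necessary but not sufficient; every user's OTP binding has to be re-enrolled as well, and the new seeds must never be generated on a device that is still suspected of being compromised.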
Once inside, Arctic Wolf reports, Akira moves very quickly, often scanning the internal network within five minutes. Researchers noted that the threat actors enumerated SMB session setup requests, RDP logins and Active Directory objects using tools such as dsquery, SharpShares and BloodHound.
Particular attention was paid to Veeam Backup & Replication servers, where a custom PowerShell script was deployed to extract and decrypt MSSQL and PostgreSQL credentials stored with DPAPI secrets.
To evade security software, the affiliates abused legitimately signed Microsoft drivers in bring-your-own-vulnerable-driver (BYOVD) attacks.
These drivers were used to disable endpoint security processes, allowing the ransomware encryptors to run without being blocked.
The report emphasizes that some of these attacks impacted devices running SonicOS 7.3.0, the release that SonicWall has urged admins to install to mitigate credential attacks.
Admins are strongly urged to reset all VPN credentials on any device that previously ran vulnerable firmware, as even after updating, attackers can continue to use stolen accounts to gain initial access to corporate networks.


