The Akira ransomware gang is now reportedly bypassing multi-factor authentication (MFA) protections on SonicWall VPN devices, according to a new report from cybersecurity firm Arctic Wolf. This development represents a serious escalation in the group’s tactics, as the criminals appear to be using stolen one-time password (OTP) seeds to successfully log in—even when MFA is fully enabled.
Arctic Wolf observed multiple incidents where SonicWall Secure Mobile Access (SMA) appliances were accessed despite OTP-based MFA being active. In each case, multiple OTP challenges were issued, but attackers still authenticated successfully, suggesting they had access to the correct OTP codes.
Background: Zero-Day Vulnerability and CVE-2024-40766
These incidents follow a wave of Akira ransomware attacks earlier this year that exploited an unknown vulnerability in SonicWall’s SMA VPN appliances. At the time, the method of initial access was unclear. However, SonicWall later confirmed the attackers were exploiting a zero-day vulnerability, now tracked as CVE-2024-40766, involving improper access control in the web management interface.
A patch was released in August 2024, and SonicWall urged customers to upgrade to the latest versions of SonicOS 7.1.1-7040 / 7.0.1-5146 and SMA 100 firmware to mitigate the issue. They also advised administrators to reset all user credentials for impacted VPN portals, particularly those not integrated with Active Directory.
However, Arctic Wolf’s new findings indicate that the threat actors may have already harvested OTP seed data during prior compromises—making even patched devices vulnerable if credentials were not rotated.
OTP MFA Bypass: What Researchers Observed
According to Arctic Wolf’s investigation:
- In multiple breach incidents, VPN user logins occurred with OTP MFA enabled.
- Multiple OTP prompts were issued, yet the login was ultimately successful.
- This behavior suggests that the attackers possessed valid OTP secrets or were able to generate valid tokens at will.
- The exploitation was not due to a new vulnerability, but likely stemmed from previously compromised credentials and OTP seeds.
This theory is supported by a June 2024 report from Google’s Threat Analysis Group (TAG) and Mandiant, which detailed how another threat group, UNC6148, used stolen OTP seeds to bypass MFA on SonicWall SMA 100 series devices—even when those systems were fully patched.
Post-Breach Activity: Fast and Aggressive Lateral Movement
Once initial access was achieved, Akira operators wasted no time escalating privileges and moving laterally within victim networks. Arctic Wolf reports that:
- Internal network scanning typically began within 5 minutes of VPN login.
- Attackers used tools like Impacket, RDP, and Active Directory enumeration utilities including dsquery, SharpShares, and BloodHound.
- A high-priority target was the Veeam Backup & Replication server, a critical system used for managing backup infrastructure. The threat actors deployed custom PowerShell scripts to:
- Extract and decrypt credentials from Veeam, MSSQL, and PostgreSQL databases.
- Retrieve Data Protection API (DPAPI) secrets to further compromise systems.
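Two of the observations above give defenders concrete hunting signals: a successful VPN login preceded by several OTP challenges, and internal scanning within five minutes of that login. The following added Python example (not from Arctic Wolf or the original article) runs both checks over a constructed event stream; the log format, event names and field names are assumptions, so map them onto your own SMA and firewall logs before use.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real SonicWall SMA log lines): jdoe needed
# three OTP challenges to log in and scanned the LAN ~4 minutes later;
# asmith is a normal single-challenge login.
SAMPLE_LOGS = """\
2024-09-01T10:00:01Z user=jdoe src=203.0.113.5 event=otp_challenge
2024-09-01T10:00:20Z user=jdoe src=203.0.113.5 event=otp_challenge
2024-09-01T10:00:41Z user=jdoe src=203.0.113.5 event=otp_challenge
2024-09-01T10:00:55Z user=jdoe src=203.0.113.5 event=vpn_login_success vpn_ip=10.10.5.23
2024-09-01T10:04:30Z src=10.10.5.23 event=internal_scan dst_count=250
2024-09-01T11:15:02Z user=asmith src=198.51.100.7 event=otp_challenge
2024-09-01T11:15:10Z user=asmith src=198.51.100.7 event=vpn_login_success vpn_ip=10.10.5.24
"""

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def hunt(log_text, max_challenges=1, scan_window=timedelta(minutes=5)):
    """Return (user, reason) alerts for logins that needed more than
    max_challenges OTP prompts, and for internal scanning from the assigned
    VPN address within scan_window of the login. Hunting signals, not verdicts."""
    challenges = {}  # user -> OTP challenges seen since their last success
    logins = {}      # assigned VPN IP -> (user, login time)
    alerts = []
    for ev in (parse(l) for l in log_text.splitlines() if l.strip()):
        kind = ev["event"]
        if kind == "otp_challenge":
            challenges[ev["user"]] = challenges.get(ev["user"], 0) + 1
        elif kind == "vpn_login_success":
            n = challenges.pop(ev["user"], 0)
            logins[ev["vpn_ip"]] = (ev["user"], ev["ts"])
            if n > max_challenges:
                alerts.append((ev["user"], f"{n} OTP challenges before success"))
        elif kind == "internal_scan" and ev["src"] in logins:
            user, t0 = logins[ev["src"]]
            delay = int((ev["ts"] - t0).total_seconds())
            if delay <= scan_window.total_seconds():
                alerts.append((user, f"internal scan {delay}s after VPN login"))
    return alerts

if __name__ == "__main__":
    for user, reason in hunt(SAMPLE_LOGS):
        print(f"ALERT {user}: {reason}")
```

A legitimate user who mistypes a code will occasionally trip the first rule, so treat a hit as a trigger for reviewing the session and, if the account is suspect, re-enrolling its OTP seed rather than only resetting the password.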