It's been a bit quiet over the last 24 hours, but we have a significant update on the Akira ransomware group's evolving tactics, particularly their ability to bypass MFA on SonicWall VPNs. Let's dive in:

Akira Ransomware Bypassing MFA on SonicWall VPNs ⚠️

- Akira ransomware affiliates are actively breaching SonicWall SSL VPNs, successfully authenticating even when one-time password (OTP) multi-factor authentication is enabled.
- This bypass is believed to stem from the use of credentials and OTP seeds previously stolen via the improper access control vulnerability CVE-2024-40766, allowing threat actors to regain access even after devices have been patched.
- Once inside, Akira moves quickly, performing internal network scanning, enumerating Active Directory, targeting Veeam servers for credential extraction, and employing Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to disable endpoint protection. Admins are urged to reset all VPN credentials on any device that previously used vulnerable firmware.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/

#CyberSecurity #ThreatIntelligence #Ransomware #Akira #SonicWall #VPN #MFA #Vulnerability #CVE202440766 #BYOVD #IncidentResponse #InfoSec

SonicWall SMA 100 devices are under threat from a stealthy malware that clings even after updates, stealing sensitive credentials. Could your network be at risk? Dive into this unfolding security saga.

https://thedefendopsdiaries.com/the-persistent-threat-of-overstep-malware-on-sonicwall-sma-100-devices/

#overstepmalware
#sonicwall
#rootkit
#firmwareupdate
#cybersecurity
#unc6148
#ransomware
#cve202440766
#networksecurity
#threatintel

A tiny flaw in SonicWall’s SSLVPN is giving Akira ransomware a free pass—hackers are exploiting it with simple HTTP requests and 100+ companies have already paid the price. Is your network prepared?

https://thedefendopsdiaries.com/understanding-the-akira-ransomware-exploitation-of-sonicwall-vulnerability-cve-2024-40766/

#akira
#ransomware
#sonicwall
#cve202440766
#cybersecurity