SecurityWeek

Ransomware

Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues

In one attack, the hackers leveraged the Datto RMM utility on a domain controller and various other legitimate tools to evade detection.

The Akira ransomware group continues to exploit a year-old SonicWall vulnerability for initial access and relies on pre-installed and legitimate tools to evade detection, security researchers warn.

Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766 (CVSS score of 9.3), an improper access control issue in SonicWall firewalls that was patched in August 2024.

Akira’s campaign, Arctic Wolf warns in a fresh report, remains active, as the ransomware operators are successfully targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option.

Arctic Wolf says it observed dozens of incidents that can be tied together by VPN client logins originating from VPS hosting providers, network scanning, Impacket SMB activity for endpoint discovery, and Active Directory discovery.

Artifacts collected from these intrusions suggest that multiple threat actors or affiliates might have been involved, that automation was used for authentication, and that readily available tools were used for discovery and lateral movement.

The cybersecurity firm also points out that, while it is unclear how the attackers were able to circumvent MFA, SonicWall confirmed in August that devices running SonicOS versions prior to 7.3 “may have been susceptible to brute force attacks affecting MFA credentials”.

“With dwell times measured in hours rather than days—among the shortest we’ve recorded for ransomware—the window for effective response against this threat is exceptionally narrow. By detecting unexpected logins from a handful of hosting-related ASNs and identifying Impacket SMB activity over the network, intrusions can be disrupted at an early stage,” Arctic Wolf notes.
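As an added illustration of the early-detection approach Arctic Wolf describes (this is example code, not from the article, Arctic Wolf or SonicWall), the following Python flags successful VPN logins whose source address falls in a hosting-related ASN and groups them to surface scripted logins from one provider; the log line format, the CIDR-to-ASN table and the ASN numbers are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed CIDR -> (ASN, category) table. A real deployment would use a
# maintained IP-to-ASN feed; these prefixes and ASNs are documentation ranges.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("AS64500", "hosting")),
    (ipaddress.ip_network("198.51.100.0/24"), ("AS64501", "hosting")),
    (ipaddress.ip_network("192.0.2.0/24"), ("AS64502", "residential_isp")),
]

# Constructed VPN login events in a generic key=value shape (not SonicWall's format).
SAMPLE_LOGS = """\
2025-09-01T02:14:07Z vpn login user=jdoe src=203.0.113.45 result=success
2025-09-01T02:14:09Z vpn login user=asmith src=203.0.113.46 result=success
2025-09-01T02:14:11Z vpn login user=bwong src=198.51.100.7 result=success
2025-09-01T08:30:00Z vpn login user=clee src=192.0.2.10 result=success
2025-09-01T08:45:12Z vpn login user=jdoe src=203.0.113.45 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def lookup_asn(ip_str):
    """Longest-match-free lookup: first table entry containing the address wins."""
    ip = ipaddress.ip_address(ip_str)
    for net, info in ASN_TABLE:
        if ip in net:
            return info
    return ("unknown", "unknown")

def find_hosting_logins(log_text):
    """Return successful VPN logins whose source sits in a hosting-related ASN."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        asn, category = lookup_asn(m["src"])
        if category == "hosting":
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"], "asn": asn})
    return hits

def burst_by_asn(hits, window_s=60, min_users=2):
    """Flag ASNs where at least min_users distinct accounts logged in within window_s,
    a pattern consistent with automated authentication from one hosting provider."""
    by_asn = defaultdict(list)
    for h in hits:
        t = datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
        by_asn[h["asn"]].append((t, h["user"]))
    flagged = {}
    for asn, events in by_asn.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[asn] = sorted(users)
                break
    return flagged
```

Running `burst_by_asn(find_hosting_logins(SAMPLE_LOGS))` on the constructed lines returns only the ASN with two accounts authenticating two seconds apart; the residential login and the failed attempt are not flagged.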

In one attack analyzed by Barracuda, the Akira affiliates were seen leveraging various pre-installed and legitimate utilities, which allowed them to stay under the radar. They also used the Datto remote monitoring and management (RMM) tool, installed on a domain controller.

“They homed in on the RMM tool’s management console and used it, together with several previously installed backup agents, to implement the attack without triggering a security alert for a new software install or suspicious activity,” Barracuda explains.

The hackers used Datto to execute a PowerShell script that gave them full control over the server, then ran additional tools, modified the Windows registry to evade detection and turn off security features, and dropped various files, including scripts that modified firewall rules.

“The attackers didn’t deploy sophisticated new malware or tools that would immediately raise red flags. Instead, they used what was already there — the Datto RMM and the backup agents. […] The attacker’s activity closely mirrored what a backup agent might legitimately do during scheduled jobs. This made everything look like regular IT activity,” Barracuda notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
