Researchers are warning of a significant surge in Akira ransomware activity targeting SonicWall SSL VPN users. The campaign is not only active but continuously evolving, with the attackers frequently rotating the infrastructure they connect from.

This aggressive approach aligns with Akira's historical tactic of using VPN infrastructure as an initial access vector, previously seen with vulnerabilities such as CVE-2023-20269 in Cisco ASA and CVE-2020-3259 in Cisco AnyConnect, according to new analysis from Arctic Wolf.

Here’s what’s happening:

  • Credential theft: Attackers are compromising SSL VPN accounts using credentials that were likely exfiltrated through exploitation of CVE-2024-40766, a critical improper access control bug in SonicOS. Disturbingly, this includes accounts protected with MFA, which is why the remediation guidance below covers OTP MFA secrets and not just passwords. This highlights the need for robust credential management and a layered security approach.
  • Short time from compromise to ransomware deployment: A particularly alarming aspect of this campaign is the speed of the intrusions. In a slew of recent cases observed by Arctic Wolf, attackers moved from initial credential access to ransomware deployment in less than four hours.

To evade detection, the Akira actors are actively rotating the VPS-hosted infrastructure from which they log in to the VPN, so blocking individual source addresses offers little lasting protection. The campaign's victims span a diverse range of industries and organizational sizes, which is common in ransomware campaigns that rely on stolen credentials and/or one specific vulnerability for initial access.
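Because the source addresses keep changing, a useful detection looks at where SSL VPN logins come from rather than at specific IPs. The script below is an added example (not code from the article, Arctic Wolf or SonicWall): it parses a handful of constructed login records in a simplified key=value syslog style (not the exact SonicWall format), flags successful logins from VPS/hosting address space, and flags accounts that authenticate from several distinct hosting addresses inside a short window, which is what infrastructure rotation looks like in the logs. The hosting prefixes are RFC 5737 documentation ranges standing in for a real ASN-to-prefix feed, and the four-hour window mirrors the compromise-to-ransomware time reported above.

```python
"""Flag SSL VPN logins from VPS/hosting space and accounts whose source
address rotates across hosting ranges within a short window.

Added example, not code from the article or the vendors it quotes.
Log format below is a constructed, simplified key=value syslog style,
NOT the exact SonicWall format; adapt LINE_RE to your actual logs.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder "hosting/VPS" prefixes (RFC 5737 documentation
# ranges). In production, populate this from your own ASN/prefix feed.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
)]

# Constructed sample records: one account logs in from three different
# hosting addresses in just over an hour; the others are ordinary logins.
SAMPLE_LOG = """\
time="2025-09-01 08:02:11" msg="SSL VPN login allowed" usr="jdoe" src=10.1.1.50
time="2025-09-01 08:05:40" msg="SSL VPN login allowed" usr="svc_backup" src=192.0.2.17
time="2025-09-01 08:31:03" msg="SSL VPN login allowed" usr="svc_backup" src=198.51.100.9
time="2025-09-01 09:12:55" msg="SSL VPN login allowed" usr="svc_backup" src=203.0.113.44
time="2025-09-01 09:40:00" msg="SSL VPN login failed" usr="asmith" src=192.0.2.200
time="2025-09-01 10:00:12" msg="SSL VPN login allowed" usr="mlee" src=172.16.5.5
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+msg="(?P<msg>[^"]+)"\s+'
    r'usr="(?P<usr>[^"]+)"\s+src=(?P<src>\S+)'
)


def parse_lines(text):
    """Return successful login events; failed logins and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("msg") != "SSL VPN login allowed":
            continue
        events.append({
            "time": datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "usr": m.group("usr"),
            "src": ipaddress.ip_address(m.group("src")),
        })
    return events


def is_hosting(ip):
    """True if the address falls inside any known hosting/VPS prefix."""
    return any(ip in net for net in HOSTING_PREFIXES)


def find_hosting_logins(events):
    """Every successful login whose source is hosting/VPS space."""
    return [e for e in events if is_hosting(e["src"])]


def find_rotating_accounts(events, window=timedelta(hours=4), min_ips=2):
    """Accounts seen from >= min_ips distinct hosting addresses within `window`.

    Returns {username: sorted list of hosting source IPs as strings}.
    """
    by_user = defaultdict(list)
    for e in events:
        if is_hosting(e["src"]):
            by_user[e["usr"]].append(e)
    flagged = {}
    for usr, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            # Sliding window anchored on each login in turn.
            ips = {ev["src"] for ev in evs[i:] if ev["time"] - first["time"] <= window}
            if len(ips) >= min_ips:
                flagged[usr] = sorted(str(ip) for ip in ips)
                break
    return flagged


def main():
    events = parse_lines(SAMPLE_LOG)
    for e in find_hosting_logins(events):
        print(f"hosting-space login: {e['usr']} from {e['src']} at {e['time']}")
    for usr, ips in find_rotating_accounts(events).items():
        print(f"rotating source addresses: {usr} -> {', '.join(ips)}")


if __name__ == "__main__":
    main()
```

Any hit from hosting space on an account that normally connects from a residential or corporate range deserves a credential reset and a look at what that session did next; a rotating account inside a four-hour window is a strong signal that the intrusion is already well under way.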

SonicWall researchers said this campaign is likely connected to past exploitation of CVE-2024-40766, not to exploitation of a zero day.

“We now have high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed,” SonicWall said.

This could mean that devices which previously ran vulnerable firmware were silently compromised at the time, with credentials exfiltrated then and reused in these later attacks, even after the devices were patched.

This Akira ransomware campaign doesn’t appear to be connected to the recently disclosed MySonicWall incident, either. 

“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets. This includes both local firewall accounts and LDAP-synchronized Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle,” Arctic Wolf said.

Note: Cisco and Duo are no longer affiliated with Decipher.  All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.