Akira ransomware affiliates are successfully authenticating to SonicWall SSL VPN accounts protected by one-time password (OTP) multi-factor authentication, cybersecurity firm Arctic Wolf said. Researchers suspect the logins rely on previously stolen OTP seeds, though the exact method remains unconfirmed.
SonicWall has linked the malicious logins to CVE-2024-40766, an improper access control vulnerability in SonicOS, and has urged administrators to install the updated firmware and reset SSL VPN credentials, the company said in its notice on the activity.
Arctic Wolf reported that multiple OTP challenges were issued for account login attempts that were subsequently accepted, suggesting that threat actors may have harvested OTP seeds or found an alternative way to generate valid tokens, although the firm said the precise authentication mechanism remains unclear.
A separate July report from Google Threat Intelligence Group described a related campaign by a financially motivated actor the company tracks as UNC6148 and said it assessed with high confidence that the group was leveraging credentials and one-time password seeds stolen during prior intrusions to regain access to fully patched, end-of-life SonicWall SMA 100 series appliances.
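The seed-theft hypothesis above (both Arctic Wolf's observation and Google's UNC6148 assessment) rests on how TOTP works: the code is a function of the shared seed and the clock, so whoever holds the seed can mint valid codes indefinitely, and a password reset alone leaves that factor compromised. The following is an added illustration, not code from Arctic Wolf, Google or SonicWall, and it makes no claim about how SonicWall's own OTP implementation stores seeds. It implements RFC 6238 TOTP over HMAC-SHA1 (checked against the RFC's own test vectors, whose seed stands in for the "stolen" seed) and then walks through the two remediations. The `VpnAccount` model, the sample password, the replacement seed and the function names are assumptions made for the demonstration.

```python
"""Why a stolen OTP seed survives a password reset: an RFC 6238 TOTP walk-through.

Added illustration; not the vendor's or the researchers' code. The seed is the
RFC 6238 SHA-1 test seed; the account model and sample credentials are constructed.
"""
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP).
    Note what is NOT an input here: the user's password."""
    return hotp(seed, unix_time // STEP)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side (clock drift), using a constant-time comparison."""
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(seed, counter + d), code)
        for d in range(-window, window + 1)
        if counter + d >= 0
    )


class VpnAccount:
    """Toy model of an SSL VPN account with password + TOTP (assumption: illustrative only;
    a real system would use a password KDF such as bcrypt or Argon2, not plain SHA-256)."""

    def __init__(self, password: str, otp_seed: bytes):
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.otp_seed = otp_seed

    def login(self, password: str, code: str, unix_time: int) -> bool:
        pw_ok = hmac.compare_digest(
            self.password_hash, hashlib.sha256(password.encode()).hexdigest()
        )
        return pw_ok and verify_totp(self.otp_seed, code, unix_time)

    def reset_password(self, new_password: str) -> None:
        self.password_hash = hashlib.sha256(new_password.encode()).hexdigest()

    def reenroll_otp(self, new_seed: bytes) -> None:
        """The only step that invalidates a seed an attacker already holds."""
        self.otp_seed = new_seed


def stolen_seed_scenario(now: int) -> dict:
    """Attacker holds the user's password AND OTP seed from an earlier intrusion.
    Returns, per remediation step, whether the attacker's material still works."""
    seed = b"12345678901234567890"              # RFC 6238 SHA-1 test seed, playing the stolen seed
    account = VpnAccount("Winter2024!", seed)   # constructed sample credentials
    attacker_password, attacker_seed = "Winter2024!", seed
    results = {}

    results["before_remediation"] = account.login(
        attacker_password, totp(attacker_seed, now), now)

    account.reset_password("Spring2025!")       # vendor-recommended credential reset
    results["old_password_after_reset"] = account.login(
        attacker_password, totp(attacker_seed, now), now)
    # The OTP factor, however, is unchanged: if the attacker obtains the new
    # password (phishing, another credential dump), MFA no longer stands in the way.
    results["otp_still_valid_after_reset"] = verify_totp(
        account.otp_seed, totp(attacker_seed, now), now)

    account.reenroll_otp(b"fresh-seed-issued-at-re-enrollment")  # constructed replacement seed
    results["otp_valid_after_reenrollment"] = verify_totp(
        account.otp_seed, totp(attacker_seed, now), now)
    return results


if __name__ == "__main__":
    for step, ok in stolen_seed_scenario(1234567890).items():
        print(f"{step:32s} attacker accepted: {ok}")
```

The practical reading: a credential reset closes the password factor, but any OTP enrolment that predates the intrusion should be treated as compromised and re-enrolled with a fresh seed, otherwise the account is effectively back to single-factor authentication against an attacker who already has, or can re-obtain, the password.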
Once inside, Arctic Wolf said, affiliates often began scanning internal networks within minutes, using Impacket SMB session setup requests, RDP logins and Active Directory enumeration tools, and targeted Veeam Backup & Replication servers with custom PowerShell to extract database credentials and DPAPI secrets. The firm also reported attackers abusing Microsoft's consent.exe to sideload malicious DLLs, which in turn loaded vulnerable drivers used to disable endpoint protection.

Researchers and the vendor are urging organisations to install the recommended SonicOS releases and to reset any VPN credentials that may have been exposed; the report noted that some of the attacks affected appliances already running SonicOS 7.3.0.