
Akira Ransomware Exploits MFA-Secured SonicWall VPNs

Alert: Akira Ransomware Bypasses MFA on SonicWall VPNs to Breach Networks

Multi-factor authentication (MFA) is widely treated as a cornerstone of modern security because it protects accounts even after a password has been compromised. A recent wave of attacks shows that this defense can still be circumvented by a capable adversary. The Akira ransomware group is actively breaching corporate networks through a flaw in SonicWall SSL VPN appliances, gaining access to accounts on which MFA is enabled.

This development is a critical warning for organizations relying on SonicWall VPNs for secure remote access. The attacks highlight a dangerous reality: threat actors are continuously evolving their methods to bypass foundational security measures.

How Akira Is Bypassing Multi-Factor Authentication

Security researchers have observed Akira ransomware affiliates gaining initial access to enterprise networks through SonicWall VPN appliances. The most alarming aspect of these intrusions is that the attackers are getting past correctly configured MFA. While the exact technical method is still under investigation, the evidence points toward a flaw in the appliance rather than a simple misconfiguration on the customer's side.

The prevailing theory is that the attackers are exploiting a vulnerability within the VPN software itself that lets them skip the MFA check entirely, so the second-factor prompt never fires. This is particularly insidious because it requires no interaction from the targeted user: the victim receives no push notification or one-time-code request and so has no reason to suspect anything. It also means the intrusion does not depend on the user's password alone, so resetting passwords cannot by itself be assumed to lock an intruder out.

Once inside the network, the attackers follow the standard ransomware playbook:

  • Lateral Movement: Spreading across the network to identify and access high-value systems.
  • Data Exfiltration: Stealing sensitive corporate data for double-extortion tactics.
  • Encryption: Encrypting critical files and servers, grinding business operations to a halt.

By targeting a widely used VPN appliance, the Akira group has created a scalable method for breaching organizations that believed their remote access points were secure.

Actionable Steps to Secure Your SonicWall VPN

Defending against such a sophisticated threat requires immediate and proactive measures. If your organization uses SonicWall VPNs, it is crucial to act now to mitigate this risk.

  1. Immediately Apply Security Patches: The single most important step is to bring your SonicWall firmware up to date. Check for and apply every security advisory and patch from the vendor without delay; threat actors thrive on unpatched appliances. Patching closes the hole but does not evict an attacker who already holds valid credentials or sessions, so also follow any post-upgrade guidance in the advisory, such as resetting credentials and terminating existing VPN sessions.

  2. Monitor VPN Access Logs: Actively review your VPN authentication logs. Look for successful logins from unrecognized IP addresses or networks, a run of failed attempts for one user followed by a success, successful logins at unusual hours, and successful logins for which no corresponding second-factor challenge was recorded. Anomalous login patterns are often the earliest indicator of a compromise.

  3. Strengthen Credential Security: Even though this attack bypasses MFA, password hygiene still matters. Enforce a strict password policy, ensure no service or administrative account uses default or easily guessable credentials, and remove VPN access from accounts that no longer need it. If you suspect an intrusion, reset passwords and re-enrol the affected users' MFA tokens together, since a password reset on its own leaves any previously captured second-factor material valid.

  4. Implement Network Segmentation: A flat network is an attacker's playground. Use network segmentation to limit lateral movement once the perimeter is breached; in particular, place VPN users in a segment that reaches only the resources they need rather than the whole internal network. By containing an intrusion to a small segment, you significantly reduce the damage an attacker can do before detection.

  5. Prepare an Incident Response Plan: Assume a breach is not a matter of if, but when. Ensure your organization has a well-documented and practiced incident response plan. This plan should outline the specific steps to take to isolate affected systems, eradicate the threat, and restore operations from backups.
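The log review in step 2 can be turned into a small triage script. The following is an added example, not code from the article, from BleepingComputer or from SonicWall; the log lines are constructed in a generic key=value syslog style, and the field names, message texts, known source networks and thresholds are assumptions to be replaced with your appliance's actual log reference and your environment's values. It flags successful logins from outside the expected networks, successes outside business hours, and the brute-force-then-success pattern (several failures for one user followed by a success within a short window).

```python
"""Triage VPN authentication logs for the indicators listed above.

Added example: not code from the original article or from SonicWall.
The log lines below are constructed, key=value syslog-style records; the
field names (time, msg, usr, src) and message texts are assumptions for the
example and must be checked against your appliance's log reference.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real appliance output).
SAMPLE_LOG = """\
time="2025-09-10 09:02:11" msg="User login successful" usr="alice" src=203.0.113.10
time="2025-09-10 09:15:42" msg="User login failed" usr="bob" src=198.51.100.77
time="2025-09-10 09:15:49" msg="User login failed" usr="bob" src=198.51.100.77
time="2025-09-10 09:15:55" msg="User login failed" usr="bob" src=198.51.100.77
time="2025-09-10 09:16:03" msg="User login failed" usr="bob" src=198.51.100.77
time="2025-09-10 09:16:30" msg="User login successful" usr="bob" src=198.51.100.77
time="2025-09-10 14:30:00" msg="User login successful" usr="carol" src=203.0.113.22
time="2025-09-11 03:12:09" msg="User login successful" usr="carol" src=185.199.0.5
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+msg="(?P<msg>[^"]+)"\s+usr="(?P<user>[^"]+)"\s+src=(?P<src>\S+)'
)

# Tuning knobs (assumed values; adjust to your environment).
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # expected source ranges
BUSINESS_HOURS = (7, 19)            # local time: 07:00 <= hour < 19:00 is "normal"
FAIL_THRESHOLD = 3                  # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # how far back failures count


def parse_log(text):
    """Yield one event dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield {
            "time": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            "ok": "successful" in m["msg"],
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
        }


def _alert(ev, indicator):
    return {"time": ev["time"], "user": ev["user"],
            "src": str(ev["src"]), "indicator": indicator}


def triage(text):
    """Return a list of alerts for successful logins that match an indicator.

    Indicators: source outside KNOWN_NETS, login outside BUSINESS_HOURS, and a
    success preceded by at least FAIL_THRESHOLD failures for the same user
    inside FAIL_WINDOW. Alerts are emitted in log order, one per indicator.
    """
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ev in parse_log(text):
        if not ev["ok"]:
            failures[ev["user"]].append(ev["time"])
            continue
        if not any(ev["src"] in net for net in KNOWN_NETS):
            alerts.append(_alert(ev, "unrecognized_source"))
        if not BUSINESS_HOURS[0] <= ev["time"].hour < BUSINESS_HOURS[1]:
            alerts.append(_alert(ev, "off_hours_login"))
        recent = [t for t in failures[ev["user"]] if ev["time"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(_alert(ev, "success_after_failures"))
        failures[ev["user"]].clear()  # a success ends the failure streak
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f'{a["time"]}  {a["user"]:<8} {a["src"]:<16} {a["indicator"]}')
```

On the constructed sample this yields four alerts: two for bob (source outside the known ranges, and a success following four failures inside the window) and two for carol's 03:12 login (unknown source and off-hours). Alice's and carol's daytime logins from the expected range produce nothing. The script deliberately alerts only on successful logins, since a failure streak without a success is noise you will see constantly on an internet-facing VPN; the success after it is what warrants an analyst's attention.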

The evolution of ransomware tactics, as demonstrated by the Akira group, serves as a stark reminder that cybersecurity is a continuous process. Relying on a single layer of defense, even one as strong as MFA, is no longer sufficient. Organizations must adopt a defense-in-depth strategy, stay vigilant about patching, and constantly monitor their networks for signs of intrusion.

Source: https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/
