Akira Ransomware Exploits SonicWall VPNs to Bypass MFA

Akira Ransomware Bypasses MFA on SonicWall VPNs: A Critical Security Alert

Multi-Factor Authentication (MFA) is widely regarded as a cornerstone of modern cybersecurity, providing a vital layer of defense against unauthorized access. However, a recent campaign by the notorious Akira ransomware group demonstrates that even MFA can be bypassed if the underlying infrastructure is vulnerable. Cybercriminals are actively exploiting a critical vulnerability in unpatched SonicWall Secure Mobile Access (SMA) VPN appliances to infiltrate corporate networks, completely sidestepping MFA protections.

This sophisticated attack highlights a dangerous reality: MFA is only as secure as the system it is running on. By targeting firmware flaws, attackers can gain initial access without needing to steal passwords or trick users into approving an authentication request.

How the Attack Works: Exploiting a Known Vulnerability

The Akira ransomware group is not “breaking” MFA itself. Instead, they are targeting specific, known vulnerabilities in SonicWall SMA 100 series appliances. These security flaws allow attackers to gain access to a network by stealing session cookies, effectively hijacking a user’s authenticated session after they have already logged in.

Here’s the critical takeaway: The attack allows threat actors to bypass the MFA requirement entirely by exploiting a weakness in the VPN device itself. This method is particularly insidious because it leaves no trace of a brute-force attack or failed login attempts, making it much harder to detect through traditional monitoring. Once inside the network, the attackers move laterally, escalate privileges, and ultimately deploy their ransomware to encrypt critical files and demand a ransom.

Is Your Organization at Risk?

This campaign specifically targets organizations using SonicWall Secure Mobile Access (SMA) 100 series VPN appliances. The primary risk factor is running outdated and unpatched firmware. If your organization uses these devices for remote access and has not diligently applied the latest security updates, you are a prime target for this attack.

The consequences of a successful breach are severe, including:

  • Complete network compromise and encryption of critical data.
  • Data exfiltration, where sensitive company and customer information is stolen.
  • Significant financial loss from ransom payments and operational downtime.
  • Long-term reputational damage.

Critical Security Measures to Protect Your Network

Immediate action is required to defend against this threat. Relying on MFA alone is not enough. Follow these essential steps to secure your SonicWall VPNs and protect your organization from an Akira ransomware attack.

  1. Patch Immediately: The single most important step is to update all SonicWall SMA 100 series appliances to the latest patched firmware version. SonicWall has released patches to address the vulnerabilities being exploited. Delaying this update leaves your network wide open to attack.

  2. Reset User Credentials: As a precaution, it is highly recommended to force a password reset for all user accounts that connect through the VPN, especially for administrators and other privileged users. If a device was vulnerable, you must assume that credentials could have been compromised.

  3. Review Access Logs for Suspicious Activity: Even after patching, you should thoroughly investigate VPN access logs for any signs of compromise. Look for unusual login times, connections from unfamiliar IP addresses or geographic locations, or multiple concurrent sessions for a single user. These could be indicators of an existing breach.

  4. Enhance Network Monitoring and Segmentation: Go beyond the perimeter. Implement robust internal network monitoring and Endpoint Detection and Response (EDR) solutions to quickly identify and contain suspicious lateral movement. Network segmentation can also limit an attacker’s ability to move from the initial entry point to critical servers and data stores.
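The log review in step 3, as an added example that is not part of the original alert or of any SonicWall tooling: a small Python triage script that applies the three indicators named above (off-hours logins, unfamiliar source addresses, overlapping sessions for one user) to constructed VPN session records. The record format, the known address range and the business-hours window are assumptions; real SMA appliance logs use their own syntax.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample records in a hypothetical CSV layout (not SonicWall's format):
# user, source IP, session start, session end (UTC).
SAMPLE_LOG = """\
alice,203.0.113.10,2025-09-03T08:55:00,2025-09-03T17:05:00
alice,198.51.100.77,2025-09-03T09:10:00,2025-09-03T11:40:00
bob,203.0.113.22,2025-09-03T02:17:00,2025-09-03T04:02:00
carol,203.0.113.31,2025-09-03T10:00:00,2025-09-03T12:30:00
"""

# Assumptions: ranges remote users normally come from, and the expected login window.
KNOWN_RANGES = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def parse_log(text):
    """Turn the CSV records into (user, ip, start, end) tuples."""
    rows = []
    for line in text.strip().splitlines():
        user, ip, start, end = line.split(",")
        rows.append((user, ip_address(ip),
                     datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return rows


def find_indicators(rows):
    """Return sorted (user, indicator) pairs for every record that matches an indicator."""
    hits = set()
    for user, ip, start, _ in rows:
        if not any(ip in net for net in KNOWN_RANGES):
            hits.add((user, "unfamiliar_source"))
        if not BUSINESS_HOURS[0] <= start.time() <= BUSINESS_HOURS[1]:
            hits.add((user, "off_hours_login"))
    # Concurrent sessions: two records for the same user whose time intervals overlap.
    # A second session appearing while the first is still active, from another
    # address, is what a hijacked session cookie looks like in the log.
    for i, (u1, _, s1, e1) in enumerate(rows):
        for u2, _, s2, e2 in rows[i + 1:]:
            if u1 == u2 and s1 < e2 and s2 < e1:
                hits.add((u1, "concurrent_sessions"))
    return sorted(hits)


if __name__ == "__main__":
    for user, indicator in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user}: {indicator}")
```

Matches on the sample data are a starting point for investigation, not proof of compromise; a user on a trip or working late will trigger the same indicators.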

In today’s evolving threat landscape, it is crucial to understand that vulnerabilities in network appliances are a gateway to catastrophic breaches. Proactive patching, vigilant monitoring, and a defense-in-depth security strategy are no longer optional—they are essential for survival.

Source: https://securityaffairs.com/182732/cyber-crime/akira-ransomware-bypasses-mfa-on-sonicwall-vpns.html