
Akira still bypassing SonicWall SSL VPNs, even with MFA deployed


Akira attacks on an improper access control flaw in SonicWall SSL VPN firewalls have continued despite the vendor issuing a patch last year and deploying a one-time password (OTP) multi-factor authentication (MFA) feature on Aug. 4.

In a Sept. 26 blog post, Arctic Wolf researchers said SonicWall links the attacks to CVE-2024-40766, a critical bug with a CVSS score of 9.3 that was identified more than a year ago.

While SonicWall recently disclosed an incident involving its MySonicWall cloud backup service, Arctic Wolf researchers said there is no evidence at this time that this OTP-MFA campaign is linked to the MySonicWall case.

In response to the most recent OTP-MFA incident, the Arctic Wolf researchers said security teams should monitor for VPN logins originating from untrusted hosting infrastructure. Equally important, teams should ensure visibility into internal networks, since lateral movement and ransomware encryption can occur within hours or even minutes of initial access.
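The monitoring recommendation above, as an added example that is not part of the original article or of Arctic Wolf's tooling: it scans constructed VPN login records, flags successful logins whose source address falls in hosting-provider ranges, and deliberately keeps flagging them even when the OTP step was satisfied, since that is the pattern described here. The log format, the hosting CIDRs and the usernames are all assumptions; real SonicWall syslog fields differ.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: CIDR blocks belonging to hosting/VPS providers from which no
# legitimate employee should connect. Constructed placeholder ranges.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumption: a simplified, constructed log line format. Adapt the regex to
# the appliance's real syslog export before using this against production logs.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) vpn login user="(?P<user>[^"]+)" src=(?P<src>\S+) '
    r'result=(?P<result>success|failure) mfa=(?P<mfa>otp|none)$'
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def from_hosting(src: str) -> bool:
    """True when the source IP lies inside a known hosting-provider prefix."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in HOSTING_PREFIXES)


def detect(lines):
    """Return a Finding for every successful login from hosting infrastructure.
    A satisfied OTP does not suppress the alert; it is noted in the reason so
    analysts do not dismiss the login as 'MFA passed, therefore fine'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        d = m.groupdict()
        if d["result"] != "success" or not from_hosting(d["src"]):
            continue
        mfa_note = "OTP satisfied" if d["mfa"] == "otp" else "no MFA"
        findings.append(Finding(d["ts"], d["user"], d["src"],
                                f"successful VPN login from hosting range ({mfa_note})"))
    return findings


# Constructed sample records: one normal login, one suspicious OTP-satisfied
# login from a hosting range, one failed attempt, one unparseable line.
SAMPLE_LOGS = [
    '2025-09-20T08:01:02Z vpn login user="alice" src=192.0.2.5 result=success mfa=otp',
    '2025-09-20T08:03:10Z vpn login user="bob" src=203.0.113.7 result=success mfa=otp',
    '2025-09-20T08:04:00Z vpn login user="bob" src=198.51.100.9 result=failure mfa=none',
    'malformed line that the parser should skip',
]
```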

“In the case of this recent campaign, the researchers have linked [but have not confirmed] the malicious logins back to previously exploited vulnerabilities which may have exposed credentials or OTP codes,” said James Maude, Field CTO at BeyondTrust. “These risks are all too common with identities and secrets compromised in one campaign being reused later in another. Given the complexities of the modern identity landscape, it’s all too easy for attackers to exploit identities and use them to cross organizational and technological silos by exploiting the paths to privilege associated with those identities.”

Maude added that while the potential exploitation of OTPs is relatively novel, it highlights how many MFA controls are not as secure against identity attacks as organizations believe. The recent increase in adversary-in-the-middle (AitM) attacks has shown how weaker forms of MFA are easily bypassed and sessions can be hijacked.

“This increases the need to think about the identity attack surface and not only reduce standing privilege, but use more secure phishing-resistant forms of MFA such as FIDO2,” said Maude.
