Attacks on SonicWall firewalls: Akira ransomware defies MFA

Attackers are still targeting SonicWall firewalls. Successful attacks even take place despite active multi-factor authentication.


In a current wave of attacks, attackers are pushing the Akira ransomware onto SonicWall firewalls. Multi-factor authentication (MFA) does not stop them. It is not yet clear how they gain access to the protected systems.

Security researchers from Arctic Wolf have summarized their current knowledge in an article. The attacks have been going on since August of this year and keep flaring up. The starting point is a "critical" vulnerability (CVE-2024-40766) in the SSL VPN component, which affects the Gen 5, Gen 6 and Gen 7 firewall series listed in the manufacturer's advisory.

SonicWall assures that firmware versions 5.9.2.14-13o, 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800), 6.5.4.15.116n (for other Gen 6 firewall appliances) and 7.0.1-5035 close the vulnerability. However, admins apparently still have not installed the security updates across the board, so attackers keep finding vulnerable instances.

In addition to installing the patches, SonicWall also advises securing devices with MFA. Logging in then requires, besides the password, a one-time password (OTP), which is usually generated by an authenticator app. The security researchers now state that the attackers are compromising firewalls successfully despite active MFA.

Currently, they cannot explain how this happens. In their report, they refer to a similar incident analyzed by the Google Threat Intelligence Group, which concluded that the perpetrators were very likely in possession of the secret used to generate OTPs and could therefore create valid OTPs themselves.
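To make that conclusion concrete, here is an added example (not code from the Arctic Wolf or Google reports): a minimal RFC 6238 TOTP implementation in Python showing that anyone holding a copy of the enrolled seed computes exactly the same codes as the user's authenticator app, and that only re-enrolling with a fresh seed invalidates the stolen copy. The seed is the RFC 6238 test vector, and `verify_totp` is a simplified server-side check assumed here for illustration.

```python
import hmac
import hashlib
import struct
import secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, at // step, digits)

def verify_totp(server_secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Simplified server check: accept +/- `window` steps of clock drift, constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(server_secret, at + drift * 30), submitted):
            return True
    return False

def demo(at: int = 59):
    # Constructed demo seed (RFC 6238 test vector), shared between server and authenticator app.
    seed = b"12345678901234567890"
    # Legitimate user: the authenticator app derives the code from the enrolled seed.
    user_code = totp(seed, at)
    # An attacker holding a copy of the same seed derives the identical code; no interaction
    # with the user is needed, which is why MFA alone does not stop this scenario.
    attacker_code = totp(seed, at)
    accepted_before = verify_totp(seed, attacker_code, at)
    # Mitigation: re-enroll MFA with a fresh seed. The stolen copy no longer yields valid codes.
    new_seed = secrets.token_bytes(20)
    accepted_after = verify_totp(new_seed, attacker_code, at)
    return user_code, attacker_code, accepted_before, accepted_after

if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that "resetting access data" after a suspected compromise has to include re-enrolling MFA seeds, not only changing passwords.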


Since Arctic Wolf states that it has found no evidence of configuration changes, it seems likely that the attackers in the current case also generated valid OTPs themselves. However, this has not yet been confirmed.

Admins should urgently install the security updates. They should also watch for suspicious accounts and, as a precaution, reset credentials.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.