Market Impact: 0.65

Akira ransomware breaching MFA-protected SonicWall VPN accounts

Tickers: GOOGL, GOOG, MSFT
Categories: Cybersecurity & Data Privacy; Technology & Innovation

Akira ransomware operators are successfully bypassing one-time-password (OTP) multi-factor authentication on SonicWall SSL VPNs, using credentials and, it is suspected, OTP seeds harvested earlier through the improper access control flaw CVE-2024-40766. The flaw itself is fixed by patching, but the secrets taken through it stay valid, so the attackers regain access even after organizations apply patches and update firmware; rapid internal network compromise and disabling of endpoint protection follow. The lesson is that patching alone does not close the door: any device that was ever exposed to the flaw needs a full reset of VPN credentials and OTP seeds.

Analysis

The Akira ransomware campaign shows a notable evolution in attack persistence: its operators are bypassing one-time-password (OTP) multi-factor authentication on SonicWall SSL VPN devices. The core issue is not a new zero-day. The attackers are reusing credentials, and suspected OTP seeds, stolen through CVE-2024-40766, an improper access control vulnerability that has since been patched. Because a patch does not invalidate secrets already copied out of the device, the threat actors regain access to corporate networks even after security updates, including the recommended SonicOS 7.3.0 firmware, have been applied. Post-breach activity is rapid and sophisticated: internal network scanning begins within five minutes of the VPN login, and the attackers deploy advanced evasion techniques, including a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack that abuses a legitimate, signed Microsoft executable (consent.exe) to disable endpoint protection. They also show a clear focus on backup infrastructure, targeting Veeam Backup & Replication servers to extract further credentials. The findings, corroborated by both Arctic Wolf and Google's Threat Intelligence Group, underscore that patching alone is an insufficient mitigation. The practical check for defenders is to treat every SonicWall device that ever ran a firmware vulnerable to CVE-2024-40766 as having had its local user database exposed: rotate every local account's password, re-enroll OTP bindings, and review SSL VPN authentication logs for successful logins that were accepted with a valid OTP but came from sources the user has never used before, since a stolen seed produces codes indistinguishable from the legitimate user's.
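The reason a firmware patch cannot revoke a stolen OTP seed is mechanical: an RFC 6238 TOTP code is just HMAC-SHA1 over the seed and the current 30-second counter, so anyone holding a copy of the seed generates exactly the same codes as the enrolled user. The example below is added here to illustrate that point and is not code from the article, from SonicWall, Arctic Wolf or Google. It implements TOTP generation and verification from the standard library, uses a constructed stand-in for an appliance's local user store (the real SonicOS user database and OTP handling are not modelled), and replays the scenario in the analysis above: the seed is copied before the patch, then the two remediations (patch only, patch plus seed reset) are compared. The user name, seeds and timestamps are constructed; the seed used in the usage call is the RFC 6238 test-vector key.

```python
"""Why a harvested OTP seed outlives a firmware patch (RFC 6238 TOTP).

Added example: not code from the article, SonicWall, Arctic Wolf or Google.
The user store, user name, seeds and timestamps are constructed for
illustration; the appliance's real OTP handling is not modelled.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(seed_b32: str, at: int, digits: int = 6) -> str:
    """Compute an RFC 6238 HMAC-SHA1 code from a base32 seed at Unix time `at`."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps (clock drift)."""
    return any(
        hmac.compare_digest(totp(seed_b32, at + k * STEP), code)
        for k in range(-window, window + 1)
    )


class LocalUserStore:
    """Constructed stand-in for an SSL VPN appliance's local user database."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, str]] = {}

    def enroll(self, user: str, seed_b32: str | None = None) -> str:
        """Bind a seed to the user; a fresh random seed is generated if none is given."""
        seed = seed_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.users[user] = {"otp_seed": seed}
        return seed

    def rotate_otp_seed(self, user: str) -> str:
        """Re-enrolling the user replaces the seed; any copy of the old one is dead."""
        return self.enroll(user)

    def check_otp(self, user: str, code: str, at: int) -> bool:
        return verify_totp(self.users[user]["otp_seed"], code, at)


def simulate_seed_theft(victim_seed: str, now: int) -> dict[str, bool]:
    """Replay the scenario: seed copied before the patch, then two remediations."""
    store = LocalUserStore()
    store.enroll("vpnuser", victim_seed)
    stolen = store.users["vpnuser"]["otp_seed"]  # copy taken via the old access-control bug

    # Remediation 1: firmware patched, seed untouched. The attacker's code still verifies.
    after_patch_only = store.check_otp("vpnuser", totp(stolen, now), now)

    # Remediation 2: OTP seed reset. Codes derived from the stolen copy stop verifying,
    # while the re-enrolled user with the new seed keeps working.
    new_seed = store.rotate_otp_seed("vpnuser")
    after_seed_reset = store.check_otp("vpnuser", totp(stolen, now), now)
    legit_after_reset = store.check_otp("vpnuser", totp(new_seed, now), now)

    return {
        "after_patch_only": after_patch_only,
        "after_seed_reset": after_seed_reset,
        "legit_after_reset": legit_after_reset,
    }


if __name__ == "__main__":
    # RFC 6238 test-vector key "12345678901234567890" in base32 (constructed victim seed).
    RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(simulate_seed_theft(RFC_SEED, int(time.time())))
```

The `after_patch_only` result is the whole story: the code the attacker computes from the copied seed is byte-for-byte the code the appliance expects, so nothing in the authentication path can tell the two apart. Only `rotate_otp_seed`, which is what a credential and OTP-seed reset on the appliance amounts to, changes that outcome.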


Market Sentiment

Overall Sentiment

strongly negative

Sentiment Score

-0.85

Ticker Sentiment

GOOG: 0.00
GOOGL: 0.00
MSFT: 0.00

Key Decisions for Investors

  • The demonstrated MFA bypass and persistence techniques reinforce a bullish outlook on cybersecurity firms specializing in advanced identity and access management (IAM), privileged access management (PAM), and endpoint detection and response (EDR), as legacy security controls are proving inadequate.
  • Investors should scrutinize portfolio companies for dependence on SonicWall VPN appliances. The required remediation, a full reset of VPN credentials and OTP seeds on every device that was ever exposed to CVE-2024-40766, is a material source of operational disruption, and companies that have only patched remain exposed to business interruption.
  • This incident highlights the critical importance of zero-trust security architectures; favor investments in companies that demonstrate mature internal security postures, including rigorous credential lifecycle management and defense-in-depth, as these are key differentiators for operational resilience against sophisticated threats.