Akira Ransomware Attacks: How Hackers Breach MFA-Protected SonicWall VPN Accounts

johny899

New Member
Content Writer
Messages
419
Reaction score
3
Points
23
Balance
$459.7USD
Here is an unsettling story. Attackers deploying Akira ransomware have been logging in to SonicWall VPN accounts at businesses that had MFA (multi-factor authentication) switched on. MFA is meant to be the safety net, right? In this case it was not enough.

So What Is Happening?

SonicWall's SSL VPN is widely used for remote access, and once you add MFA (one-time passcodes) on top of it, most people assume the door is locked.

The danger: researchers observed attackers logging in successfully on accounts where MFA was active.

How? The attackers appear to have obtained the OTP seeds, the per-account secrets from which the time-based passcodes are derived. Whoever holds a seed can compute every valid passcode for that account, so the second factor adds nothing against them.

There is also a related bug, CVE-2024-40766, a flaw in SonicWall's software that the attackers used to harvest login credentials. SonicWall patched CVE-2024-40766 in August 2024, but patching does not revoke anything: credentials and OTP seeds stolen before the patch, and never rotated afterwards, still work today.

How The Attack Is Conducted

A simple, step-by-step summary of what the attackers do:

• Step 1: Exploit the SonicWall flaw to pull account credentials and related data from the appliance.

• Step 2: Use the stolen OTP seeds to generate passcodes that the VPN accepts as genuine.

• Step 3: Log in to the VPN as a fully authenticated user; MFA still "works", just for the wrong person.

• Step 4: Scan the internal network to map hosts, services, and further ways in.

• Step 5: Raid password managers and credential databases to collect more logins.

• Step 6: Disable antivirus and EDR tools by loading publicly available, legitimate Windows drivers that can be abused to kill security processes.

• Step 7: Deploy the ransomware and encrypt files before the company realizes it has been breached.

That is the full chain of events, and from the attacker's side it runs quite smoothly.

Why This Matters

1. MFA alone won't protect you

MFA is worthless against an attacker who holds the OTP seed; it is like fitting a second lock to the door while the thief already has a copy of that key.

2. Updating is not enough

Patching the SonicWall software closes the hole, but it does not invalidate what was already taken. Every VPN account also needs its password reset and its MFA re-enrolled so that a new seed is generated; fully patched software is still open to anyone holding an old password and seed.
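The seed problem described under "So What Is Happening?" and the reset advice just above, shown as an added example (my own illustration, not code from SonicWall or from the researchers who reported the attacks): a minimal RFC 6238 TOTP implementation in Python. Anyone holding the base32 seed computes exactly the six-digit codes the legitimate user's authenticator app does, and only regenerating the seed (re-enrolling MFA) locks the attacker out. The two seeds and the timestamp in `demo()` are constructed for the demo; a real enrollment would use `new_seed()`.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed_b32, at // step, digits)


def verify(seed_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(seed_b32, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def new_seed(nbytes: int = 20) -> str:
    """What real enrollment does: a fresh random seed, shown to the user as base32."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def demo(now: int = 1700000000) -> dict:
    """Constructed walkthrough: stolen seed works until the account is re-enrolled."""
    # Constructed seed (the RFC 6238 test key), standing in for the user's enrolled seed.
    enrolled = base64.b32encode(b"12345678901234567890").decode()
    stolen_copy = enrolled  # attacker exfiltrated the seed from the appliance

    # Before any reset: user and attacker derive the identical code, server accepts both.
    attacker_code = totp(stolen_copy, now)
    before_reset = verify(enrolled, attacker_code, now)

    # Re-enrollment: the server stores a brand-new seed (constructed here, random in reality).
    enrolled = base64.b32encode(b"rotated-seed-demo-20").decode()
    later = now + 60
    after_reset_attacker = verify(enrolled, totp(stolen_copy, later), later)
    after_reset_user = verify(enrolled, totp(enrolled, later), later)

    return {
        "same_code_as_user": attacker_code == totp(enrolled if False else stolen_copy, now),
        "attacker_code_accepted_before_reset": before_reset,
        "attacker_code_accepted_after_reset": after_reset_attacker,
        "user_code_accepted_after_reset": after_reset_user,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that nothing in the attacker's path is an attack on the algorithm: they simply run the standard TOTP computation with a secret they should not have, which is why rotating passwords without regenerating seeds leaves the account just as exposed.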

3. Watch for odd behavior

Companies should:

• Monitor VPN logins for anomalies: new source countries or ASNs for an account, logins at odd hours, or one account appearing from two places in a short window.
• Limit who can use the VPN and what each account can reach once connected.
• Segment the network so that one compromised account does not grant access to everything.
• Alert on internal port scanning and on antivirus or EDR being stopped or uninstalled.
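The monitoring bullets above, as an added example that is not from the original post: a small Python detector run over constructed VPN login records (a simplified CSV, not SonicWall's real log format) that flags a login from a country the account has never used, two logins from different countries within an hour, and any successful login by an account whose OTP seed was not regenerated after the patch date. The patch date, the re-enrollment records, and the sample events are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of VPN login events: timestamp,user,source_ip,geo_country,result.
# Simplified CSV for the demo, not SonicWall's actual syslog format.
SAMPLE_LOG = """\
2024-10-01T08:02:11Z,alice,203.0.113.10,US,success
2024-10-01T08:05:40Z,bob,198.51.100.7,US,success
2024-10-02T09:14:03Z,alice,203.0.113.10,US,success
2024-10-02T22:41:55Z,carol,192.0.2.44,US,failure
2024-10-03T03:17:22Z,alice,198.51.100.200,RU,success
2024-10-03T03:40:09Z,bob,192.0.2.99,DE,success
2024-10-03T04:02:30Z,bob,198.51.100.7,US,success
"""

# Hypothetical dates: when the appliance was patched, and when each account's
# OTP seed was regenerated (None = the account was never re-enrolled).
PATCH_DATE = datetime(2024, 9, 1, tzinfo=timezone.utc)
MFA_REENROLLED = {
    "alice": datetime(2024, 9, 3, tzinfo=timezone.utc),
    "bob": None,
    "carol": datetime(2024, 9, 5, tzinfo=timezone.utc),
}


def parse_events(text: str) -> list:
    """Parse the CSV sample into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, baseline_end: datetime,
           travel_window: timedelta = timedelta(hours=1)) -> list:
    """Return (rule, user, timestamp) alerts for successful logins after baseline_end.

    Logins before baseline_end only build each user's set of known countries.
    """
    seen_countries = defaultdict(set)
    last_login = {}
    stale_alerted = set()
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are not authenticated access
        user = ev["user"]
        if ev["ts"] < baseline_end:
            seen_countries[user].add(ev["country"])
            last_login[user] = ev
            continue
        # Rule 1: a country this account has never logged in from (new users trip it too).
        if ev["country"] not in seen_countries[user]:
            alerts.append(("new_country", user, ev["ts"]))
        # Rule 2: two different countries inside the travel window.
        prev = last_login.get(user)
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] < travel_window:
            alerts.append(("impossible_travel", user, ev["ts"]))
        # Rule 3: account still using a seed that predates the patch (alert once per user).
        reenrolled = MFA_REENROLLED.get(user)
        if (reenrolled is None or reenrolled < PATCH_DATE) and user not in stale_alerted:
            alerts.append(("stale_mfa_seed", user, ev["ts"]))
            stale_alerted.add(user)
        seen_countries[user].add(ev["country"])
        last_login[user] = ev
    return alerts


def run_sample() -> list:
    """Run the detector on the constructed log with a two-day baseline."""
    baseline_end = datetime(2024, 10, 3, tzinfo=timezone.utc)
    return detect(parse_events(SAMPLE_LOG), baseline_end)


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {rule:18} {user}")
```

Rule 3 is the one specific to this incident: after a credential-theft bug like CVE-2024-40766, any successful VPN login by an account that was never re-enrolled is worth a ticket on its own, even when nothing else about the login looks odd.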

My take

This attack illustrates a simple truth: no single defensive measure is infallible. I used to feel invulnerable with MFA in place, but if I somehow lose the core secret that MFA relies on, that safety was an illusion. It's like hiding a spare key to your house under the mat: there is comfort in having it there, until someone rather innocently moves the mat.

To those who run SonicWall or know someone who does: patch your systems, reset your accounts, and stay hyper-vigilant. It's always better to be cautious than to be locked out of your own systems by ransomware.