Akira Ransomware Continues Exploiting SonicWall Vulnerability Using Legitimate Tools

Security researchers warn that the Akira ransomware group is still actively exploiting a year-old SonicWall vulnerability (CVE-2024-40766) for initial access, while relying on pre-installed and legitimate tools to evade detection. The flaw, a critical improper access control issue in SonicOS with a CVSS score of 9.3, was patched in August 2024, yet Akira continues to compromise appliances that remain unpatched.

Over the past three months, Akira attacks have focused on SSL VPN accounts using one-time passwords (OTP) for multi-factor authentication (MFA). According to Arctic Wolf, dozens of incidents show common indicators such as VPN logins from VPS hosting providers, network scanning, Impacket SMB activity for endpoint discovery, and Active Directory reconnaissance.

The evidence suggests that multiple actors or affiliates may be involved, using automation for authentication and leveraging readily available tools for lateral movement and network exploration. While it remains unclear how Akira bypassed MFA, SonicWall confirmed that devices running SonicOS versions prior to 7.3 “may have been vulnerable to brute force attacks affecting MFA credentials.”

Arctic Wolf notes that these intrusions show extremely short dwell times, measured in hours rather than days, which makes rapid detection and response crucial. By alerting on VPN logins from hosting-related ASNs and on SMB activity from hosts that do not normally generate it, organizations can disrupt an intrusion before it reaches the encryption stage.
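The two detections Arctic Wolf describes, plus a check for a login that succeeds after a burst of failures (the brute-force pattern SonicWall mentioned), as an added example that is not Arctic Wolf's or SonicWall's code. The log line formats, the IP-to-ASN table and the sample events are all constructed for this example; a real deployment would parse the firewall's actual syslog schema and use a proper IP-to-ASN feed.

```python
"""Triage constructed VPN and SMB log lines for the indicators described above.

Added example; not Arctic Wolf's or SonicWall's code. Log formats, ASN table
and sample events are hypothetical."""
import ipaddress
import re
from collections import defaultdict

# Constructed IP-to-ASN table for this example only (documentation ranges).
ASN_PREFIXES = {
    "203.0.113.0/24": "AS64500",   # hypothetical VPS hosting provider
    "198.51.100.0/24": "AS64501",  # hypothetical cloud provider
    "192.0.2.0/24": "AS64502",     # hypothetical residential ISP
}
HOSTING_ASNS = {"AS64500", "AS64501"}

# Hypothetical line formats, not SonicWall's real syslog schema.
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
SMB_RE = re.compile(r"^(?P<ts>\S+) smb src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+)$")


def lookup_asn(ip):
    """Return the ASN for an IP, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def analyze(lines, known_smb_scanners=frozenset(), fail_threshold=3, fanout_threshold=5):
    """Return a list of findings, one per triggered rule."""
    findings = []
    failures = defaultdict(int)   # failed VPN logins per user
    fanout = defaultdict(set)     # distinct SMB destinations per source
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            if m["result"] == "fail":
                failures[m["user"]] += 1
            elif m["result"] == "success":
                asn = lookup_asn(m["src"])
                if asn in HOSTING_ASNS:
                    findings.append({"rule": "vpn_login_from_hosting_asn",
                                     "user": m["user"], "src": m["src"], "asn": asn})
                if failures[m["user"]] >= fail_threshold:
                    findings.append({"rule": "success_after_repeated_failures",
                                     "user": m["user"], "failures": failures[m["user"]]})
            continue
        m = SMB_RE.match(line)
        if m and m["src"] not in known_smb_scanners:
            fanout[m["src"]].add(m["dst"])
    # One source opening SMB sessions to many hosts looks like endpoint discovery.
    for src, dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            findings.append({"rule": "smb_fanout", "src": src, "hosts": len(dsts)})
    return findings


# Constructed sample log: three failures then a success from a hosting range,
# a benign residential login, and a VPN-pool host fanning out over SMB.
SAMPLE_LOG = [
    "2025-09-01T02:10:01Z vpn user=jdoe src=203.0.113.45 result=fail",
    "2025-09-01T02:10:04Z vpn user=jdoe src=203.0.113.45 result=fail",
    "2025-09-01T02:10:07Z vpn user=jdoe src=203.0.113.45 result=fail",
    "2025-09-01T02:10:10Z vpn user=jdoe src=203.0.113.45 result=success",
    "2025-09-01T02:11:30Z vpn user=asmith src=192.0.2.10 result=success",
    "2025-09-01T02:15:00Z smb src=10.10.0.50 dst=10.0.1.5 op=tree_connect",
    "2025-09-01T02:15:01Z smb src=10.10.0.50 dst=10.0.1.6 op=tree_connect",
    "2025-09-01T02:15:01Z smb src=10.10.0.50 dst=10.0.1.7 op=tree_connect",
    "2025-09-01T02:15:02Z smb src=10.10.0.50 dst=10.0.1.8 op=tree_connect",
    "2025-09-01T02:15:02Z smb src=10.10.0.50 dst=10.0.1.9 op=tree_connect",
    "2025-09-01T02:15:03Z smb src=10.10.0.50 dst=10.0.1.5 op=tree_connect",
    "2025-09-01T02:16:00Z smb src=10.0.0.20 dst=10.0.1.5 op=tree_connect",
]


def run_example():
    # 10.0.0.20 is a hypothetical vulnerability scanner that legitimately touches every host.
    return analyze(SAMPLE_LOG, known_smb_scanners={"10.0.0.20"})


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The fan-out threshold and the allow-list of known scanners are the two knobs that decide the false-positive rate; the ASN rule is cheap and catches the initial login hours before the SMB pattern appears, which is what matters when dwell time is measured in hours.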

In one analyzed attack, Barracuda observed that Akira affiliates abused pre-installed and legitimate utilities, including the Datto Remote Monitoring and Management (RMM) tool already deployed on a domain controller. The attackers drove the intrusion from the RMM console alongside existing backup agents, so no new software was installed and nothing tripped alerts keyed to unfamiliar executables.

Using Datto, the attackers ran PowerShell scripts to take full control of the server, modified registry keys to disable security features, and deployed scripts that altered firewall rules. Barracuda explains:

“The attackers didn’t deploy sophisticated new malware. Instead, they used existing tools — the Datto RMM and backup agents — making their activity mimic normal IT operations.”

This approach allowed Akira operators to stay under the radar, and it illustrates how ransomware groups increasingly rely on legitimate software to carry out attacks while sidestepping detection that keys on new or unknown binaries. Organizations are urged to patch vulnerable systems immediately, monitor for unusual activity, and strengthen MFA enforcement. Patching alone does not invalidate credentials that may have been captured while a device was exposed, so credential and OTP resets should accompany the update.
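Because the RMM agent is trusted, a detection for the Barracuda-observed behaviour has to key on what the agent's child processes do rather than on which binary ran: a shell spawned by an RMM or backup agent whose command line changes registry values, firewall rules or Defender settings, or carries an encoded command. The following is an added example of that logic run over constructed process-creation events; it is not Barracuda's or Datto's code, and the agent process names (`rmm_agent.exe`, `backup_agent.exe`), hostnames, registry path and events are placeholders, not real Datto artefacts.

```python
"""Flag defensive-evasion command lines launched by RMM or backup agents.

Added example; not Barracuda's or Datto's code. Agent process names, hosts,
registry paths and events are placeholders constructed for this example."""
import re

# Placeholder agent names; real names depend on the product and deployment.
RMM_AGENTS = {"rmm_agent.exe", "backup_agent.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line patterns for the three behaviours described in the article,
# plus encoded PowerShell, which is how scripts are commonly passed by RMM tools.
DEFENSE_PATTERNS = [
    ("registry_write", re.compile(
        r"\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|reg(?:\.exe)?\s+(?:add|delete))\b", re.I)),
    ("firewall_change", re.compile(
        r"\b(New-NetFirewallRule|Set-NetFirewallRule|Remove-NetFirewallRule|Set-NetFirewallProfile|netsh\s+advfirewall)\b", re.I)),
    ("defender_tamper", re.compile(
        r"\b(Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware)\b", re.I)),
    ("encoded_command", re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\b", re.I)),
]


def triage(events):
    """Return findings for shells spawned by an agent whose command line matches a pattern."""
    findings = []
    for ev in events:
        if ev["parent"].lower() not in RMM_AGENTS or ev["image"].lower() not in SHELLS:
            continue  # rule is scoped to agent-spawned shells only
        hits = [name for name, rx in DEFENSE_PATTERNS if rx.search(ev["cmdline"])]
        if not hits:
            continue  # agents legitimately run plenty of read-only PowerShell
        severity = "high" if ev.get("role") == "domain_controller" else "medium"
        findings.append({"host": ev["host"], "parent": ev["parent"],
                         "categories": hits, "severity": severity, "cmdline": ev["cmdline"]})
    return findings


# Constructed process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "DC01", "role": "domain_controller", "parent": "rmm_agent.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "DC01", "role": "domain_controller", "parent": "rmm_agent.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"'},
    {"host": "DC01", "role": "domain_controller", "parent": "rmm_agent.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c reg add HKLM\SOFTWARE\Example\Policy /v DisableFeature /t REG_DWORD /d 1 /f"},
    {"host": "DC01", "role": "domain_controller", "parent": "rmm_agent.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Service"'},           # benign, no finding
    {"host": "WS02", "role": "workstation", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -Command "Set-NetFirewallRule -DisplayName X -Enabled False"'},  # not agent-spawned
    {"host": "FS01", "role": "file_server", "parent": "backup_agent.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def run_example():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding["severity"], finding["host"], finding["categories"])
```

The interactive `explorer.exe` case is deliberately out of scope: it belongs to a separate, noisier rule. Keeping this one narrow (agent parent, shell child, evasion-shaped command line) is what makes it quiet enough to page on, and the domain-controller escalation mirrors where Barracuda saw the agent being abused.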

Source: https://www.securityweek.com/akira-ransomwares-exploitation-of-sonicwall-vulnerability-continues