
Akira Ransomware: MFA Bypass Hits SonicWall VPNs

by Sophie Lin - Technology Editor

SonicWall VPNs: MFA is No Longer Enough – The Rise of OTP Seed Theft and Rapid Ransomware Deployment

Nearly half of all environments now see passwords cracked during security assessments – a staggering 46%, nearly doubling from 25% last year. This alarming statistic underscores a fundamental shift in the threat landscape: traditional security measures, even multi-factor authentication (MFA), are increasingly insufficient. Recent attacks targeting SonicWall SSL VPN devices demonstrate a sophisticated evolution in ransomware tactics, where attackers are bypassing OTP MFA using stolen seeds, gaining rapid network access, and deploying ransomware like Akira with frightening speed.

The Akira Campaign and the CVE-2024-40766 Vulnerability

The ongoing attacks, first reported in July, were initially suspected to exploit a zero-day flaw in SonicWall’s SSL VPN devices. SonicWall, however, pinpointed the root cause as an improper access control vulnerability, CVE-2024-40766, disclosed in September 2024 and patched in August. Despite the patch, threat actors continue to leverage credentials harvested before the fix was applied. This highlights a critical vulnerability window and the long-term consequences of compromised credentials: patching closes the hole, but it does not invalidate what was already taken.

Bypassing MFA: The Stolen OTP Seed Problem

Recent research from Arctic Wolf reveals a disturbing trend: attackers are successfully logging into accounts even with one-time password (OTP) MFA enabled. Multiple OTP challenges are being issued and then successfully solved, strongly suggesting the compromise of OTP seeds – the secret keys used to generate the time-sensitive codes. Google Threat Intelligence Group (GTIG) has observed similar activity, tracking a financially motivated group, UNC6148, exploiting stolen OTP seeds on end-of-life SonicWall SMA 100 series appliances. This isn’t simply a case of cracking MFA; it’s a direct theft of the mechanism itself.

How are Attackers Obtaining OTP Seeds?

While the exact methods remain unclear, the prevailing theory centers around the initial exploitation of CVE-2024-40766. Attackers likely harvested credentials, including the crucial OTP seeds, during the period the vulnerability was active. These seeds are then reused, even after devices are patched, granting persistent access. The potential for zero-day exploits in the past, as suggested by Google, cannot be ruled out, but the current wave is demonstrably linked to previously stolen data.
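The seed-reuse problem described in the two sections above, as an added example (not code from the article, from Arctic Wolf or from SonicWall): a minimal RFC 6238 TOTP implementation in Python, run through a constructed scenario in which a seed copied before patching keeps validating a month after the patch, and only re-enrolling the user (issuing a fresh seed) rejects the copy. The seed, timestamps and re-enrollment value are constructed; the first seed is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(seed, now // step, digits)


def verify(seed, code, now, step=30, skew=1):
    """Accept the code for the current step and +/- skew steps, using a constant-time compare."""
    return any(hmac.compare_digest(totp(seed, now + d * step, step), code)
               for d in range(-skew, skew + 1))


def seed_theft_scenario():
    """Constructed scenario: a seed copied from an appliance before patching still
    validates afterwards; only issuing a new seed (re-enrollment) stops it."""
    seed = b"12345678901234567890"        # RFC 6238 test seed, standing in for an enrolled user
    stolen_copy = bytes(seed)             # a copy of the seed is the seed; nothing ties it to the device
    patch_time = 1_725_000_000            # hypothetical moment the appliance is patched
    later = patch_time + 30 * 86_400      # a month after patching, MFA never re-enrolled
    still_valid = verify(seed, totp(stolen_copy, later), later)
    new_seed = hashlib.sha256(b"constructed re-enrollment").digest()[:20]  # fresh seed issued
    after_reenroll = verify(new_seed, totp(stolen_copy, later), later)
    return {"old_seed_valid_after_patch": still_valid,
            "old_seed_valid_after_reenroll": after_reenroll}


if __name__ == "__main__":
    print(seed_theft_scenario())
```

The practical consequence for defenders is that a patch alone is not a remediation step for this class of compromise; every OTP enrollment that existed while the appliance was exposed needs a new seed.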

Rapid Network Compromise and Targeted Data Theft

Once inside a network, the Akira ransomware affiliates move with alarming efficiency. Arctic Wolf reports internal network scanning occurring within as little as five minutes of initial access. Attackers are utilizing tools like Impacket for SMB session setup, RDP for remote access, and utilities like dsquery, SharpShares, and BloodHound for Active Directory reconnaissance. A particularly concerning focus is on Veeam Backup & Replication servers. A custom PowerShell script is deployed to extract and decrypt credentials stored within backups, including sensitive DPAPI secrets, effectively neutralizing a key recovery strategy.
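One detection that follows directly from the five-minute scanning observation above, as an added example (not code from the article or from Arctic Wolf): correlate each SSL VPN login with the SMB/RDP flows from its assigned client address and alert when that client reaches many distinct internal hosts inside the window. The log format, the addresses and the thresholds are constructed for the example.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def build_sample():
    """Constructed telemetry (not from the article): one VPN login followed by an
    SMB sweep of 20 hosts from the assigned client address within five minutes,
    and a second login whose only traffic is a single HTTPS connection."""
    lines = ["2025-09-10T08:00:00Z vpn_login user=j.doe src=203.0.113.7 assigned_ip=10.10.50.21"]
    for host in range(10, 30):
        lines.append(f"2025-09-10T08:02:41Z flow src=10.10.50.21 dst=10.10.1.{host} dport=445")
    lines.append("2025-09-10T08:30:00Z vpn_login user=m.ng src=198.51.100.9 assigned_ip=10.10.50.22")
    lines.append("2025-09-10T08:35:00Z flow src=10.10.50.22 dst=10.10.1.10 dport=443")
    return lines


def parse(line):
    """Split '<iso-ts> <event> k=v k=v ...' into (timestamp, event, fields)."""
    m = LINE_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


def detect_fast_scans(lines, window=timedelta(minutes=5), min_hosts=10, ports=(445, 3389)):
    """Alert when a freshly logged-in VPN client reaches at least `min_hosts` distinct
    internal hosts on SMB/RDP ports inside `window` of its login."""
    events = [parse(line) for line in lines]
    alerts = []
    for login_ts, kind, login in events:
        if kind != "vpn_login":
            continue
        targets = {
            f["dst"]
            for ts, k, f in events
            if k == "flow"
            and f["src"] == login["assigned_ip"]
            and login_ts <= ts <= login_ts + window
            and int(f["dport"]) in ports
        }
        if len(targets) >= min_hosts:
            alerts.append({"user": login["user"], "vpn_src": login["src"],
                           "client_ip": login["assigned_ip"], "hosts": len(targets)})
    return alerts


if __name__ == "__main__":
    for alert in detect_fast_scans(build_sample()):
        print(alert)
```

Tune `min_hosts` against the normal post-login behaviour of your own VPN users, and extend `ports` if the Veeam or AD hosts in your environment listen elsewhere.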

BYOVD Attacks and Driver Abuse

To evade detection, attackers are employing Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques. This involves abusing Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that load vulnerable drivers (rwdrv.sys, churchill_driver.sys). These drivers disable endpoint protection, allowing the ransomware to encrypt data without interference. This sophisticated tactic demonstrates a high level of technical skill and a deliberate effort to bypass conventional security measures.

The Implications for Network Security

The SonicWall attacks serve as a stark warning: MFA is not a silver bullet. The compromise of OTP seeds represents a significant escalation in attack sophistication. Organizations relying solely on MFA, particularly for critical VPN access, are leaving themselves vulnerable. Even applying patches after a vulnerability is exploited isn’t enough if attackers have already harvested credentials. The fact that attacks are impacting devices running the recommended SonicOS 7.3.0 further underscores the severity of the situation.

The future of network security demands a layered approach. Beyond MFA, organizations must prioritize robust credential hygiene, continuous monitoring for compromised accounts, and proactive threat hunting. Zero Trust principles, where access is granted based on continuous verification rather than implicit trust, are becoming increasingly essential. Regularly rotating credentials, implementing strong password policies, and investing in advanced threat detection capabilities are no longer optional – they are critical for survival.

What steps are you taking to protect your organization from stolen credential attacks? Share your strategies and concerns in the comments below!
