Akira Ransomware Bypassing OTP-Protected SonicWall SSL VPN Accounts — What Practitioners Need to Know
Overview of the incident
Security researchers tracking ongoing attacks by the Akira ransomware group report that the actors have been successfully authenticating to SonicWall SSL VPN accounts even where one-time passcode (OTP) multi-factor authentication (MFA) is enabled. Researchers suspect the use of previously stolen OTP seeds as one possible mechanism, but the exact technique for defeating MFA in these incidents remains unconfirmed.
The reported activity is focused on SonicWall SSL VPN appliances and is part of a broader pattern of threat actors targeting remote-access infrastructure as an initial access vector for ransomware operations.
Background and why this matters
VPN appliances and remote access portals are high-value targets. They provide direct access to corporate networks and are often reachable from the public internet. When threat actors successfully access a VPN account, they can move laterally, harvest credentials, deploy ransomware, and exfiltrate data.
MFA is widely recommended and deployed precisely to reduce the risk of such compromises. A successful authentication despite OTP-based MFA therefore represents a material escalation: it demonstrates that an adversary can defeat an important defensive control and reach internal resources that organizations assume are protected.
- Remote access gateways (SSL VPNs) are frequent targets because they often sit at the network perimeter and may be unpatched or misconfigured.
- OTP-based MFA relies on a secret seed — if that secret is exposed, the second factor is effectively compromised.
- Ransomware actors typically chain several techniques — from credential harvesting and VPN access to lateral movement and encryption — so bypassing MFA can accelerate and widen impact.
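The point about seeds above is easiest to see by building TOTP itself. The following is an added example, not code from the article or from SonicWall: a from-scratch RFC 4226/6238 implementation with a verifier of the kind an appliance runs. The appliance can only check that a code matches the shared seed for the current time step; it cannot tell which device computed it, so an attacker holding a copy of the seed authenticates without phishing anyone. The seed-theft path is the hypothesised one from the reports, and the enrollment/re-enrollment helpers and the RFC test seed are assumptions for illustration.

```python
"""TOTP (RFC 6238) from scratch: whoever holds the seed holds the second factor."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # seconds per TOTP time step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(seed, unix_time // STEP, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Appliance-side check tolerating +/- `window` time steps of clock skew.

    Note what it does NOT check: which device produced the code. Any party with
    the seed and a clock is indistinguishable from the enrolled user.
    """
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * STEP), code):
            return True
    return False


def enroll() -> bytes:
    """Fresh 160-bit seed; hypothetical enrollment helper, the only secret the scheme rests on."""
    return secrets.token_bytes(20)


def stolen_seed_demo(seed: bytes, unix_time: int) -> dict:
    """User and attacker holding a copy of the same seed produce the same code.

    `seed` stands in for one copied from a backup, an enrollment QR screenshot or an
    authenticator database; the mechanism in the Akira incidents is unconfirmed, so
    this is the hypothesised path, not an established finding.
    """
    user_code = totp(seed, unix_time)      # from the user's authenticator app
    attacker_code = totp(seed, unix_time)  # from the attacker's copy; no interaction with the user
    return {
        "user_code": user_code,
        "attacker_code": attacker_code,
        "appliance_accepts_attacker": verify_totp(seed, attacker_code, unix_time),
    }


def reenroll_and_retest(old_seed: bytes, unix_time: int) -> dict:
    """Re-enrollment replaces the seed, so codes from the attacker's old copy stop matching."""
    new_seed = enroll()
    return {
        "seed_rotated": new_seed != old_seed,
        "old_copy_still_accepted": verify_totp(new_seed, totp(old_seed, unix_time), unix_time),
        "new_device_accepted": verify_totp(new_seed, totp(new_seed, unix_time), unix_time),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), base32 as an app would scan it.
    rfc_seed = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(rfc_seed, 59))  # RFC vector: 287082
    print(stolen_seed_demo(rfc_seed, int(time.time())))
    print(reenroll_and_retest(rfc_seed, int(time.time())))
```

The takeaway for the response items later on the page: resetting the password alone does nothing against a copied seed; only re-enrollment (a new seed) or a move to a factor whose private key never leaves the device (FIDO2/WebAuthn) closes this path.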
Expert commentary and technical analysis for practitioners
From an operational-security perspective, the Akira activity reinforces several long-standing realities:
- Multi-factor authentication reduces risk but is not a panacea. The security of OTP-based MFA depends on protecting the secret seeds and enrollment processes.
- Attackers combine whatever they can obtain (stolen passwords, copied OTP seeds, hijacked session tokens, social engineering) to get past protections. Absent strong, phishing-resistant factors (e.g., FIDO2 hardware keys, certificate-based authentication), risk remains.
- Appliances exposed to the internet require aggressive patching, monitoring, and segmentation. A perimeter device compromise often yields fast, high-impact access into internal environments.
Practitioners should consider the following investigative priorities when responding to suspected MFA bypasses on VPN appliances:
- Collect and preserve appliance logs (authentication logs, administrative actions, configuration changes) and correlate them with firewall and proxy logs to trace lateral movement.
- Review MFA provisioning and enrollment events. Look for unexpected re-enrollments, seed exports, or administrative changes that could indicate seed compromise or unauthorized MFA resets.
- Identify anomalous login patterns: logins from new or foreign IP addresses, logins at unusual hours, multiple sessions for the same account, and rapid IP hopping.
- Inspect endpoint telemetry and domain controllers for post-authentication activity — account abuse frequently proceeds quickly to credential dumping and lateral tools.
Comparable cases and observable trends
While details of this specific Akira activity are still emerging, the broader trend is well-documented and non-controversial: adversaries continue to target remote access solutions and look for ways around multifactor protections.
- Ransomware and other extortion groups have repeatedly exploited VPN appliances and other remote-access technology to gain initial ingress.
- Techniques to defeat or bypass MFA reported in prior incidents include credential theft, session hijacking, social-engineered MFA push approvals (MFA fatigue), and theft of MFA seeds or tokens.
- Security guidance from industry groups has emphasized moving toward phishing-resistant MFA (public-key based) and applying strict controls on remote-access appliances because simple OTPs, while better than passwords alone, can be undermined if an adversary possesses the secret or the session token.
Potential risks, implications, and prioritized recommendations
Risk and implications
- If an attacker can authenticate to VPNs that organizations believe are protected by MFA, they may gain immediate access to internal resources, unprotected hosts, and backups — increasing the likelihood of rapid, high-impact ransomware deployment.
- Compromise of OTP seeds or the MFA enrollment process can lead to long-lived, stealthy access that is difficult to detect without targeted telemetry and good logging practices.
- Exposure of remote access appliances can result in broader regulatory and business impacts due to data theft, operational disruption, and potential extortion.
Actionable recommendations (prioritized)
- Immediate containment and triage
- Isolate affected VPN appliances from the internet and internal networks if compromise is suspected; preserve forensic images and logs.
- Force a password reset and immediate MFA re-enrollment for accounts suspected to be compromised; revoke sessions and tokens.
- Short-term mitigations
- Apply the latest firmware and security patches to SonicWall appliances and other perimeter devices.
- Restrict administrative access to management interfaces (jump hosts, dedicated admin subnets, IP allowlists, and MFA for admin actions).
- Implement conditional access rules where possible (geo-fencing, device posture checks, time-of-day restrictions).
- Medium- and long-term hardening
- Migrate from OTP-based MFA to phishing-resistant methods (FIDO2/WebAuthn hardware tokens or certificate-based authentication) for high-risk accounts and administrative users.
- Enforce least privilege and network segmentation so a single VPN account cannot access critical management networks or backups.
- Require endpoint detection and response (EDR) on devices used to access VPNs and enforce strong device hygiene (patching, disk encryption).
- Implement centralized logging and SIEM detection rules tuned for remote-access anomalies and MFA-related anomalies (e.g., sudden successful OTPs after many failures, concurrent sessions).
- Detection and monitoring improvements
- Monitor for unusual administration events on VPN appliances (configuration exports, new accounts, unexpected MFA provisioning).
- Track and alert on new persistent sessions, rapid geographic changes in login locations, and atypical service account usage.
- Incident response and readiness
- Prepare playbooks specifically for perimeter appliance compromises and MFA bypass scenarios; rehearse with tabletop exercises.
- Engage vendors and external incident response partners early when device compromise is suspected.
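The anomalous-login patterns listed under the investigative priorities and the SIEM rules listed under detection and monitoring above can be expressed as a few stateful checks over authentication events. The following is an added example, not code from the article or any vendor: it parses a constructed, vendor-neutral log format (not real SonicWall syslog), then runs four rules over it: a burst of failures followed by a success, concurrent sessions for one account from different source addresses, a successful login from an address outside a per-user baseline (which also catches the service account that should never use the VPN), and off-hours logins. The log lines, the baseline and the thresholds are all constructed for the example.

```python
"""Detection rules over constructed SSL VPN authentication events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real SonicWall log format). One event per line,
# ISO-8601 UTC timestamp followed by key=value pairs. Parsed events are sorted by time.
SAMPLE_LOG = """\
2024-05-02T09:02:11Z user=jsmith src=198.51.100.7 country=US result=OK session=s1
2024-05-02T17:30:40Z user=jsmith src=198.51.100.7 country=US result=LOGOUT session=s1
2024-05-03T02:14:01Z user=jsmith src=203.0.113.45 country=RO result=FAIL reason=bad_otp
2024-05-03T02:14:09Z user=jsmith src=203.0.113.45 country=RO result=FAIL reason=bad_otp
2024-05-03T02:14:18Z user=jsmith src=203.0.113.45 country=RO result=FAIL reason=bad_otp
2024-05-03T02:14:27Z user=jsmith src=203.0.113.45 country=RO result=FAIL reason=bad_otp
2024-05-03T02:14:36Z user=jsmith src=203.0.113.45 country=RO result=FAIL reason=bad_otp
2024-05-03T02:14:55Z user=jsmith src=203.0.113.45 country=RO result=OK session=s2
2024-05-03T08:05:30Z user=jsmith src=198.51.100.7 country=US result=OK session=s3
2024-05-03T08:40:00Z user=svc-backup src=203.0.113.46 country=RO result=OK session=s4
2024-05-03T08:41:00Z user=svc-backup src=203.0.113.46 country=RO result=LOGOUT session=s4
"""

# Constructed baseline: source addresses each account has used before. The service
# account has no interactive VPN history, so any login for it is anomalous.
BASELINE = {"jsmith": {"198.51.100.7"}, "svc-backup": set()}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse(log_text: str) -> list:
    """Turn log lines into dicts with a tz-aware `ts`, sorted chronologically."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Success preceded by >= threshold failures for the same account within `window`."""
    alerts, recent = [], defaultdict(list)  # user -> timestamps of recent FAILs
    for ev in events:
        user = ev["user"]
        if ev["result"] == "FAIL":
            recent[user].append(ev["ts"])
        elif ev["result"] == "OK":
            fails = [t for t in recent[user] if ev["ts"] - t <= window]
            if len(fails) >= threshold:
                span = int((ev["ts"] - fails[0]).total_seconds())
                alerts.append(("failures_then_success", user, iso(ev["ts"]),
                               f"{len(fails)} failures in {span}s before success from {ev['src']}"))
            recent[user].clear()
    return alerts


def concurrent_sessions(events):
    """A new session for an account while another session from a different address is still open."""
    alerts, open_sessions = [], defaultdict(dict)  # user -> {session: src}
    for ev in events:
        user, sess = ev["user"], ev.get("session")
        if ev["result"] == "OK":
            for other, src in open_sessions[user].items():
                if src != ev["src"]:
                    alerts.append(("concurrent_sessions", user, iso(ev["ts"]),
                                   f"{other}@{src} still open when {sess}@{ev['src']} started"))
            open_sessions[user][sess] = ev["src"]
        elif ev["result"] == "LOGOUT":
            open_sessions[user].pop(sess, None)
    return alerts


def novel_source(events, baseline):
    """Successful login from a source address the account has not used before."""
    return [("novel_source", ev["user"], iso(ev["ts"]), f"{ev['src']} ({ev['country']}) not in baseline")
            for ev in events
            if ev["result"] == "OK" and ev["src"] not in baseline.get(ev["user"], set())]


def off_hours(events, start_hour=6, end_hour=20):
    """Successful login outside the configured working window (UTC hours)."""
    return [("off_hours", ev["user"], iso(ev["ts"]), f"login at {ev['ts'].hour:02d}:xx UTC from {ev['src']}")
            for ev in events
            if ev["result"] == "OK" and not (start_hour <= ev["ts"].hour < end_hour)]


def run_all(log_text: str, baseline: dict) -> list:
    """All alerts, ordered by time then rule name, ready for a SIEM or a ticket."""
    events = parse(log_text)
    alerts = (failures_then_success(events) + concurrent_sessions(events)
              + novel_source(events, baseline) + off_hours(events))
    return sorted(alerts, key=lambda a: (a[2], a[0]))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG, BASELINE):
        print(alert)
```

Note that a login using a stolen seed will usually not trip the failure-burst rule, since the attacker's codes are correct on the first try; the novel-source, concurrent-session and off-hours rules are the ones that still fire for a quiet, correctly-authenticated intruder, which is why they belong together.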
Conclusion
The reports of Akira operators authenticating to SonicWall SSL VPN accounts despite OTP-based MFA underscore a critical lesson: MFA is an essential control but must be part of layered defenses, not a single point of reliance. Organizations should urgently validate the integrity of MFA enrollment and secret management, apply appliance patches, and accelerate adoption of phishing-resistant authentication for high-risk accounts. Detection, rapid containment, and the ability to re-provision credentials and tokens are key to limiting impact when MFA protections are circumvented or seeds are suspected to be compromised.
Source: www.bleepingcomputer.com