Akira affiliates abuse legitimate Windows drivers to evade detection in SonicWall attacks
Making a stronger case for zero-day abuse, Arctic Wolf said, “In some instances, fully patched SonicWall devices were affected following credential rotation.” Some accounts were also compromised despite TOTP MFA being enabled, it added.
In both cases, Arctic Wolf confirmed, only a short interval was observed between the initial SSLVPN account access and ransomware encryption.
SonicWall did not immediately respond to CSO’s request for comment, but had addressed the ‘zero-day’ reports in the disclosure, stating it is “committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed”. Earlier this year, SonicWall informed customers of a high-severity bug (tracked as CVE-2024-53704) affecting SSLVPN services that allowed authentication bypass by remote attackers. Apart from disabling SSLVPN services where practical, users are advised to limit SSLVPN connectivity to trusted source IPs, enable Botnet protection, Geo-IP filtering, and other security services, enforce MFA, and remove unused accounts.
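The last two of those recommendations (restrict SSLVPN to trusted source IPs, remove unused accounts) can be checked against authentication logs before an attacker gets to the encryption stage. The script below is an added example, not code from SonicWall or Arctic Wolf; it uses a constructed, simplified log format (not SonicWall's real syslog schema), a constructed trusted-network list and a constructed set of accounts slated for removal, and flags successful SSLVPN logins that violate either rule.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines in a simplified SSLVPN auth format (not the vendor's real schema).
SAMPLE_LOG = """\
2025-07-28T02:14:05Z sslvpn login user=jsmith src=203.0.113.45 result=success
2025-07-28T02:16:40Z sslvpn login user=svc_backup src=198.51.100.7 result=success
2025-07-28T02:17:02Z sslvpn login user=jsmith src=203.0.113.45 result=success
2025-07-28T02:19:11Z sslvpn login user=mlee src=10.20.30.40 result=success
2025-07-28T02:20:00Z sslvpn login user=old_contractor src=192.0.2.99 result=failure
"""

# Constructed policy: networks from which SSLVPN logins are expected, and accounts
# that should already have been removed (any successful login by them is a finding).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]
DORMANT_ACCOUNTS = {"old_contractor", "svc_backup"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "result": m["result"],
    }

def is_trusted(ip):
    """True if the source address falls inside any allow-listed network."""
    return any(ip in net for net in TRUSTED_SOURCES)

def audit(log_text):
    """Return (rule, user, src) findings for successful logins that break either policy rule."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # malformed lines and failed attempts are out of scope here
        if not is_trusted(ev["src"]):
            findings.append(("untrusted_source", ev["user"], str(ev["src"])))
        if ev["user"] in DORMANT_ACCOUNTS:
            findings.append(("dormant_account_login", ev["user"], str(ev["src"])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Failed attempts are deliberately ignored so the output lists only sessions that actually opened; a separate threshold on repeated failures would cover the credential-guessing case.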