Ransomware surge exploits VPN flaws & Microsoft 365 logins in APAC
Barracuda security researchers report a noticeable increase in ransomware and cyber attacks targeting VPNs and Microsoft 365 accounts, along with growing use of Python scripts to run malicious tools, across Australia and the Asia-Pacific region.
Akira ransomware targeting VPNs
The Akira ransomware group is actively exploiting a previously patched vulnerability in SonicWall VPN devices, identified as CVE-2024-40766. Analysts note the attack surge partly stems from organisations failing to apply security updates or reset credentials after patch implementation. Attackers are also leveraging stolen credentials obtained before the release of the patch to intercept one-time passwords (OTPs), enabling them to bypass multi-factor authentication (MFA), even on systems that have been patched.
According to the threat intelligence report, Akira's tactics allow them to quickly move from initial infection to the encryption stage, using legitimate tools such as remote monitoring and management (RMM) software to evade detection. Attackers are reportedly disabling security tools and backup systems to prevent recovery.
"The attacks exploit a year-old and patched vulnerability (CVE-2024-40766). They're succeeding because not every user has applied the patch, and because the attackers can use stolen credentials (grabbed before the patch was applied) to intercept one-time passwords (OTPs). These generate valid login tokens and enable the attackers to bypass multifactor authentication (MFA), even in systems that have been updated."
Researchers highlight that organisations are most at risk if they have not applied the patch, not reset passwords after patching, have unused or legacy accounts, or maintain high-level service accounts with infrequently rotated credentials. Recommended mitigation steps include running a scanning tool to check for unpatched VPNs, applying updates, resetting all VPN credentials, upgrading to the latest firmware, and removing any unused or legacy accounts. The report also advises restricting VPN access by IP address and monitoring for unusual login activity.
Barracuda's investigation warns: "If you think there is any chance that your credentials or OTPs have been exposed, act fast. Reset all passwords, switch to phishing-resistant MFA like FIDO2 security keys, and check VPN logs for unusual activity, such as unusual login patterns or access from unfamiliar locations."
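Two of the mitigations above, restricting VPN access by source IP address and removing unused or legacy accounts, can be checked against the VPN's own authentication log. The script below is an added example, not Barracuda's code or a SonicWall tool: it parses constructed log lines in a hypothetical "timestamp user source_ip result" layout, reports successful logins from outside an assumed allow-list of networks, and lists accounts whose last successful login is older than a configurable idle window. The networks, user names and addresses are all invented for the example.

```python
# Added example (not Barracuda's code): audit constructed VPN authentication log
# lines against an IP allow-list and flag accounts that have gone unused.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user source_ip result"
# format; real VPN appliances use their own layouts, so adapt parse_vpn_log().
VPN_LOG = """\
2025-09-01T08:02:11Z alice 203.0.113.25 SUCCESS
2025-09-01T08:05:42Z bob 203.0.113.40 SUCCESS
2025-09-03T02:17:09Z alice 198.51.100.77 SUCCESS
2025-09-03T02:18:30Z svc-backup 198.51.100.77 SUCCESS
2025-06-10T09:00:00Z legacy-admin 203.0.113.25 SUCCESS
2025-09-04T11:45:00Z carol 203.0.113.26 FAILURE
"""

# Hypothetical allow-list of the networks that should ever reach the VPN portal.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_vpn_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": parse_ts(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "result": result})
    return events


def logins_outside_allowlist(events):
    """Successful logins whose source address is in none of the allowed networks."""
    return [(e["user"], str(e["ip"])) for e in events
            if e["result"] == "SUCCESS"
            and not any(e["ip"] in net for net in ALLOWED_NETWORKS)]


def stale_accounts(events, now_iso, max_idle_days=60):
    """Accounts whose last successful login is older than max_idle_days (removal candidates)."""
    last_seen = {}
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        if e["user"] not in last_seen or e["ts"] > last_seen[e["user"]]:
            last_seen[e["user"]] = e["ts"]
    cutoff = parse_ts(now_iso) - timedelta(days=max_idle_days)
    return sorted(user for user, ts in last_seen.items() if ts < cutoff)


def audit_vpn_log(text, now_iso):
    """Run both checks over a log export and return the findings together."""
    events = parse_vpn_log(text)
    return {"outside_allowlist": logins_outside_allowlist(events),
            "stale_accounts": stale_accounts(events, now_iso)}


if __name__ == "__main__":
    for key, value in audit_vpn_log(VPN_LOG, "2025-09-05T00:00:00Z").items():
        print(key, value)
```

A hit in "outside_allowlist" for a service account is worth treating as a priority, since the report singles out high-level service accounts with rarely rotated credentials; the idle-window check only finds accounts that still appear in the log, so accounts with no login at all in the retention period need to come from the user directory instead.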
Increase in malicious Python scripts
Security teams observed more frequent use of Python scripts to launch hacking tools, including the widely known password stealer Mimikatz, PowerShell, and multiple credential stuffing automation scripts. Wrapping these tools in Python lets attackers disguise malicious activity as legitimate-looking processes and automate their attacks, which speeds them up and reduces the chance of detection.
"Barracuda SOC analysts have seen a rise in hacking tools launched and run by Python computer scripts (programs). The hacking tools include the popular password stealer Mimikatz, the legitimate scripting language PowerShell, and credential stuffing tools/automation scripts for trying out stolen usernames and passwords on websites. The use of Python scripts could be a way for attackers to avoid detection or to speed up and automate their attacks. For example, Python scripts can help disguise the execution of malicious tools with legitimate-looking programs that don't arouse suspicion."
Barracuda recommends organisations install endpoint protection, maintain updated software, enforce strong password and multifactor authentication policies, and conduct regular security awareness training. Automated security systems and user training are emphasised as proactive defences against these types of intrusion.
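The behaviour the SOC describes, a Python interpreter acting as the parent of a hacking tool or of a scripting host, is visible in process-creation telemetry, and the endpoint protection the report recommends can be complemented with a simple rule over that telemetry. The code below is an added example, not Barracuda's detection logic: it runs over constructed events with simplified Sysmon-like fields (host, parent image, child image, command line), treats any Python interpreter as the parent of interest, and raises a high-severity alert for a child named in the report (Mimikatz) and a medium-severity one for scripting hosts such as PowerShell. Hosts, paths and command lines are invented.

```python
# Added example (not Barracuda's code): a detection rule over process-creation
# events that flags tools launched by a Python interpreter, the pattern the
# Barracuda SOC describes (Mimikatz, PowerShell, credential stuffing scripts).
import re

# Constructed process-creation events with Sysmon-like fields (simplified).
# Hosts, paths and command lines are invented for the example.
EVENTS = [
    {"host": "ws01", "parent": r"C:\Python311\python.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "ws01", "parent": r"C:\Python311\python.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File stage.ps1"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"host": "build01", "parent": "/usr/bin/python3.11",
     "image": "/usr/bin/python3.11", "cmdline": "python3 build.py"},
]

# Matches python, pythonw, python3, python3.11, with or without .exe, as the
# last path component of the parent image.
PYTHON_INTERPRETER = re.compile(r"(^|[\\/])pythonw?(\d+(\.\d+)?)?(\.exe)?$", re.IGNORECASE)

# Child image names named in the report; extend with your own watch-list.
CREDENTIAL_TOOLS = {"mimikatz.exe"}
# Legitimate scripting hosts that are suspicious with an interpreter as parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return a severity for the event, or None if it does not match the rule."""
    if not PYTHON_INTERPRETER.search(event["parent"]):
        return None
    child = basename(event["image"])
    if child in CREDENTIAL_TOOLS:
        return "high"
    if child in SCRIPT_HOSTS:
        return "medium"
    return None


def detect(events):
    """Alerts as (severity, host, command line), keeping the original event order."""
    alerts = []
    for e in events:
        severity = classify(e)
        if severity:
            alerts.append((severity, e["host"], e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The rule keys on the image name only, so a renamed binary evades it; in production the high-severity branch is better backed by a file hash or signer check, and the medium-severity branch will need an allow-list for build hosts and automation accounts where Python legitimately drives PowerShell.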
Unusual login activity in Microsoft 365
Barracuda reports a rise in unusual login activity involving Microsoft 365 accounts among nearly 150,000 Australian organisations using the platform. Such activity is defined as logins that do not match normal user behaviour, for example, attempts from unfamiliar locations or devices, or at atypical times. The report links this trend to attackers successfully compromising user credentials and attempting to gain account access.
"Barracuda is seeing a rise in unusual login activity in Microsoft 365 accounts. These are logins that don't match a user's normal behaviour, coming from an unexpected location or device or at a time the user isn't normally online. This can indicate that an attacker has compromised the user's credentials and is trying to gain access to the account."
The findings stress that compromised accounts can be sold to other actors, used for further network access, or exploited to steal sensitive data, send internal threats, or deliver additional attacks. Businesses are considered vulnerable if they publicly share staff information, do not uniformly enforce MFA, lack password policies, or fail to train employees on cyber risks.
Suggested safety practices include enabling MFA on all Microsoft 365 accounts, limiting user permissions, using cloud security services, providing employee awareness training, and blocking access from risky locations or devices. Regular monitoring for anomalous login behaviour is also advised.
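The monitoring the section recommends comes down to comparing each sign-in with what is normal for that user across the three attributes the report names: location, device and time of day. The script below is an added example, not Barracuda's code and not a Microsoft 365 API client: it builds a per-user baseline from constructed historical sign-in records with simplified fields (user, UTC timestamp, country code, device id, outcome), then reports which of those attributes a new sign-in violates. The records are invented, "XX" is a placeholder country code, and the two-hour tolerance around usual sign-in hours is an assumed tuning value.

```python
# Added example (not Barracuda's code): build a per-user baseline of sign-in
# country, device and hour-of-day from past Microsoft 365 sign-ins, then flag
# new sign-ins that deviate from it. Field names are simplified and the records
# are constructed for the example, not exported from a real tenant.
from collections import defaultdict
from datetime import datetime

# (user, UTC timestamp, country code, device id, outcome); "XX" is a placeholder country.
BASELINE = [
    ("alice", "2025-08-04T08:15:00Z", "AU", "dev-a1", "success"),
    ("alice", "2025-08-05T09:02:00Z", "AU", "dev-a1", "success"),
    ("alice", "2025-08-06T17:40:00Z", "AU", "dev-a2", "success"),
    ("bob",   "2025-08-04T07:55:00Z", "AU", "dev-b1", "success"),
    ("bob",   "2025-08-06T12:10:00Z", "NZ", "dev-b1", "success"),
    ("bob",   "2025-08-07T23:50:00Z", "AU", "dev-b1", "failure"),  # failures do not shape the baseline
]
NEW_SIGNINS = [
    ("alice", "2025-09-02T03:12:00Z", "XX", "dev-z9", "success"),
    ("bob",   "2025-09-02T08:30:00Z", "NZ", "dev-b1", "success"),
    ("alice", "2025-09-02T08:45:00Z", "AU", "dev-a3", "success"),
]


def hour_of(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def circular_hour_gap(a, b):
    """Distance between two hours on a 24-hour clock, so 23 and 0 are 1 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def build_baseline(records):
    """Per-user sets of countries, devices and sign-in hours seen in successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device, outcome in records:
        if outcome != "success":
            continue
        profile[user]["countries"].add(country)
        profile[user]["devices"].add(device)
        profile[user]["hours"].add(hour_of(ts))
    return profile


def anomaly_reasons(profile, record, hour_slack=2):
    """Which baseline attributes a sign-in violates; an empty list means it looks normal."""
    user, ts, country, device, _outcome = record
    p = profile.get(user)  # .get() does not create an entry for an unknown user
    if p is None:
        return ["no-baseline"]
    reasons = []
    if country not in p["countries"]:
        reasons.append("new-country")
    if device not in p["devices"]:
        reasons.append("new-device")
    if all(circular_hour_gap(hour_of(ts), h) > hour_slack for h in p["hours"]):
        reasons.append("atypical-hour")
    return reasons


def flag_signins(baseline_records, new_records, min_reasons=1):
    """Sign-ins with at least min_reasons deviations, as (user, timestamp, reasons)."""
    profile = build_baseline(baseline_records)
    flagged = []
    for r in new_records:
        reasons = anomaly_reasons(profile, r)
        if len(reasons) >= min_reasons:
            flagged.append((r[0], r[1], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_signins(BASELINE, NEW_SIGNINS):
        print(user, ts, ", ".join(reasons))
```

With the default of one reason, a user enrolling a new phone is flagged alongside a sign-in from an unknown country, device and hour; raising min_reasons to two keeps only the multi-signal case and is a reasonable starting threshold before escalating to a password reset and session revocation, with the single-signal hits left for review.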
Barracuda's latest threat intelligence round-up further underlines the ongoing importance of regular software updates, robust credential management, security tool deployment, and staff vigilance to combat evolving cyber threats targeting remote access systems and popular business applications.