Ransomware Targets VPNs, Microsoft 365 In APAC Surge

The Asia-Pacific (APAC) region is seeing a rapid surge in the number of cyberattacks aimed at its enterprises, a new report suggests.

According to Barracuda’s SOC Threat Radar report, threat actors are intensifying their efforts against vulnerable VPN infrastructure and Microsoft 365 accounts, and using Python scripts to launch attacks stealthily.  

The Akira ransomware group, in particular, has accelerated its growth, exploiting outdated or improperly patched systems with speed and precision. 

Akira Exploits SonicWall VPN Vulnerability 

The Akira group is reportedly leveraging a known vulnerability, CVE-2024-40766, in SonicWall VPN devices. Though this security flaw was patched months ago, many organizations have failed to apply the update or to reset credentials after patching. This oversight is proving costly.

In several incidents, attackers have used stolen credentials (likely harvested before patches were applied) to intercept one-time passwords (OTPs), enabling them to bypass multi-factor authentication (MFA), even on patched systems. The attackers generate valid login tokens, which allow them to sidestep MFA protections entirely. 

Barracuda first issued a security advisory regarding this threat in August 2020. Despite awareness, attacks continue at a steady pace, particularly in Australia and other APAC nations. Researchers stress that Akira can quickly escalate from initial infection to file encryption. They have also observed Akira using legitimate remote monitoring and management (RMM) tools to disable security software and backup systems, effectively sabotaging recovery efforts. 

Conditions That Increase Risk 

Organizations are particularly vulnerable if they: 

  • Have not applied the latest SonicWall VPN patch
  • Have not reset passwords after patching
  • Maintain old, unused, or legacy accounts
  • Use high-access service accounts with credentials that are never rotated

Recommended countermeasures include: 

  • Running vulnerability scans to detect unpatched VPNs 
  • Upgrading to SonicOS 7.3.0 or later 
  • Resetting all VPN-related credentials 
  • Removing unused or legacy accounts 
  • Restricting VPN access by IP address 
  • Monitoring for unusual login activity, particularly from unfamiliar countries or service providers 

“If you think there is any chance that your credentials or OTPs have been exposed, act fast,” the report warns. “Reset all passwords, switch to phishing-resistant MFA like FIDO2 security keys, and check VPN logs for irregular access patterns.” 

Malicious Python Scripts Evade Detection 

Another worrying trend highlighted in the report is the growing use of Python scripts to deploy hacking tools under the radar. Barracuda’s security operations center (SOC) analysts have seen attackers automate credential stuffing, use Mimikatz (a tool to steal passwords), and abuse PowerShell, all orchestrated via Python programs. 

The use of Python allows threat actors to: 

  • Automate attacks, increasing their speed and efficiency 
  • Disguise malicious processes as legitimate activity 
  • Execute multiple operations simultaneously, such as data exfiltration while scanning for vulnerabilities 

This level of automation reduces the need for manual execution, making it harder for conventional security tools to detect malicious actions in time. 

Recommendations to Mitigate Script-Based Attacks 

Organizations are urged to: 

  • Deploy endpoint protection tools capable of detecting Python-based threats 
  • Regularly update software and operating systems 
  • Enforce strict password policies and consistent MFA usage 
  • Provide ongoing cybersecurity awareness training to staff 

Microsoft 365 Accounts Targeted 

A third major concern identified is the spike in unusual login activity targeting Microsoft 365 accounts, particularly in Australia, where nearly 150,000 organizations use the platform. These suspicious logins typically originate from unexpected locations, devices, or time zones, which are clear indicators of compromised credentials.

The appeal of Microsoft 365 lies in its widespread use and deep integration into business workflows. Once attackers gain access to a user account, they can: 

  • Sell credentials to other cybercriminals (e.g., initial access brokers) 
  • Move laterally within the organization’s network 
  • Steal sensitive data such as emails, files, and communications 
  • Send malicious emails from compromised accounts to carry out further attacks 

Signs of Vulnerability and Mitigation Steps 

Organizations face heightened risk if they: 

  • Publicly list staff from finance, HR, or IT on websites
  • Don’t enforce strong password policies or MFA
  • Lack monitoring for anomalous login behavior
  • Fail to educate employees about phishing and credential theft

To defend against Microsoft 365 account compromises, Barracuda recommends: 

  • Enabling MFA for all users 
  • Limiting permissions and access levels 
  • Blocking access from high-risk locations or unknown devices 
  • Installing cloud security monitoring tools 
  • Conducting regular security training and login pattern analysis 
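The monitoring advice in this report (checking VPN logs for irregular access patterns, and login pattern analysis for Microsoft 365) can be turned into a small detector that flags sign-ins from a country a user has never used and two sign-ins from different countries too close together to be real travel. The Python below is an added example, not code from the report or from Barracuda; the sign-in events, per-user baseline countries, ASN values and field names are all constructed for illustration.

```python
"""Flag anomalous sign-ins: unfamiliar countries per user and impossible travel."""
from datetime import datetime, timedelta
import json

# Constructed sample sign-in events (JSON lines, one event per line).
# Field names (ts, user, country, asn) are assumptions, not a vendor log format.
SAMPLE_LOG = """
{"ts": "2025-06-02T01:05:00Z", "user": "alice", "country": "AU", "asn": "AS1221"}
{"ts": "2025-06-02T08:40:00Z", "user": "alice", "country": "AU", "asn": "AS1221"}
{"ts": "2025-06-02T08:55:00Z", "user": "alice", "country": "RU", "asn": "AS12389"}
{"ts": "2025-06-02T09:10:00Z", "user": "bob", "country": "AU", "asn": "AS1221"}
{"ts": "2025-06-03T22:00:00Z", "user": "bob", "country": "NL", "asn": "AS60781"}
"""

# Constructed baseline: countries each user signed in from during a known-good period.
BASELINE = {"alice": {"AU"}, "bob": {"AU", "NZ"}}
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, baseline, window=TRAVEL_WINDOW):
    """Return (user, reason, timestamp) tuples. Each event is compared with the
    user's baseline countries and with that user's previous sign-in."""
    last_seen = {}
    alerts = []
    for e in events:
        user, country = e["user"], e["country"]
        if country not in baseline.get(user, set()):
            alerts.append((user, f"new country {country} via {e['asn']}", e["ts"]))
        prev = last_seen.get(user)
        if prev and prev["country"] != country and e["ts"] - prev["ts"] <= window:
            alerts.append((user, f"impossible travel {prev['country']}->{country}", e["ts"]))
        last_seen[user] = e
    return alerts


if __name__ == "__main__":
    for user, reason, ts in find_anomalies(parse_events(SAMPLE_LOG), BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

On the sample data this raises two alerts for alice (an unfamiliar country, and a country change 15 minutes after her previous sign-in) and one for bob (an unfamiliar country, but no travel alert because his previous sign-in was more than a day earlier).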
