News

The Akira Playbook: How Ransomware Groups Are Weaponizing MFA Fatigue

  • Anton Lucanus--securityboulevard.com
  • published date: 2025-11-20 00:00:00 UTC


<p><span data-contrast="auto">This article unpacks how <a href="https://securityboulevard.com/2025/09/sonicwall-akira-ransomware-richixbw/" target="_blank" rel="noopener">Akira operationalized MFA push-spam into a global intrusion tactic</a>, why traditional VPNs and weak identity controls continue to fuel their success and what the latest data tells us about the scale of the threat. More importantly, it outlines the counter-playbook defenders need to deploy now </span><span data-contrast="auto">—</span><span data-contrast="auto"> from adopting phishing-resistant passkeys to treating every suspicious login prompt as a potential breach signal. In short, Akira’s rise is not just a story of one ransomware group, but a warning about how easily convenience in authentication can turn against us.</span><span data-ccp-props='{"335559739":80}'> </span></p><h3 aria-level="2"><span data-contrast="auto">Approve to Lose: The Human Hack Behind Push-Spam</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">MFA was supposed to end the era of stolen-password break-ins. But Akira and its affiliates have perfected a social-engineering gambit that turns MFA into a pressure point: Push bombing (aka MFA fatigue). The move is simple and brutal </span><span data-contrast="auto">—</span><span data-contrast="auto"> use valid (often stolen) credentials to trigger a blizzard of MFA prompts, then nudge the target via text/voice/phish until they tap ‘Approve’ just to stop the noise. 
</span><a href="https://attack.mitre.org/techniques/T1621/" target="_blank" rel="noopener"><span data-contrast="none">MITRE now catalogs this</span></a><span data-contrast="auto"> as ‘Multi-Factor Authentication Request Generation’ (T1621) and notes that adversaries repeatedly trigger prompts to bombard users, counting on fatigue to win out. The precondition matters: the attacker already holds a valid password, so every unexpected prompt the user sees is evidence of a credential compromise, not noise.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Akira’s operators combine that prompt storm with old-school pretexting: ‘IT needs a quick confirm’, ‘VPN maintenance </span><span data-contrast="auto">—</span><span data-contrast="auto"> please accept’ and so on. 
If the target relents once, the attackers often add their own device or create a persistent session </span><span data-contrast="auto">—</span><span data-contrast="auto"> no malware needed. The 2022 Uber breach </span><a href="https://www.darkreading.com/cyberattacks-data-breaches/uber-breach-external-contractor-mfa-bombing-attack" target="_blank" rel="noopener"><span data-contrast="none">made the tactic infamous</span></a><span data-contrast="auto">, and write-ups since have detailed how a contractor’s credentials plus a barrage of notifications opened the door to internal systems.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">Why Akira Keeps Winning: Edge Devices, Identity Abuse and MFA Bypasses</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">Akira’s recent surges show a ruthless focus on identity and remote access. In 2025, multiple investigations tied a wave of intrusions to </span><a href="https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html" target="_blank" rel="noopener"><span data-contrast="none">SonicWall SSL VPN</span></a><span data-contrast="auto"> gateways. In some cases, researchers suspected a zero-day; in others, the incidents pointed to configuration weaknesses or the reuse of stolen credentials. Coverage noted that even fully patched devices were implicated in pre-ransomware intrusions, and that attackers could bypass MFA by reusing one-time-password (OTP) seeds captured in earlier compromises or exposed by misconfiguration: a stolen seed lets the attacker mint valid codes indefinitely, so a password reset alone does not evict them.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The pattern is consistent with Akira’s pragmatic, playbook-driven methodology documented in government and industry advisories: Get in via VPN, pivot quickly, delete or disable backups and run double extortion (encrypt, then threaten to leak the stolen data). 
A </span><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a" target="_blank" rel="noopener"><span data-contrast="none">joint alert from CISA</span></a><span data-contrast="auto">, FBI, Europol and NCSC-NL reported that as of January 1, 2024, Akira had hit over 250 organizations and extracted about $42 million </span><span data-contrast="auto">—</span><span data-contrast="auto"> all in under a year of public activity.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Akira’s edge focus dovetails with the industry’s broader shift: Identity is the new perimeter, and VPNs, SSO and remote access stacks are the keys to the kingdom. That’s why the group’s playbook avoids noisy exploits when quiet social engineering and identity misuse will do.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">What the Numbers Say and Why Push-Fatigue Works</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">If push-fatigue seems ‘too human’ to be a systemic problem, the macro data says otherwise:</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">7,000 password attacks per second. 
Microsoft’s 2024 Digital Defense Report measured roughly 600 million identity attacks per day and over 7,000 password </span><a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024" target="_blank" rel="noopener"><span data-contrast="none">attacks blocked each second</span></a><span data-contrast="auto">. This underscores that brute-forcing, stuffing and credential replay are ambient background radiation on the internet today.</span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><a href="https://www.verizon.com/business/resources/T646/reports/2024-dbir-data-breach-investigations-report.pdf" target="_blank" rel="noopener"><span data-contrast="none">68% of breaches involve the human element</span></a><span data-contrast="auto">. Verizon’s 2024 Data Breach Investigations Report (DBIR) found people factored (error, social engineering and misuse) into 68% of breaches. It also noted ransomware as a top threat in 92% of industries.</span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Stolen credentials still dominate the web-app path. 
In Verizon’s basic web application attack patterns, 77% of breaches involved the </span><a href="https://www.verizon.com/business/resources/T646/reports/2024-dbir-data-breach-investigations-report.pdf" target="_blank" rel="noopener"><span data-contrast="none">use of stolen credentials</span></a><span data-contrast="auto">, showing how attackers ride valid logins straight past controls.</span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Passkeys are moving from pilot to practice. A 2025 FIDO Alliance enterprise study reported 87% of U.S./UK companies have deployed or are </span><a href="https://fidoalliance.org/wp-content/uploads/2025/02/The-State-of-Passkey-Deployment-in-the-Enterprise-in-the-US-and-UK-FIDO-Alliance.pdf" target="_blank" rel="noopener"><span data-contrast="none">rolling out passkeys</span></a><span data-contrast="auto">, reflecting a rapid shift toward phishing-resistant authentication.</span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Akira’s haul — $42 million from over 250 victims. 
The Cybersecurity and Infrastructure Security Agency (CISA)-led advisory quantified the </span><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a" target="_blank" rel="noopener"><span data-contrast="none">group’s success to date</span></a><span data-contrast="auto"> </span><span data-contrast="auto">—</span><span data-contrast="auto"> evidence that identity-centric playbooks scale efficiently across sectors and geographies.</span></li></ul><p><span data-contrast="auto">Taken together, these data points explain why MFA fatigue works so well: Attackers don’t need to win a zero-day lottery when the internet supplies an endless stream of valid credentials and an overworked employee who just wants the prompts to stop.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">A Defender’s Counter-Playbook: What to Change This Quarter</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">Harden MFA from ‘approve’ to ‘prove’. Push-to-approve is convenient and exploitable. Move to number matching at minimum, and to passkeys or </span><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677" target="_blank" rel="noopener"><span data-contrast="none">FIDO2/WebAuthn</span></a><span data-contrast="auto"> security keys for high-risk access. The distinction matters: number matching stops reflexive tapping because the user must enter a number shown only on the sign-in screen the attacker is looking at, but an attacker on the phone with a pretext can read that number out, and an adversary-in-the-middle phishing page defeats it outright. Only FIDO2/WebAuthn credentials (passkeys are one form of them) are bound to the origin and therefore phishing-resistant. Make users prove the session context instead of reflexively approving it. Microsoft, Ping and others have published concrete guardrails for reducing push-fatigue risk.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Shrink the VPN blast radius. If you still rely on a traditional VPN, gate it behind phishing-resistant factors and device posture checks. 
Disable generic ‘virtual office portals’ on edge gear where possible, lock access by source IP and </span><a href="https://www.techradar.com/pro/security/this-long-exposed-sonicwall-flaw-is-being-used-to-infect-organizations-with-akira-ransomware-so-patch-now" target="_blank" rel="noopener"><span data-contrast="none">rotate any OTP secrets</span></a><span data-contrast="auto"> stored on gateways implicated in recent campaigns; because a gateway configuration typically also holds local account and directory-bind credentials, treat those as compromised and rotate them too. Recent coverage of the SonicWall campaigns highlights how misconfigurations and legacy controls can neutralize the value of MFA altogether.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Make least privilege the identity default. Assume initial access succeeds and design the blast radius accordingly: per-app access (zero trust) instead of flat VPNs, just-in-time (JIT) privilege for admin tasks and session-level signals (device health, location and risk score) evaluated before a token is issued. If a user caves to push-spam once, the second layer should still force re-verification with a phishing-resistant factor before sensitive moves (e.g., adding an MFA device, creating a new OAuth app or exporting data).</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Instrument the human attack surface. If 68% of breaches have a human component, let users work with telemetry backing them up. Teach them to deny unexpected prompts and to report MFA-spam like they’d report a phish. Add playbook automation: If a user reports prompt-bombing, auto-lock the account, invalidate sessions, remove any MFA method or device registered since the first unexpected prompt and force re-enrollment with a resistant factor.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Ransomware groups have always thrived on exploiting the weakest link in security: People. 
While organizations have spent years fortifying their networks with MFA, groups such as Akira have flipped this very safeguard into an attack vector. By weaponizing ‘MFA fatigue’ </span><span data-contrast="auto">—</span><span data-contrast="auto"> a relentless stream of authentication prompts designed to exhaust users into approval </span><span data-contrast="auto">—</span><span data-contrast="auto"> Akira has shown that identity, not malware, is the modern perimeter. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The risk is amplified in complex, distributed environments such as </span><a href="https://softwaremind.com/services/telecom-software-development/" target="_blank" rel="noopener"><span data-contrast="none">telecom software development</span></a><span data-contrast="auto">, where engineers, CI/CD systems and remote contractors rely on VPNs and SSO to push code and manage network functions; one coerced tap on ‘Approve’ can become unfettered access to build pipelines and service orchestration. Akira’s playbook blends social engineering, remote access abuse and opportunistic targeting of edge devices into a ruthless strategy that has already netted tens of millions of dollars.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Detect the early tells. Akira’s intrusions often have a familiar rhythm: VPN login anomalies, a flurry of denied MFA prompts, an eventual approval and then rapid admin activity (backup tampering and domain controller probes). Treat a streak of MFA denials, an approval that follows one and any new MFA method registered minutes later as tier-1 incidents, not curiosities. Enrich with identity-provider logs, VPN telemetry and endpoint traces. 
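</span></p>
<p><span data-contrast="auto">The rhythm just described can be turned into detection logic. What follows is an added example written for this page (it is not Akira tooling, not code from the article and not any identity provider’s API): it scans identity-provider events for a denial streak, an approval that follows one and a new MFA method registered shortly after, and emits the containment actions the playbook calls for. The log format, field names, user names, IP addresses and thresholds are constructed for the example; map them onto your own provider’s export before use.</span></p>

```javascript
// Added example for this article (not Akira tooling, not an IdP's own API):
// spot MFA push-fatigue patterns in identity-provider events and map them to
// the containment actions the counter-playbook recommends.
// Log format, field names, users, IPs and thresholds are constructed here.

const DENIAL_STREAK = 3;                 // negative prompt outcomes within WINDOW_MS
const WINDOW_MS = 10 * 60 * 1000;        // sliding window for the streak
const POST_APPROVAL_MS = 30 * 60 * 1000; // new MFA method this soon after a coerced approval = persistence

const NEGATIVE = new Set(['mfa.push.denied', 'mfa.push.timeout']);

// Constructed sample log: a.rivera logs in normally, j.doe is being bombed.
const SAMPLE_LOG = [
  '2025-11-18T02:10:41Z user=a.rivera event=mfa.push.approved ip=198.51.100.23 app=vpn',
  '2025-11-18T02:14:05Z user=j.doe event=mfa.push.denied ip=203.0.113.9 app=vpn',
  '2025-11-18T02:14:37Z user=j.doe event=mfa.push.denied ip=203.0.113.9 app=vpn',
  '2025-11-18T02:15:12Z user=j.doe event=mfa.push.timeout ip=203.0.113.9 app=vpn',
  '2025-11-18T02:16:48Z user=j.doe event=mfa.push.denied ip=203.0.113.9 app=vpn',
  '2025-11-18T02:18:03Z user=j.doe event=mfa.push.approved ip=203.0.113.9 app=vpn',
  '2025-11-18T02:21:30Z user=j.doe event=mfa.method.registered ip=203.0.113.9 app=idp method=authenticator_app',
  '2025-11-18T02:25:02Z user=j.doe event=session.created ip=203.0.113.9 app=vpn',
];

// "<ISO timestamp> key=value key=value ..."  ->  { ts, user, event, ip, ... }
function parseLine(line) {
  const [stamp, ...pairs] = line.trim().split(/\s+/);
  const ev = { ts: Date.parse(stamp) };
  for (const pair of pairs) {
    const i = pair.indexOf('=');
    if (i > 0) ev[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return ev;
}

// Returns findings in time order. Three rules, all tier-1:
//   push_spam                         : DENIAL_STREAK negatives inside WINDOW_MS
//   approval_after_denials            : an approval while >= 2 negatives are still in the window
//   persistence_after_coerced_approval: new MFA method within POST_APPROVAL_MS of that approval
function analyze(lines) {
  const byUser = new Map();
  for (const ev of lines.map(parseLine).sort((a, b) => a.ts - b.ts)) {
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }
  const findings = [];
  for (const [user, events] of byUser) {
    let recent = [];            // negative outcomes still inside the sliding window
    let streakReported = false; // one push_spam finding per user, not one per prompt
    let coercedAt = null;       // time of the approval that followed the denials
    for (const ev of events) {
      recent = recent.filter((d) => ev.ts - d.ts <= WINDOW_MS);
      if (NEGATIVE.has(ev.event)) {
        recent.push(ev);
        if (recent.length >= DENIAL_STREAK && !streakReported) {
          streakReported = true;
          findings.push({ user, rule: 'push_spam', severity: 'tier1', at: ev.ts,
            detail: `${recent.length} denied/timed-out prompts in ${WINDOW_MS / 60000} min from ${ev.ip}` });
        }
      } else if (ev.event === 'mfa.push.approved' && recent.length >= 2) {
        coercedAt = ev.ts;
        findings.push({ user, rule: 'approval_after_denials', severity: 'tier1', at: ev.ts,
          detail: `approved after ${recent.length} negatives; attacker holds a valid password` });
      } else if (ev.event === 'mfa.method.registered' && coercedAt !== null && ev.ts - coercedAt <= POST_APPROVAL_MS) {
        findings.push({ user, rule: 'persistence_after_coerced_approval', severity: 'tier1', at: ev.ts,
          detail: `new MFA method (${ev.method}) ${Math.round((ev.ts - coercedAt) / 60000)} min after coerced approval` });
      }
    }
  }
  return findings;
}

// Containment per user: lock, revoke sessions, re-enrol with a phishing-resistant
// factor; and if a factor was added after the coerced approval, strip it too.
function responsePlan(findings) {
  const plan = new Map();
  for (const f of findings) {
    if (f.severity !== 'tier1') continue;
    if (!plan.has(f.user)) {
      plan.set(f.user, new Set(['open_tier1_incident', 'lock_account', 'revoke_all_sessions',
        'require_phishing_resistant_reenrollment']));
    }
    if (f.rule === 'persistence_after_coerced_approval') {
      plan.get(f.user).add('remove_mfa_methods_registered_since_first_denial');
    }
  }
  return plan;
}

for (const f of analyze(SAMPLE_LOG)) console.log(new Date(f.at).toISOString(), f.user, f.rule, f.detail);
for (const [user, actions] of responsePlan(analyze(SAMPLE_LOG))) console.log(user, [...actions].join(', '));
```

<p><span data-contrast="auto">The thresholds are the tunable part: three negative outcomes in ten minutes catches a bombing run without paging on a user who declines a prompt once, and the post-approval window for new method registration is what separates a tired employee from an attacker parking a persistent factor on the account.</span></p>
<p><span data-contrast="auto">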
In recent SonicWall-linked intrusions, some affiliates even used </span><a href="https://cybersecuritynews.com/akira-ransomware-uses-windows-drivers/" target="_blank" rel="noopener"><span data-contrast="none">signed Windows drivers</span></a><span data-contrast="auto"> to sidestep EDR during lateral movement (a bring-your-own-vulnerable-driver move: the driver is legitimately signed, so it loads cleanly, and its flaws hand the attacker kernel-level access) </span><span data-contrast="auto">—</span><span data-contrast="auto"> if you see unexpected kernel driver loads, treat them as ‘ransomware-smells-like’ events.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Patch velocity still matters. Verizon’s DBIR observed a </span><a href="https://www.verizon.com/business/resources/T646/reports/2024-dbir-data-breach-investigations-report.pdf"><span data-contrast="none">180% increase</span></a><span data-contrast="auto"> in breaches where vulnerability exploitation was the initial way in, largely tied to mass-exploitation events. That’s why the exposure window on internet-facing edge devices and web apps matters so much: those are the systems Akira reaches first. </span></p><p><span data-contrast="auto">Kill the password where you can. The fastest way to nullify push-spam is to remove pushable factors. Passkeys are bound to the relying party’s origin (and, for device-bound passkeys, to the hardware holding the private key), which is what defeats credential phishing and real-time relay; a session cookie stolen after login is a separate problem that short token lifetimes and session binding address. 
With </span><a href="https://fidoalliance.org/wp-content/uploads/2025/02/The-State-of-Passkey-Deployment-in-the-Enterprise-in-the-US-and-UK-FIDO-Alliance.pdf" target="_blank" rel="noopener"><span data-contrast="none">87% of enterprises</span></a><span data-contrast="auto"> in the U.S./UK deploying or piloting passkeys, you’re no longer an early adopter </span><span data-contrast="auto">—</span><span data-contrast="auto"> you’re catching up.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">The Bottom Line</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":280,"335559739":120}'> </span></h3><p><span data-contrast="auto">Akira didn’t invent MFA fatigue; it just operationalized it. The group’s continuing success is a mirror held up to the industry’s habits: Passwords everywhere, push approvals without context and edge devices that double as single points of failure. The good news is that the countermoves are known and increasingly practical:</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Replace push approvals with passkeys and number-matching</span><br><span data-ccp-props='{"335559738":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Constrain remote access to per-app, risk-aware sessions</span><br><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" 
data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Automate responses to push-spam signals and abnormal identity changes</span><br><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Instrument identity like a production system, with SLOs for revocation speed and drift detection</span><br><span data-ccp-props='{"335559739":240}'> </span></li></ul><p><span data-contrast="auto">The data says the attackers will keep knocking </span><span data-contrast="auto">—</span><span data-contrast="auto"> </span><a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024" target="_blank" rel="noopener"><span data-contrast="none">7,000 times a second</span></a><span data-contrast="auto">, to be precise. 
The question is whether those knocks land on a doorbell your users can be tricked into tapping or on a cryptographic lock they can’t open for an impostor, no matter how many times the phone buzzes.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p>