Akira Ransomware: New Campaign Targets SonicWall Firewalls

Two critical bugs in Cisco ASA and FTD: score 9.9 and risk of remote code execution - Against Invaders - Notícias de CyberSecurity para humanos.

Redazione RHC:28 September 2025 15:03

Since late July 2025, a new wave of cyber attacks has been recorded targeting organizations equipped with SonicWall firewalls, with the active spread of the Akira ransomware.

According to researchers at Arctic Wolf Labs , malicious activity has significantly increased and continues to persist. Attackers gain initial access through compromised SSL VPN connections , successfully bypassing multi-factor authentication (MFA) . Once inside the network, they quickly move on to the encryption phase—in some cases, the dwell time before the ransomware was released was as short as 55 minutes .

The exploited vulnerability and the role of stolen credentials

The hacks have been linked to CVE-2024-40766 , an access control vulnerability disclosed in 2024. The leading hypothesis is that criminals previously harvested credentials from exposed and vulnerable devices, which they now exploited against already patched devices. This explains why fully patched systems were compromised, a circumstance that initially fueled the hypothesis of a new zero-day exploit.

Another critical element concerns SonicWall’s OTP MFA : attackers were able to authenticate even with accounts protected by this feature, increasing the severity of the campaign.

Techniques and tools used

Once they gain access via SSL VPN, the attackers:

initiate internal network scanning to identify exposed ports such as SMB (445), RPC (135), and SQL (1433) ;
use reconnaissance and lateral movement tools including Impacket, SoftPerfect Network Scanner, and Advanced IP Scanner ;
create new administrative accounts and raise the privileges of existing ones;
install remote access software such as AnyDesk, TeamViewer, and RustDesk to ensure persistence;
establish hidden connections via reverse SSH and Cloudflare Tunnels .

To reduce the chance of detection, threat actors attempt to disable endpoint security solutions, such as Windows Defender and EDR.

In some cases, they use the BYOVD (bring your own vulnerable driver) technique to compromise systems at the kernel level and delete shadow volume copies to prevent any restores.

From data collection to ransomware release

Before starting the encryption, the attackers exfiltrate sensitive information: the files are compressed with WinRAR and extracted using tools like rclone and FileZilla . They then distribute the Akira ransomware, via executable files named akira.exe or locker.exe , encrypting network drives and launching the ransom note.

Recommendations for organizations

Arctic Wolf experts urge all organizations using SonicWall appliances to take immediate action.

In particular, it is recommended to reset SSL VPN credentials , including Active Directory-linked accounts, especially if systems have previously run firmware vulnerable to CVE-2024-40766. Simply applying patches is not considered sufficient if credentials have already been compromised.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli

azaeo.com – datalake

File fishes formats available in:

Texto JSON JSON-LD XML HTML HTML Source PDF Markdown

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology: “LLMs” is the correct English acronym for Large Language Models.