Akira Ransomware bypasses MFA on SonicWall VPNs

Akira ransomware is targeting SonicWall SSL VPNs, bypassing OTP MFA on accounts, likely using stolen OTP seeds.

Since July 2025, Akira ransomware has exploited SonicWall SSL VPNs, likely using credentials obtained from the exploitation of the CVE-2024-40766 vulnerability, bypassing OTP MFA. Attacks spread quickly across sectors, with rapid post-login activity and short dwell times, making early detection crucial.

The Akira ransomware campaign, active since July 21, 2025, is targeting SonicWall NSA and TZ series devices running SonicOS 6–8, including recent 7.3.0 builds. The experts pointed out that despite SonicWall releasing updates to harden against brute force and MFA attacks, intrusions continue, even on patched devices. Researchers believe the attacks stem from credentials stolen during earlier exploitation of CVE-2024-40766, because those stolen credentials remain valid across firmware upgrades unless they are reset.

“Although the credential-based mitigations suggested by SonicWall are reasonable from a best practices standpoint, we are still not able to explain how threat actors were able to successfully bypass MFA. We will demonstrate this bypass below.” reads the report published by Arctic Wolf.

The Akira ransomware campaign shows initial access via malicious SSL VPN logins from VPS providers, which is unusual compared to typical broadband or SD-WAN logins. In some attacks, threat actors also used privacy VPNs. Both local and LDAP-synced accounts were targeted, including AD sync accounts not configured for VPN use. Over half of the intrusions involved OTP MFA accounts, with attackers successfully authenticating. Evidence suggests valid credentials, possibly from CVE-2024-40766 exploitation or stolen OTP seeds, though the MFA bypass method is still unclear.

The experts noticed that some intrusions showed evenly timed logins across multiple accounts from the same VPN IP, suggesting scripted automated access, though most cases involved 1–2 accounts.
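A defender-side check for the two login patterns described above: SSL VPN logins from source ranges the organization does not expect (VPS or privacy VPN providers) and evenly spaced logins across several accounts from one IP, the shape of scripted access. This is an added example, not code from the Arctic Wolf report; the login records and the expected-prefix allowlist are constructed placeholders, and a real SonicOS log export would need a parser in front of it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample SSL VPN login records (timestamp, username, source IP).
# The first four are evenly spaced logins to different accounts from one IP.
SAMPLE_LOGINS = [
    ("2025-07-21T02:00:00", "j.smith",    "203.0.113.10"),
    ("2025-07-21T02:00:30", "svc_adsync", "203.0.113.10"),
    ("2025-07-21T02:01:00", "m.jones",    "203.0.113.10"),
    ("2025-07-21T02:01:30", "backup",     "203.0.113.10"),
    ("2025-07-21T07:55:12", "a.lee",      "198.51.100.7"),
    ("2025-07-21T09:12:44", "a.lee",      "198.51.100.7"),
]

# Assumed allowlist of source prefixes VPN users normally come from (placeholder).
KNOWN_PREFIXES = ("198.51.100.",)


def group_by_source(logins):
    """Group login records by source IP, each list sorted by time."""
    by_ip = defaultdict(list)
    for ts, user, ip in logins:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip


def scripted_access_candidates(logins, min_accounts=3, max_jitter_s=5.0):
    """Source IPs that hit >= min_accounts distinct accounts with near-constant
    spacing between logins (low standard deviation of the inter-login gaps)."""
    flagged = {}
    for ip, events in group_by_source(logins).items():
        users = {u for _, u in events}
        if len(users) < min_accounts:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if gaps and pstdev(gaps) <= max_jitter_s:
            flagged[ip] = {"accounts": sorted(users),
                           "mean_gap_s": sum(gaps) / len(gaps)}
    return flagged


def unexpected_sources(logins, known_prefixes=KNOWN_PREFIXES):
    """Source IPs outside the expected prefixes; candidates for VPS/privacy VPN origin."""
    return sorted({ip for _, _, ip in logins if not ip.startswith(known_prefixes)})
```

Both checks are triage signals, not proof of compromise; a hit should be correlated with what the account did in the minutes after login.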

After SSL VPN access, attackers moved rapidly, typically scanning the internal network within five minutes using tools like SoftPerfect and Advanced IP Scanner, targeting RPC/NetBIOS/SMB/SQL ports. They used Impacket (SMB sessions, WMIExec-style quser redirection) and RDP for lateral movement, and performed AD enumeration with nltest, dsquery, Get-ADUser/Get-ADComputer, SharpShares, BloodHound, ldapdomaindump and related tools. The attackers saved outputs and reconnaissance files to C:\ProgramData or Temp and sometimes opened them in Notepad, indicating systematic discovery before further compromise.

Threat actors searched for VM storage/backups to access sensitive data and domain credentials, though admin credentials were often obtained by other means before extraction. They used sqlcmd and a novel PowerShell tool (supports MSSQL/Postgres) to extract and decrypt Veeam 11/12 credentials, retrieving DPAPI secrets and salts and temporarily altering the PostgreSQL config (with a dated comment) to permit loopback connections. Attackers created local and domain admin accounts (e.g., sqlbackup, veean), added users to groups like “ESX Admins,” and installed RMMs (AnyDesk, TeamViewer, RustDesk). To maintain persistence, attackers used SSH reverse tunnels and Cloudflare Tunnel (cloudflared) installed as a service, OpenSSH opened to 0.0.0.0, and scripted installers using Invoke-WebRequest/Start-BitsTransfer.

Attackers used multiple techniques to evade detection, including disabling RMMs and deleting Volume Shadow Copies, turning off UAC for local accounts, and attempting to disable Defender/EDR. They used a BYOVD technique; they repackaged Microsoft’s consent.exe and ran it from directories disguised as legitimate EDR software.

Threat actors installed WinRAR on servers and domain controllers, often placing the binary in ProgramData, to package files for exfiltration. They extracted and ran rclone (from ProgramData) or installed FileZilla (fzsftp.exe) to transfer RAR archives over SFTP/SSH to VPS hosts. Ransomware (akira/locker/w.exe) was deployed to multiple locations (e.g., C:\lock, C:\ProgramData) with per-drive options (-p, -s), usually encrypting environments within four hours, sometimes as fast as 55 minutes after access.

“The most crucial mitigation to this threat is to reset all SSL VPN credentials on SonicWall devices that have ever run firmware vulnerable to CVE-2024-40766, as well as Active Directory credentials on accounts used for SSL VPN access and LDAP synchronization.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware attack)


