Post: Akira Ransomware: New Campaign Targets SonicWall Firewalls
<div>
<div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default">
<div>
<div>
<p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>: 28 September 2025 15:03</b></span></p>
<p>Since late July 2025, a new wave of cyber attacks has been recorded targeting organizations equipped with SonicWall firewalls, with the active spread of the <strong>Akira</strong> ransomware.</p>
<p>According to researchers at <strong><a href="https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/" target="_blank">Arctic Wolf Labs</a></strong>, malicious activity has significantly increased and continues to persist. Attackers gain initial access through <strong>compromised SSL VPN connections</strong>, successfully <strong>bypassing multi-factor authentication (MFA)</strong>. Once inside the network, they quickly move on to the encryption phase—in some cases, the dwell time before the ransomware was released was as short as <strong>55 minutes</strong>.</p>
<h2>The exploited vulnerability and the role of stolen credentials</h2>
<p>The <a href="https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430" target="_blank">hacks have been linked</a> to <strong><a href="https://www.redhotcyber.com/servizi/cve/?cve_id=CVE-2024-40766" target="_new _blank">CVE-2024-40766</a></strong>, an access control vulnerability disclosed in 2024. The leading hypothesis is that <em>criminals previously harvested credentials from exposed and vulnerable devices, which they now exploited against already patched devices.</em> This explains why fully patched systems were compromised, a circumstance that initially fueled the hypothesis of a new zero-day exploit.</p>
<p>Another critical element concerns <strong>SonicWall’s OTP MFA</strong>: attackers were able to authenticate even with accounts protected by this feature, increasing the severity of the campaign.</p>
<h2>Techniques and tools used</h2>
<p>Once they gain access via SSL VPN, the attackers:</p>
<ul>
<li>initiate internal network scanning to identify exposed ports such as <strong>SMB (445), RPC (135), and SQL (1433)</strong>;</li>
<li>use reconnaissance and lateral movement tools including <strong>Impacket, SoftPerfect Network Scanner, and Advanced IP Scanner</strong>;</li>
<li>create new administrative accounts and raise the privileges of existing ones;</li>
<li>install remote access software such as <strong>AnyDesk, TeamViewer, and RustDesk</strong> to ensure persistence;</li>
<li>establish hidden connections via <strong>reverse SSH and Cloudflare Tunnels</strong>.</li>
</ul>
<p>To reduce the chance of detection, threat actors attempt to disable endpoint security solutions, such as <strong>Windows Defender</strong> and EDR.</p>
<p>In some cases, they use the <strong>BYOVD (bring your own vulnerable driver)</strong> technique to compromise systems at the kernel level and delete shadow volume copies to prevent any restores.</p>
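<p>As an added illustration from the defender's side (example code written for this page, not from the Red Hot Cyber article or from Arctic Wolf's report), the following script turns three of the post-access behaviours described above into simple detection rules and runs them over constructed log lines: fan-out scanning of ports 445, 135 and 1433 from one internal host, creation of a new account followed by its addition to an administrators group, and deletion of shadow copies from a process command line. The log format, field names, hostnames, IP addresses and thresholds are all assumptions made for the example.</p>

```python
"""Detection rules for three post-access behaviours described in the article,
run over constructed sample log lines. Added example; log format, field names
and thresholds are assumptions, not real telemetry or a vendor schema."""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {445, 135, 1433}       # ports the article says attackers scan for
SCAN_WINDOW = timedelta(seconds=60)    # assumed tuning: distinct hosts per minute
SCAN_MIN_HOSTS = 8
ESCALATION_WINDOW = timedelta(minutes=10)  # 4720 -> 4732 within this gap
ADMIN_GROUPS = {"administrators", "domain admins"}
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

# Constructed sample events (not real data). Three record kinds:
#   fw   : firewall flow log   (src, dst, dport)
#   sec  : Windows Security     (id=4720 user created, id=4732 added to local group)
#   proc : process creation     (host, user, cmd)
SAMPLE_LOG = """\
2025-07-30T02:10:01Z fw src=10.1.1.50 dst=10.1.2.10 dport=445
2025-07-30T02:10:02Z fw src=10.1.1.50 dst=10.1.2.11 dport=445
2025-07-30T02:10:02Z fw src=10.1.1.50 dst=10.1.2.12 dport=135
2025-07-30T02:10:03Z fw src=10.1.1.50 dst=10.1.2.13 dport=1433
2025-07-30T02:10:03Z fw src=10.1.1.50 dst=10.1.2.14 dport=445
2025-07-30T02:10:04Z fw src=10.1.1.50 dst=10.1.2.15 dport=445
2025-07-30T02:10:05Z fw src=10.1.1.50 dst=10.1.2.16 dport=135
2025-07-30T02:10:05Z fw src=10.1.1.50 dst=10.1.2.17 dport=445
2025-07-30T02:10:06Z fw src=10.1.1.50 dst=10.1.2.18 dport=445
2025-07-30T02:10:06Z fw src=10.1.1.50 dst=10.1.2.19 dport=1433
2025-07-30T02:15:00Z fw src=10.1.1.7 dst=10.1.2.10 dport=445
2025-07-30T02:20:11Z sec id=4720 host=FS01 subject=svc_backup target=helpdesk2
2025-07-30T02:20:13Z sec id=4732 host=FS01 subject=svc_backup target=helpdesk2 group=Administrators
2025-07-30T02:31:40Z proc host=FS01 user=helpdesk2 cmd="vssadmin delete shadows /all /quiet"
2025-07-30T02:40:02Z proc host=WS22 user=alice cmd="notepad.exe report.txt"
"""


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict; shlex keeps quoted values whole."""
    ts, kind, *rest = shlex.split(line)
    fields = dict(tok.split("=", 1) for tok in rest)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = kind
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_scans(events):
    """Flag a source that touches many distinct hosts on lateral-movement ports
    inside one SCAN_WINDOW; report the largest fan-out seen for that source."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "fw" and int(e["dport"]) in LATERAL_PORTS:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            end = start["ts"] + SCAN_WINDOW
            hosts = {e["dst"] for e in evs[i:] if e["ts"] <= end}
            best = max(best, len(hosts))
        if best >= SCAN_MIN_HOSTS:
            alerts.append(("lateral_scan", src, best))
    return alerts


def detect_admin_creation(events):
    """Flag an account created (4720) and then added to an admin group (4732)
    on the same host within ESCALATION_WINDOW."""
    created = {}  # (host, target account) -> time of 4720
    alerts = []
    for e in sorted((e for e in events if e["kind"] == "sec"), key=lambda e: e["ts"]):
        key = (e["host"], e["target"])
        if e["id"] == "4720":
            created[key] = e["ts"]
        elif e["id"] == "4732" and e.get("group", "").lower() in ADMIN_GROUPS:
            t0 = created.get(key)
            if t0 is not None and e["ts"] - t0 <= ESCALATION_WINDOW:
                alerts.append(("new_admin_account", e["host"], e["target"]))
    return alerts


def detect_shadow_deletion(events):
    """Flag process command lines that remove volume shadow copies."""
    return [("shadow_copy_deletion", e["host"], e["user"])
            for e in events if e["kind"] == "proc" and SHADOW_DELETE.search(e["cmd"])]


def run_all(text):
    events = parse_log(text)
    return detect_scans(events) + detect_admin_creation(events) + detect_shadow_deletion(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(*alert)
```

<p>On the constructed sample this yields one alert per rule: the scanning host, the newly created account that was placed in the local Administrators group two seconds later, and the shadow-copy deletion run under that same account. The single SMB connection from the second source stays below the fan-out threshold, which is the point of counting distinct destinations per window rather than raw connections.</p>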
<h2>From data collection to ransomware release</h2>
<p>Before starting the encryption, the attackers <em>exfiltrate sensitive information: the files are compressed with <strong>WinRAR</strong> and transferred out using tools such as <strong>rclone</strong> and <strong>FileZilla</strong></em>. They then deploy the <strong>Akira</strong> ransomware via executable files named <i>akira.exe</i> or <i>locker.exe</i>, encrypting network drives and dropping the ransom note.</p>
<h2>Recommendations for organizations</h2>
<p>Arctic Wolf experts urge all organizations using SonicWall appliances to take immediate action.</p>
<p>In particular, it is recommended to <strong>reset SSL VPN credentials</strong>, including Active Directory-linked accounts, especially if systems have previously run firmware vulnerable to <a href="https://www.redhotcyber.com/servizi/cve/?cve_id=CVE-2024-40766" target="_new _blank">CVE-2024-40766</a>. Simply applying patches is not considered sufficient if credentials have already been compromised.</p>
<div>
<div>
<div>
<div>
<p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p>
<p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">List of articles</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div>