Akira Ransomware Targets SonicWall VPNs, Bypasses MFA
Since July 2025, Akira ransomware has exploited SonicWall SSL VPNs, bypassing one-time password (OTP) multi-factor authentication, likely by using credentials stolen via CVE-2024-40766 or through OTP seed theft. The attacks are fast-moving, with minimal dwell time, which makes early detection critical.
The campaign affects SonicWall NSA and TZ devices running SonicOS 6–8, including patched versions. Despite updates, intrusions persist, suggesting stolen credentials remain valid across firmware upgrades.
Initial access often comes from VPS or privacy VPNs. Both local and LDAP-synced accounts were compromised, including those not intended for VPN use. Over half of the breaches involved OTP MFA accounts.
Once inside, attackers quickly scanned networks, used tools like Impacket and BloodHound for lateral movement, and extracted credentials from Veeam backups using custom PowerShell scripts. They created admin accounts, installed remote access tools (AnyDesk, TeamViewer), and maintained persistence via SSH tunnels and Cloudflare Tunnel.
To evade detection, they disabled security tools, deleted backups, and repackaged Microsoft’s consent.exe to mimic legitimate software. Data was exfiltrated using WinRAR and rclone/FileZilla, and ransomware was deployed within hours.
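The intrusion chain described above (VPN login from a hosting provider, new admin account, remote-access tool, exfiltration tool, all within hours) lends itself to a simple correlation rule. The following is an added example written for this page, not code from the article or from SonicWall; the event schema, the field names, the `kind` labels and the hosting-provider prefix list are all assumptions, and the sample events are constructed. It follows activity from the VPN user into any account that user creates, so the chain is still caught when the attacker switches to a freshly created account.

```python
"""Correlate a fast-moving post-VPN intrusion chain over constructed events.

Added example, not the article's or SonicWall's code. The event format below
is an assumed, already-normalised schema (one dict per event); the "kind"
labels are our own and simply mirror the behaviours described in the text.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: prefixes of hosting/VPS providers seen as VPN sources.
# TEST-NET-3 is used here as a constructed stand-in.
HOSTING_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Stages of the chain, in the order the article describes them.
STAGES = ["account_created", "admin_group_add", "remote_tool_install",
          "exfil_tool"]

# Constructed sample telemetry: one compromised session plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2025-07-10T02:01:00", "kind": "vpn_login", "user": "jdoe",
     "host": "fw-edge", "src_ip": "203.0.113.45", "mfa": "otp"},
    {"ts": "2025-07-10T02:14:00", "kind": "account_created", "user": "jdoe",
     "host": "dc01", "detail": "svc_backup2"},
    {"ts": "2025-07-10T02:15:00", "kind": "admin_group_add", "user": "jdoe",
     "host": "dc01", "detail": "svc_backup2 -> Administrators"},
    {"ts": "2025-07-10T02:40:00", "kind": "remote_tool_install",
     "user": "svc_backup2", "host": "fs01", "detail": "AnyDesk.exe"},
    {"ts": "2025-07-10T04:05:00", "kind": "exfil_tool",
     "user": "svc_backup2", "host": "fs01", "detail": "rclone.exe"},
    # Benign: an admin on the office range who does nothing else afterwards.
    {"ts": "2025-07-10T08:00:00", "kind": "vpn_login", "user": "admin2",
     "host": "fw-edge", "src_ip": "198.51.100.7", "mfa": "otp"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_hosting_ip(ip, prefixes=HOSTING_PREFIXES):
    """True when the source address falls inside an assumed hosting prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def correlate(events, window=timedelta(hours=12), min_stages=2):
    """Return one alert per VPN login followed by >= min_stages chain stages.

    Activity is attributed to the VPN user and to every account that user
    (or a followed account) creates inside the window.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, login in enumerate(events):
        if login["kind"] != "vpn_login":
            continue
        start = parse_ts(login["ts"])
        actors = {login["user"]}          # accounts whose actions we follow
        stages_hit = {}                   # stage -> first timestamp seen
        for ev in events[i + 1:]:
            if parse_ts(ev["ts"]) - start > window:
                break
            if ev["user"] not in actors:
                continue
            if ev["kind"] == "account_created":
                actors.add(ev["detail"])  # follow the newly created account
            if ev["kind"] in STAGES and ev["kind"] not in stages_hit:
                stages_hit[ev["kind"]] = ev["ts"]
        if len(stages_hit) < min_stages:
            continue
        last = max(parse_ts(t) for t in stages_hit.values())
        alerts.append({
            "user": login["user"],
            "src_ip": login["src_ip"],
            "from_hosting": is_hosting_ip(login["src_ip"]),
            "mfa": login.get("mfa"),
            "stages": [s for s in STAGES if s in stages_hit],
            "actors": sorted(actors),
            "minutes_to_last_stage": int((last - start).total_seconds() // 60),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The `mfa` field is carried into the alert on purpose: in this campaign the OTP check was satisfied, so a login that "passed MFA" must not be treated as a reason to close the alert.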
Key mitigation
Reset all SSL VPN and Active Directory credentials on any SonicWall device that ever ran vulnerable firmware.