Akira Ransomware Breaches MFA-Protected SonicWall VPN Accounts Using Old Stolen Passwords


372/68 Tuesday, September 30, 2025

The Akira ransomware group's ongoing campaign against SonicWall SSL VPN appliances has become more concerning as the intrusions have grown more sophisticated. Researchers recently found that the attackers can log into accounts even where Multi-Factor Authentication (MFA) with one-time password (OTP) codes is enabled. The attacks were initially suspected to involve a zero-day, but SonicWall later tied them to the previously disclosed Improper Access Control vulnerability CVE-2024-40766, which was patched in August 2024 and reported under active exploitation in September 2024. Attackers are still using credentials stolen from devices before they were patched to get back into networks, so patching alone did not end the exposure.

Cybersecurity company Arctic Wolf observed Akira operators logging into SonicWall firewall accounts despite OTP MFA being active. Several OTP challenges were issued before each successful login, which suggests that the attackers had either stolen OTP seeds (the secret from which the one-time codes are derived) at an earlier stage or found another way to produce valid tokens. Credentials taken from devices vulnerable to CVE-2024-40766 are still being used for re-entry after patching, echoing a similar campaign against SonicWall appliances that Google Threat Intelligence Group reported in July.
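To make concrete why a stolen OTP seed defeats this kind of MFA, here is an added example (not code from the article, Arctic Wolf or SonicWall) implementing RFC 6238 TOTP in Python. The enrolled seed is the RFC 6238 reference test seed, and the verifier, timestamps and scenario are constructed assumptions for illustration; SonicWall's actual OTP implementation is not described on the page.

```python
"""Why a stolen OTP seed defeats OTP MFA: anyone holding the seed computes the
same RFC 6238 codes as the user's authenticator app. The seed is the RFC 6238
reference test seed and the scenario is constructed; nothing here comes from
the Akira campaign or from a SonicWall appliance."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890" in base32). Constructed.
ENROLLED_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HMAC over the 8-byte time counter, then
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check (hypothetical, for illustration): accept a code for the
    current time step or one step either side, and consume each step at most
    once. This stops replay of an already-used code but does NOT stop an
    attacker who holds the seed, because they compute fresh codes at will."""

    def __init__(self, seed_b32: str, step: int = 30, digits: int = 6):
        self.seed = seed_b32
        self.step = step
        self.digits = digits
        self.used_steps: set[int] = set()

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in (now_step - 1, now_step, now_step + 1):
            expected = totp(self.seed, candidate * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, submitted):
                if candidate in self.used_steps:
                    return False  # replay of a code already consumed
                self.used_steps.add(candidate)
                return True
        return False


def stolen_seed_demo(unix_time: int = 1_234_567_890) -> dict:
    """Constructed scenario: the attacker exfiltrated the very seed the user
    enrolled with, so the code they generate offline passes verification."""
    server = OtpVerifier(ENROLLED_SEED)
    attacker_code = totp(ENROLLED_SEED, unix_time)   # computed offline from the stolen seed
    accepted = server.verify(attacker_code, unix_time)  # True: the seed is all that is needed
    replayed = server.verify(attacker_code, unix_time)  # False: same step already consumed
    return {"code": attacker_code, "accepted": accepted, "replay_accepted": replayed}
```

The window and replay check are ordinary server-side hygiene and are worth having, but they only matter against someone who captured a single code. Whoever holds the seed is indistinguishable from the legitimate authenticator, which is why re-enrolling users (issuing new seeds) has to accompany a password reset if seed theft is suspected.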

Once inside a network, Akira actors move quickly, often scanning the internal network within five minutes of logging in. To expand access and stay hidden they log in over RDP, probe Active Directory, and target Veeam Backup & Replication servers to extract and decrypt the credentials stored there. They have also used Bring-Your-Own-Vulnerable-Driver (BYOVD) tradecraft: a legitimate Microsoft executable is abused to load a malicious DLL, and a vulnerable driver is then exploited to terminate endpoint protection processes so the ransomware can run unimpeded.
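The two observable behaviours in this and the preceding paragraph, a run of OTP challenges just before a successful login and a burst of internal connections within five minutes of it, can be hunted for in VPN and firewall logs. The Python below is an added example, not code from the article or from Arctic Wolf; the log format, field names, thresholds and every record are constructed for illustration and must be mapped onto the real syslog fields of the appliance before use.

```python
"""Hunt for (1) several OTP challenges immediately before a successful VPN
login and (2) a burst of internal connections within five minutes of that
login. The pipe-delimited format and all records are CONSTRUCTED for this
example; they are not SonicWall's native syslog layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, format: time|event|user|src_ip|dst_ip (dst empty for auth events)
_BASE = datetime(2025, 9, 29, 1, 0, 0)
SAMPLE_LOGS = [
    "2025-09-29T01:00:05|otp_challenge|jdoe|203.0.113.7|",
    "2025-09-29T01:00:21|otp_challenge|jdoe|203.0.113.7|",
    "2025-09-29T01:00:40|otp_challenge|jdoe|203.0.113.7|",
    "2025-09-29T01:00:58|otp_challenge|jdoe|203.0.113.7|",
    "2025-09-29T01:01:10|login_success|jdoe|203.0.113.7|",
] + [
    # 25 distinct internal hosts touched in the two minutes after login (a scan)
    f"{(_BASE + timedelta(seconds=90 + 5 * i)).isoformat()}|connection|jdoe|203.0.113.7|10.0.0.{i}"
    for i in range(1, 26)
] + [
    # a normal user: one challenge, one success, one connection
    "2025-09-29T08:15:02|otp_challenge|asmith|198.51.100.9|",
    "2025-09-29T08:15:20|login_success|asmith|198.51.100.9|",
    "2025-09-29T08:16:00|connection|asmith|198.51.100.9|10.0.0.25",
]


def parse(lines):
    """Split each record into a dict and return them sorted by time."""
    events = []
    for line in lines:
        ts, event, user, src, dst = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src, "dst": dst or None})
    events.sort(key=lambda e: e["time"])
    return events


def _by_session(events):
    """Group events by (user, source address), preserving time order."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["src"])].append(e)
    return groups


def otp_hammering(events, min_challenges=3, window=timedelta(minutes=10)):
    """Flag logins preceded by >= min_challenges OTP challenges within `window`
    from the same user and source address (thresholds are assumptions)."""
    hits = []
    for (user, src), evs in _by_session(events).items():
        pending = []
        for e in evs:
            if e["event"] == "otp_challenge":
                pending.append(e["time"])
            elif e["event"] == "login_success":
                recent = [t for t in pending if e["time"] - t <= window]
                if len(recent) >= min_challenges:
                    hits.append({"user": user, "src": src,
                                 "challenges": len(recent), "login": e["time"]})
                pending = []
    return hits


def post_login_scan(events, min_hosts=10, window=timedelta(minutes=5)):
    """Flag logins followed within `window` by connections to >= min_hosts
    distinct destinations from the same user and source (thresholds assumed)."""
    hits = []
    for (user, src), evs in _by_session(events).items():
        for login in (e for e in evs if e["event"] == "login_success"):
            hosts = {e["dst"] for e in evs
                     if e["event"] == "connection" and e["dst"]
                     and login["time"] < e["time"] <= login["time"] + window}
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "src": src,
                             "distinct_hosts": len(hosts), "login": login["time"]})
    return hits


def hunt(lines=SAMPLE_LOGS):
    """Run both detections over a list of records and return the findings."""
    events = parse(lines)
    return {"otp_hammering": otp_hammering(events),
            "post_login_scan": post_login_scan(events)}
```

Both detections key on the same (user, source address) pair so that a legitimate user who mistypes a code once is not conflated with a different session; tune the challenge count, host count and windows to the baseline of your own environment before alerting on them.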

Administrators are strongly advised to reset all VPN account passwords on any device that ever ran vulnerable firmware and to install the latest SonicOS firmware; this cuts off the initial access vector through stolen accounts. Because the observations above suggest that OTP seeds may have been taken along with the passwords, users should also be re-enrolled in MFA so that new seeds are issued, and VPN authentication logs should be reviewed for runs of OTP challenges immediately preceding a successful login.

Source https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/