A new wave of cyberattacks targeting organizations using SonicWall firewalls has been actively deploying Akira ransomware<\/a> since late July 2025.<\/p>\n Security researchers at Arctic Wolf Labs detected a surge in this activity, which remains ongoing. Threat actors are gaining initial access through malicious SSL VPN logins, successfully bypassing multi-factor authentication<\/a> (MFA), and then rapidly moving to encrypt data within hours.<\/p>\n The campaign appears to be an opportunistic mass exploitation, affecting victims across various sectors. The initial point of entry is a malicious login to a SonicWall SSL VPN, often originating from Virtual Private Server (VPS) hosting providers instead of typical corporate networks.<\/p>\n Alarmingly, attackers have successfully authenticated against accounts protected with SonicWall\u2019s One-Time Password (OTP) MFA feature.<\/p>\n SonicWall has linked these malicious logins to CVE-2024-40766<\/a>, an improper access control vulnerability disclosed in 2024.<\/p>\n The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched.<\/p>\n This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.<\/p>\n Once inside a network, the attackers operate with remarkable speed. The time from initial access to ransomware deployment, known as \u201cdwell time,\u201d is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.<\/p>\n Attackers use compromised credentials to log into SonicWall SSL VPNs, bypassing OTP MFA. Within minutes of logging in, attackers begin internal network scanning for open ports like SMB (445), RPC (135), and SQL (1433). They use tools like Impacket, SoftPerfect Network Scanner, and Advanced IP Scanner<\/a> for discovery and lateral movement.<\/p>\n The threat actors create new administrator accounts, escalate privileges for existing accounts, and install remote management tools like AnyDesk, TeamViewer, and RustDesk to maintain access. They also establish persistence using SSH reverse tunnels and Cloudflare Tunnels.<\/p>\n To operate undetected, attackers attempt to disable endpoint security products like Windows Defender and other EDR solutions<\/a>. They use a \u201cbring-your-own-vulnerable-driver\u201d (BYOVD<\/a>) technique to tamper with security software at the kernel level and delete Volume Shadow Copies to prevent system restoration.<\/p>\n Before encryption, attackers steal sensitive data. They package files using WinRAR and exfiltrate them with tools like Arctic Wolf recommends<\/a> that organizations using SonicWall devices take immediate action. The most critical step is to reset all SSL VPN credentials, including related Active Directory<\/a> accounts, especially if the devices have ever run firmware vulnerable to CVE-2024-40766. Patching alone is insufficient if credentials have already been compromised.<\/p>\n Organizations should also monitor for suspicious VPN logins from hosting providers and look for anomalous SMB activity indicative of Impacket use.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Threat Actors Exploiting SonicWall Firewalls to Deploy Akira Ransomware Using Malicious Logins<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_qSPFeDYTxxYrvKP5Y6M0uBRq-o8fO-qXDstVy0OiUQiFgAQBZj4nBE5gWO1BD71Yas-QNw_sdeBd5ARtjhpo9hP2-IcmB07IrrNCRjjmzJWnn9g4dxtq_MT-ZrVE1OZ0nFngSayDmzEHLF9ztIb4YvSxmZYzVdLbbE0o5ngvQ97uiwMerQZZV01yPgRt\/s16000\/Malicious%2520SSL%2520VPN%2520Login.webp?ssl=1\")
<\/figure>\nAttack Sequence<\/strong><\/h2>\n
rclone<\/code> and FileZilla. Finally, they deploy the Akira ransomware (using executables named akira.exe<\/code> or locker.exe<\/code>) to encrypt network drives and demand a ransom.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgFjx_218ChX-Sv_v7ACIdb9LQvD5OEmXqARkCEE7vWbuVPSB3nPbWwDpacPsZ8doDPatWklEBiFyrppj3HU3I3egCrHU31NKJMem0uAi6fO_A_5SdYNiuCSD9vEb7-oUdMhF6NdCcIue_WAc-Gr3zcV5MXmlAUOStHoZXxku-aJ45-ZVX56lipdZ8ppH76\/s16000\/Cloudflare%2520Tunnel.webp?ssl=1\")
<\/figure>\n<\/ol>\n