Akira Ransomware Targets SonicWall VPNs: MFA Bypass and Rapid Lateral Movement

SonicWall VPN users face an immediate, high‑risk reality: the Akira ransomware group is actively compromising SSL VPN accounts — and in multiple confirmed incidents attackers have authenticated into accounts protected by SonicWall’s built‑in one‑time‑password (OTP) MFA.

Overview

In late July 2025 security teams began observing a concentrated wave of SSL VPN authentications against SonicWall appliances that rapidly preceded internal scanning, SMB discovery activity using Impacket, and same‑day Akira ransomware deployment. Arctic Wolf Labs first published a detailed analysis of the campaign on September 26, 2025 and concluded that the pace — from VPN login to ransomware — is often measured in minutes to an hour.
Vendor and third‑party research points to a more complicated origin story than a fresh zero‑day: the activity appears tied to a previously disclosed SonicWall improper access control flaw (CVE‑2024‑40766) and to a separate MySonicWall cloud backup exposure that released device configuration files containing credentials and metadata useful to attackers. SonicWall and multiple incident responders advise assuming credential compromise for any device that once ran vulnerable firmware and treating MySonicWall‑backed preference files as potentially weaponized.

Background: timeline and why this matters

  • August 2024 — SonicWall publicly disclosed CVE‑2024‑40766 and published patches; the issue was added to federal KEV lists later that year.
  • July 21, 2025 — Arctic Wolf observed the earliest intrusions associated with the current Akira SSL VPN campaign.
  • September 17, 2025 — SonicWall disclosed a MySonicWall cloud backup incident that exposed a subset of customer “preference” files; the vendor urged immediate credential rotation and remediation.
These events combine into an operational threat picture worth repeating: edge appliances with historic vulnerabilities, exported configuration archives that can include VPN PSKs, tokens or certificate identifiers, and credential reuse across services create a potent shortcut for attackers to reach internal networks quickly. Multiple security vendors — Rapid7, Arctic Wolf, and others — have observed that Akira’s operators either revisit old compromises or weaponize leaked secrets rather than depend solely on novel zero‑day bugs.

What we know about the Akira campaign (technical summary)

Initial access patterns

Arctic Wolf and Rapid7 have documented a consistent initial access signature: SSL VPN logins from hosting‑provider or VPS IP addresses, often followed within several minutes by internal scanning and lateral‑movement tooling. These login events are unusual because legitimate VPN sessions typically originate from broadband or corporate SASE providers rather than cloud hosting ranges.
Key observed elements:
  • Successful SSL VPN authentications on accounts that had OTP MFA enabled.
  • Rapid port scanning and use of Impacket SMB tooling for discovery and credential abuse.
  • Ransomware deployment (Akira) and file encryption often occurring within an hour of the initial VPN login.

Why MFA protections failed in observed incidents

Multiple responders observed successful logins to OTP‑protected accounts. The exact mechanism remains under investigation and varies by incident, but leading hypotheses — corroborated by Arctic Wolf and Google Threat Intelligence Group — include:
  • Theft of OTP seeds / shared secrets (seed files or tokens) from device backups or earlier breaches, enabling offline generation of valid OTP codes. Arctic Wolf and other researchers warned that if OTP seeds were present in exported preference files, attackers could produce valid codes without modifying device MFA settings.
  • Reuse of legacy credentials or migration‑related misconfigurations (for example, user accounts migrated from Gen‑6 appliances to Gen‑7 without password rotations), which preserve previously exposed credentials and any associated authentication artifacts. Rapid7 and SonicWall have both described migration‑related risk.
  • Abuse of non‑interactive or API‑style authentication flows that are not held to the same monitoring or conditional‑access constraints as interactive logins; this can let attackers replay tokens or authenticate service accounts without user prompts. Independent analyses of related attack classes show this vector is increasingly important.
Caveat: there is currently no single, universally accepted proof showing Akira used a novel SonicWall zero‑day to bypass MFA. Public reporting points to a mixture of credential theft, exposed backups, and misconfiguration. Where a claim is not fully verified, investigators label it as “probable” rather than definitive.

Lateral movement and speed

Once inside, operators consistently scan internal address spaces and use off‑the‑shelf discovery tools and Impacket SMB modules to identify and access Windows hosts. In the incidents Arctic Wolf described, the chain follows a tight cadence: connect via SSL VPN → immediate internal scan → credential reuse or Pass‑the‑Hash / SMB attempts → payload staging and driver‑based tampering of endpoint protections → Akira ransomware encryption. The time from initial VPN login to finished ransomware deployment is unusually short compared to many other ransomware families.

The two structural failures that amplify this threat

1) CVE‑2024‑40766: an old weakness with new consequences

CVE‑2024‑40766 is an improper access control vulnerability in SonicOS that SonicWall disclosed in August 2024 and patched shortly after. It affected many Gen‑5 and Gen‑6 appliances and Gen‑7 devices running older SonicOS builds. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog during 2024. Researchers warn that credentials or artifacts exfiltrated from devices vulnerable to CVE‑2024‑40766 can be reused later — even after the device is patched. Rapid7 and SonicWall both emphasize remediation and credential rotation for any device that once ran vulnerable firmware.
Why this still matters today:
  • Patch application does not invalidate credentials or OTP seeds that attackers may have already stolen. Those artifacts can be reused against updated devices and services.
  • Firmware upgrades and migration processes can inadvertently carry forward legacy credentials, widening the window of risk if teams don’t reset accounts during transitions.

2) MySonicWall cloud backup exposure: configuration files as attack playbooks

On September 17, 2025 SonicWall disclosed a MySonicWall incident where a subset of customer cloud “preference” files (configuration backups) were accessed by an unauthorized actor. Those files can include VPN profiles, PSKs, RADIUS/LDAP endpoints, certificate identifiers, and in some cases references to private keys or stored secrets. SonicWall and incident responders urged immediate credential rotation and the import of a vendor remediation preference file to reset exposed items.
Why exported configs are dangerous:
  • They act as a prebuilt map of internal topology and stored authentication material.
  • With a preference file in hand, attackers can reconstitute VPN profiles or replay tokens — making authentication appear legitimate and simplifying lateral movement.
  • Even if stored secrets were encrypted, metadata and token identifiers materially shorten adversary reconnaissance and attack preparation.

Cross‑verification: three independent confirmations

To ensure the analysis rests on more than one source, note the following co‑validation:
  • Arctic Wolf documented the Akira campaign and shared IoCs and attack timelines, including OTP‑protected account compromises.
  • Rapid7 wrote about CVE‑2024‑40766 and issued incident response guidance connecting the vulnerability to observed intrusions, and subsequently published a detection update tying MySonicWall concerns to broader compromise paths.
  • SonicWall’s own product notices and MySonicWall advisory instruct customers to rotate credentials and to assume exposed backups could enable exploitation — a vendor confirmation of the operational risk.
These three independent threads — vendor disclosure, managed detection vendors, and incident response vendors — converge on the same practical outcome: treat credentials and backup artifacts as potentially stolen and prioritize rotation and hunt‑and‑contain activities.

Immediate technical recommendations (operational checklist)

For security teams responsible for SonicWall appliances or for organizations relying on SonicWall SSL VPN for remote access, implement the following with urgency:
  • Reset and rotate all SSL VPN credentials and administrative passwords for any device that ever ran firmware vulnerable to CVE‑2024‑40766.
  • Reset Active Directory service accounts used for LDAP synchronization and for SSL VPN access; assume LDAP credentials may have been captured and abused.
  • Log into MySonicWall and check for flagged serial numbers; if your devices are flagged, follow SonicWall’s remediation preference file or manual playbook immediately.
  • Enforce least‑privilege and remove unused local firewall accounts; ensure only necessary accounts have SSL VPN privileges.
  • Where practical, restrict Virtual Office/portal access to known IP ranges or to corporate SASE links; block hosting‑related ASNs and suspicious VPS ranges at the perimeter.
  • Audit logs (management, VPN, RADIUS/LDAP, EDR) for unusual login patterns, client imports, or post‑login lateral activity — hunt aggressively for Impacket SMB operations and scripts dropping in %Temp% or Downloads.
  • Consider temporarily disabling SSL VPN (or moving to certificate‑based VPN) until remediation and hardening are complete; limit admin plane exposure (disable web/SSH management from WAN).
Short‑term triage must assume attacker dwell time is measured in hours. Rapid containment — isolating affected hosts, rotating secrets, and hunting for follow‑on activity — is the difference between an incident and a full‑scale ransomware outage.

Long‑term mitigations and architecture changes

Beyond immediate remediation, organizations should aim to harden processes and redesign fragile elements that enabled this exploitation:
  • Remove secrets from exported configuration files. Use vault references or managed secret injection to avoid embedding PSKs, API keys, or passwords in backups.
  • Adopt customer‑controlled encryption for cloud backups (client‑side keys) so vendor or portal compromise does not yield usable plaintext artifacts.
  • Enforce certificate‑based authentication for non‑interactive service accounts and consider short‑lived credentials for automated flows.
  • Implement strict conditional access and geo‑fencing for remote access; require device posture checks for VPN clients and block known hosting provider IP ranges for end‑user logins.
  • Integrate device‑configuration backups into the organization’s backup governance and tabletop exercises; treat preference files as sensitive data with the same controls as database backups.
These changes reduce systemic risk by removing single points of failure and making stolen artifacts less reusable.

Detection playbook (what to watch for)

Security operations centers should prioritize detection rules and hunts that directly map to the Akira campaign tradecraft:
  • Alerts for SSL VPN logins originating from hosting‑provider ASNs or VPS ranges.
  • Repeated periodic login attempts from a single client IP across multiple accounts (evidence for scripted authentication).
  • Early internal scanning originating from VPN client IPs, followed by Impacket SMB connections and discovery tool execution.
  • Unexpected safe‑mode DLLs, unsigned kernel driver loads, or ACL tampering on Windows endpoints — post‑compromise artifacts Arctic Wolf observed in multiple intrusions.
Rule parity across network and endpoint telemetry, combined with fast incident response runbooks, is critical because attackers operate on a compressed timeline.
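An added example, not code from the article or from any of the vendors it cites, that runs the first two hunts in this playbook (hosting‑range logins, and one client IP cycling through several accounts) and the hosting‑provider login signature described under "Initial access patterns" over a handful of constructed SSL VPN authentication records. The record format, the hosting‑range table, the five‑minute window and the three‑account threshold are all assumptions chosen for illustration, not SonicWall's real log schema or a real ASN feed.

```python
"""Hunt SSL VPN auth events for hosting/VPS-sourced logins and for a single
client IP touching many accounts in a short window (scripted authentication).
Log format, HOSTING_RANGES and thresholds are constructed for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ts> user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2025-07-21T03:12:04Z user=jdoe src=203.0.113.7 result=ok
2025-07-21T03:12:09Z user=asmith src=203.0.113.7 result=fail
2025-07-21T03:12:14Z user=bwong src=203.0.113.7 result=ok
2025-07-21T03:12:19Z user=svc_ldap src=203.0.113.7 result=ok
2025-07-21T08:40:00Z user=ckim src=198.51.100.22 result=ok
2025-07-21T08:41:00Z user=jdoe src=198.51.100.22 result=fail
"""

# Placeholder stand-in for a hosting-provider / VPS range feed (assumed values).
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.split("=", 1)[1],
            "src": ipaddress.ip_address(src.split("=", 1)[1]),
            "ok": result.split("=", 1)[1] == "ok",
        })
    return events

def hosting_logins(events):
    """Successful logins whose source address sits in hosting/VPS space."""
    return [e for e in events if e["ok"] and any(e["src"] in n for n in HOSTING_RANGES)]

def account_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Client IPs that touch >= min_accounts distinct users inside `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[str(src)] = sorted(users)
                break
    return flagged
```

Both hunts key on the same VPN auth feed, so they can run in one pass; failed attempts count toward the spray detection because scripted authentication shows up as attempts, not only successes.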

Risk assessment and likely attacker motivations

Akira is a financially motivated ransomware group that historically targets Windows and Linux infrastructure to extort victims. The opportunistic nature of the campaign — victims across industries and company sizes — suggests mass exploitation rather than bespoke targeting. Attackers favor fast, high‑impact playbooks: authenticate, perform reconnaissance, and deploy ransomware quickly to maximize encryption success and limit detection.
Organizational risk factors that increase likelihood of compromise:
  • Failure to rotate credentials after firmware updates or migrations.
  • Use of MySonicWall cloud backups without client‑side encryption or strict RBAC.
  • Allowing SSL VPN access from broadly routable IP ranges or not filtering hosting‑provider blocks.
Risk mitigation must therefore be both technical (patches, rotation, access controls) and procedural (migration playbooks that mandate credential resets and backup governance).

What remains unresolved — and where to be cautious

  • The precise chain for every OTP bypass observed in the wild is not fully documented in public disclosures. Arctic Wolf and other teams have identified plausible mechanisms (stolen OTP seeds, reuse of migrated credentials, misconfigurations), but no single universally applicable bypass method has been publicly demonstrated for all incidents. Until forensic reports detail seed‑theft artifacts or other incontrovertible mechanisms, treat some claims as probable but not proven.
  • SonicWall’s MySonicWall advisory states fewer than 5% of customer devices had backups accessed; however, the vendor did not publish an exact affected‑customer count or a full forensic breakdown at the time of the advisory. Administrators must therefore assume a conservative posture: verify account flags and rotate all credentials where backups were enabled.
  • Attribution and linkage to a single actor group can be fluid; while Rapid7 and others tie the activity to Akira, elements of the tradecraft may be shared among affiliates or copycats. Focus remediation on the tactical controls described above rather than relying on attribution for immediate defense.

Final analysis: strengths, weaknesses, and practical takeaways

Strengths observed in the response ecosystem:
  • Rapid vendor disclosure by SonicWall and coordinated advisories from CISA and multiple security vendors produced an actionable remediation playbook quickly.
  • Independent detection vendors (Arctic Wolf, Rapid7) provided IoCs and behavior‑based detection guidance that most SOCs can operationalize quickly.
Weaknesses and risks:
  • Cloud‑hosted configuration backups without customer‑controlled encryption create a systemic single point of failure for device configuration secrets.
  • Credential reuse, migration oversights, and gaps in non‑interactive authentication monitoring make MFA less effective in practice than it is in theory.
Practical takeaways for administrators and security leaders:
  • Assume secrets were stolen if your SonicWall device ever ran vulnerable firmware or had cloud backups enabled. Rotate everything that might be affected.
  • Harden VPN access and management planes immediately — restrict IPs, enforce certificates, and disable WAN admin where feasible.
  • Treat exported preference files and backup snapshots as high‑sensitivity data going forward and demand client‑side encryption from vendors where possible.

Conclusion

The Akira campaign against SonicWall SSL VPNs foregrounds a clear lesson for network security: device patching is necessary but not sufficient. Stolen configuration artifacts, legacy credentials carried across migrations, and insecure backup practices let attackers bypass controls we once treated as reliable — including OTP‑based MFA in specific incidents. The combined vendor and third‑party guidance is unequivocal: if you used MySonicWall backups or ever ran firmware affected by CVE‑2024‑40766, act now — rotate credentials, audit logs, and harden access paths. The window for effective response is short; the cost of delay is measured not in weeks but in hours.
For operators, the immediate plan is straightforward and urgent: verify whether you are flagged in MySonicWall, rotate exposed and migrated credentials, restrict VPN and admin access, and hunt for early signs of Impacket SMB activity. For security architects, the longer task is structural: stop putting secrets in vendor‑accessible backups and make configuration backups as untouchable as your most sensitive database snapshots.
Taking these steps now materially reduces the probability that a fast, opportunistic campaign like Akira’s will convert a single edge compromise into a full‑scale ransomware incident.

Source: BornCity Akira hacks SonicWall VPN accounts (even those with MFA protection) | Born's Tech and Windows World