Cybercriminals Target SonicWall Firewalls to Deploy Akira Ransomware via Malicious Login Attempts


Security teams face a rapidly evolving campaign that abuses compromised SonicWall SSL VPN credentials to deliver Akira ransomware in under four hours—dwell times among the shortest ever recorded for this type of threat.

Within minutes of successful authentication—often originating from hosting-related ASNs—threat actors initiated port scans, leveraged Impacket SMB tools for discovery, and deployed the Akira ransomware across diverse environments.

Targets ranged from small enterprises to large organizations in multiple sectors, indicating an opportunistic, wide-scale exploitation. New malicious infrastructure tied to this campaign continued to be observed as recently as September 20, 2025.

SonicWall attributes these unauthorized logins to exploitation of CVE-2024-40766, an improper access control flaw disclosed in September 2024.

In late July 2025, Arctic Wolf Labs detected a surge of suspicious login attempts against SonicWall SSL VPN services.

Credentials harvested from vulnerable devices appear to remain valid even on patched firewalls, enabling attackers to bypass one-time-password (OTP) multi-factor authentication and authenticate against MFA-protected accounts.

SonicWall's August 2025 notice confirmed that MFA seeds could be brute-forced or obtained offline, allowing legitimate-looking logins without evidence of MFA unbinding or configuration tampering.

Initial access consistently involved SSL VPN client logins from virtual private server infrastructure rather than expected broadband or SD-WAN origins.

Malicious SSL VPN login activity spaced out over consistent intervals.

In several incidents, LDAP synchronization accounts, which were never intended for remote VPN access, were observed authenticating successfully. Almost immediately, intrusions progressed to internal network reconnaissance.

Legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner executed from temporary directories, followed by Impacket-style SMBv2 session setup requests targeting RPC, NetBIOS, SMB, and SQL ports.

Active Directory enumeration then exploited built-in utilities (nltest, dsquery) and PowerShell cmdlets (Get-ADUser, Get-ADComputer) to harvest user, computer, and share information.

In numerous cases, attackers used SQLCMD and custom PowerShell scripts to extract backup credentials from Veeam Backup & Replication databases—targeting both MSSQL and PostgreSQL instances.

The Get-EncryptionSalt PowerShell function retrieves the encryption salt from the file system.

Extracted credentials facilitated local and domain account creation, installation of remote-access tools (AnyDesk, TeamViewer, RustDesk), and establishment of SSH reverse tunnels or Cloudflare Tunnel services for persistent access.

To evade detection, threat actors disabled legitimate RMM software, deleted Volume Shadow Copy snapshots, and used registry tweaks to disable User Account Control.

Bring-Your-Own-Vulnerable-Driver techniques repackaged Microsoft’s consent.exe to load malicious DLLs that manipulated kernel ACLs, effectively neutering security processes like MsMpEng.exe without triggering alerts. Geofencing logic within the malicious DLLs excluded Eastern European locales, suggesting a targeted intent.

Data staging leveraged WinRAR to bundle recent files into 3 GB chunks, followed by exfiltration via rclone or FileZilla SFTP to attacker-controlled VPS servers.

The Akira encryptor binaries—named akira.exe, locker.exe, or w.exe—then launched, encrypting drives and network shares within hours. In some intrusions, encryption commenced as quickly as 55 minutes after initial access.

Recommendations

  • Reset all SSL VPN and LDAP-synchronized credentials on devices that have ever run firmware vulnerable to CVE-2024-40766, including OTP seeds.
  • Block or monitor VPN logins from hosting ASNs and anonymization services.
  • Implement network-based detection for Impacket-style SMBv2 session setups.
  • Enforce application control to deny execution from temporary and user-writable directories.
  • Restrict VPN authentication to centralized identity providers via SSO/SAML, isolating credential management from firewall appliances.
  • Review MySonicWall cloud backup incident remediation to determine if credential resets are warranted.

Early detection is critical: anomalous VPN login patterns, hosting ASN origins, and unexpected SMB discovery activity provide the best opportunities to interrupt this campaign before encryption.
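As an added illustration (not code from Arctic Wolf, SonicWall, or the original article), the following Python flags the three signals named above in constructed, firewall-style VPN login records: successful logins from hosting ASNs, VPN logins by LDAP-synchronized service accounts, and logins from one source at near-constant intervals. The log format, the ASN list and the account names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed: ASNs the organisation classifies as hosting/VPS providers
# (private-use ASN numbers, placeholders only).
HOSTING_ASNS = {"AS64496", "AS64497"}
# Constructed: LDAP-synchronised service accounts that must never use the VPN.
NO_VPN_ACCOUNTS = {"svc-ldapsync"}

# Constructed key=value lines loosely modelled on firewall VPN auth events.
SAMPLE_LOG = """\
time=2025-07-30T02:00:00Z user=jdoe src=203.0.113.10 asn=AS64499 result=success
time=2025-07-30T02:10:00Z user=svc-ldapsync src=198.51.100.7 asn=AS64496 result=success
time=2025-07-30T02:20:00Z user=svc-ldapsync src=198.51.100.7 asn=AS64496 result=success
time=2025-07-30T02:30:00Z user=svc-ldapsync src=198.51.100.7 asn=AS64496 result=success
time=2025-07-30T02:40:00Z user=svc-ldapsync src=198.51.100.7 asn=AS64496 result=success
"""

def parse(line):
    """Split one key=value record and parse its timestamp."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return rec

def regular_interval(times, min_count=4, tolerance_s=30):
    """True when >= min_count events are spaced at near-constant gaps (machine-driven)."""
    if len(times) < min_count:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= tolerance_s

def analyse(log_text):
    """Return (finding_kind, user, src_ip) tuples for suspicious successful logins."""
    recs = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings, by_src = [], defaultdict(list)
    for r in recs:
        if r["result"] != "success":
            continue
        if r["asn"] in HOSTING_ASNS:
            findings.append(("hosting_asn", r["user"], r["src"]))
        if r["user"] in NO_VPN_ACCOUNTS:
            findings.append(("service_account_vpn", r["user"], r["src"]))
        by_src[r["src"]].append(r["time"])
    for src, times in by_src.items():
        if regular_interval(sorted(times)):
            findings.append(("regular_interval", None, src))
    return findings
```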

Using IRP packets, the malware identifies specific security processes (e.g., MsMpEng.exe and SecurityHealthService.exe) and then weaponizes Windows Access Control Lists (ACLs) at the kernel level to disable them.

SysInternals DebugView output showing a malicious driver being loaded and ACL tampering to disable security processes.

Organizations should treat credential security for edge devices as essential and assume that patching alone is insufficient without credential resets and robust monitoring.

Arctic Wolf Labs continues to monitor this threat, collaborating with SonicWall and the security community to refine detections and protect against further exploitation.
