Ethical Hacking News
A new ransomware variant, dubbed "Akira", has successfully bypassed multi-factor authentication (MFA) on SonicWall SSL VPNs, causing significant disruptions and financial losses. The attack highlights the ongoing threat posed by vulnerabilities in widely used security systems and the importance of staying up-to-date with patches and best practices.
Researchers have discovered a new ransomware variant, dubbed "Akira", that has successfully bypassed multi-factor authentication (MFA) on SonicWall SSL VPNs. The attack began in July 2025 and has already spread across multiple sectors, causing significant disruptions and financial losses. The attackers gained access to accounts by exploiting the CVE-2024-40766 vulnerability, even on devices that had since been patched with recent firmware updates. Despite SonicWall's efforts to harden against brute force and MFA attacks, intrusions continue on patched devices. The attack used unusual initial access methods, such as malicious SSL VPN logins from VPS providers. The attackers moved rapidly after gaining access, using various tools for lateral movement and data exfiltration. Resetting all SSL VPN credentials on affected devices is the most crucial mitigation to prevent similar attacks in the future.
In a recent development that has sent shockwaves through the cybersecurity community, researchers have discovered a new ransomware variant, dubbed "Akira", that has successfully bypassed multi-factor authentication (MFA) on SonicWall SSL VPNs. The attack, which is believed to have begun in July 2025, has already spread across multiple sectors, causing significant disruptions and financial losses.
According to the research firm Arctic Wolf, the Akira ransomware campaign targets SonicWall NSA and TZ series devices running SonicOS 6–8, including recent 7.3.0 builds. The attackers, who are believed to have obtained stolen credentials or OTP seeds from earlier exploitation of the CVE-2024-40766 vulnerability, were able to bypass MFA on accounts by exploiting the same vulnerability.
The researchers noted that despite SonicWall releasing updates to harden against brute force and MFA attacks, intrusions continue, even on patched devices. This highlights the ongoing threat posed by vulnerabilities in widely used security systems and the importance of keeping up-to-date with patches and best practices.
The Akira ransomware campaign shows initial access via malicious SSL VPN logins from VPS providers, which is unusual compared to typical broadband or SD-WAN logins. In some attacks, threat actors also used privacy VPNs. Both local and LDAP-synced accounts were targeted, including AD sync accounts not configured for VPN use.
The attackers moved rapidly after gaining access, typically scanning the internal network within five minutes using tools like SoftPerfect and Advanced IP Scanner, targeting RPC/NetBIOS/SMB/SQL ports. They used Impacket (SMB sessions, WMIExec-style quser redirection) and RDP for lateral movement, and deployed AD enumeration with nltest, dsquery, Get-ADUser/Get-ADComputer, SharpShares, BloodHound, ldapdomaindump and related tools.
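The two indicators above (SSL VPN logins from hosting/VPS address space by accounts not entitled to VPN use, followed by internal port scanning within about five minutes) can be correlated from VPN and firewall logs. The following is an added example, not code from the article or from Arctic Wolf; the log fields, the VPS prefix list, the entitlement set and all sample events are constructed.

```python
# Added example: correlate SSL VPN logins from hosting/VPS ranges with
# internal recon shortly afterwards. Field names, prefixes and events are constructed.
from datetime import datetime, timedelta
import ipaddress

# Constructed: hosting/VPS prefixes an analyst would load from an ASN-to-prefix feed.
VPS_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed: accounts entitled to SSL VPN use; the AD sync account is deliberately absent.
VPN_ALLOWED = {"jdoe", "asmith"}
SCAN_WINDOW = timedelta(minutes=5)
RECON_PORTS = {135, 137, 139, 445, 1433}   # RPC / NetBIOS / SMB / MSSQL

VPN_LOGINS = [  # constructed: (time, user, source IP, VPN-assigned internal IP)
    ("2025-07-14T02:10:05", "jdoe",   "192.0.2.10",   "10.10.0.21"),
    ("2025-07-14T02:14:40", "adsync", "203.0.113.55", "10.10.0.22"),
]
FIREWALL_DENIES = [  # constructed: (time, internal source IP, destination port)
    ("2025-07-14T02:15:01", "10.10.0.22", 445), ("2025-07-14T02:15:01", "10.10.0.22", 135),
    ("2025-07-14T02:15:02", "10.10.0.22", 1433), ("2025-07-14T02:15:03", "10.10.0.22", 139),
    ("2025-07-14T02:40:00", "10.10.0.21", 445),   # lone deny, outside any login window
]

def ts(s):
    return datetime.fromisoformat(s)

def is_vps(ip):
    """True if the source address falls in a known hosting/VPS prefix."""
    return any(ipaddress.ip_address(ip) in net for net in VPS_PREFIXES)

def triage(logins, denies, min_ports=3):
    """Return one finding per suspicious login, listing every reason that fired."""
    findings = []
    for t, user, src, internal in logins:
        t0, reasons = ts(t), []
        if is_vps(src):
            reasons.append(f"login from hosting/VPS range {src}")
        if user not in VPN_ALLOWED:
            reasons.append(f"account {user} not entitled to SSL VPN")
        # Distinct recon ports probed by the assigned VPN address inside the window
        ports = {p for dt, s, p in denies
                 if s == internal and p in RECON_PORTS and t0 <= ts(dt) <= t0 + SCAN_WINDOW}
        if len(ports) >= min_ports:
            reasons.append(f"{len(ports)} recon ports probed within {SCAN_WINDOW}")
        if reasons:
            findings.append({"user": user, "src": src, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(VPN_LOGINS, FIREWALL_DENIES):
        print(f["user"], f["src"], "; ".join(f["reasons"]))
```

The benign broadband login with no follow-on scanning produces no finding; the VPS-sourced login by the sync account trips all three rules.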
Threat actors searched for VM storage/backups to access sensitive data and domain credentials, though domain admin credentials were often obtained by other means before this extraction. They used sqlcmd and a novel PowerShell tool (supporting MSSQL and PostgreSQL) to extract and decrypt Veeam 11/12 credentials, retrieving DPAPI secrets and salts and temporarily altering the PostgreSQL config (with a dated comment) to permit loopback connections.
Attackers created local and domain admin accounts (e.g., sqlbackup, veean), added users to groups like "ESX Admins", and installed RMMs (AnyDesk, TeamViewer, RustDesk). To maintain persistence, attackers used SSH reverse tunnels and Cloudflare Tunnel (cloudflared) installed as a service, OpenSSH opened to 0.0.0.0, and scripted installers using Invoke-WebRequest/Start-BitsTransfer.
The researchers pointed out that the most crucial mitigation against this threat is to reset all SSL VPN credentials on SonicWall devices that have ever run firmware vulnerable to CVE-2024-40766, as well as Active Directory credentials on accounts used for SSL VPN access and LDAP synchronization. This highlights the importance of staying up-to-date with patches and best practices to prevent similar attacks in the future.
The discovery of Akira ransomware and its ability to bypass MFA on SonicWall SSL VPNs has significant implications for organizations that rely on these systems for security. It serves as a reminder of the ongoing threat posed by vulnerabilities in widely used security systems and the importance of maintaining robust cybersecurity measures.
Related Information:
https://www.ethicalhackingnews.com/articles/Akira-Ransomware-Bypasses-MFA-on-SonicWall-VPNs-A-New-Threat-to-Cybersecurity-ehn.shtml
https://securityaffairs.com/182732/cyber-crime/akira-ransomware-bypasses-mfa-on-sonicwall-vpns.html
Published: Tue Sep 30 02:04:01 2025 by llama3.2 3B Q4_K_M