Summary Points
- Since late July 2025, attackers have been deploying Akira ransomware in networks behind SonicWall firewalls; Arctic Wolf Labs links the campaign to CVE-2024-40766, with initial access through SSL VPN logins that succeed with stolen credentials even where multi-factor authentication is enabled.
- After the login the intruders move laterally within minutes, create new admin accounts, install remote management tools and disable security controls, then exfiltrate data and encrypt systems, in some cases within hours.
- Fully patched devices have also been compromised, which Arctic Wolf attributes to credentials harvested while the devices were still vulnerable; patching therefore does not protect an organization whose credentials were never rotated.
- Arctic Wolf advises resetting credentials immediately (SSL VPN and Active Directory accounts above all) and monitoring for suspicious VPN logins, particularly from VPS hosting providers, and for unusual SMB activity while the campaign continues.
Key Challenge
Since late July 2025, Arctic Wolf Labs has detected and reported a wave of intrusions against organizations that run SonicWall firewalls, ending in Akira ransomware. The campaign is tied to CVE-2024-40766, a known SonicWall vulnerability. Initial access is a login to the SonicWall SSL VPN with credentials harvested from devices while they were vulnerable; those logins get past multi-factor authentication (MFA) and succeed even on devices that have since been patched, because the credentials were never changed. Once inside, the attackers work quickly, in some cases encrypting data within hours: they create new admin accounts, disable security measures and exfiltrate sensitive data before deploying the ransomware. The short timeline, combined with the number of devices that were exposed while the vulnerability was unpatched, makes the campaign dangerous even to organizations that consider themselves up to date.
The account is based on Arctic Wolf Labs investigations, which describe how the attackers use the compromised credentials to get past MFA, then scan the network, escalate privileges and establish persistent access with tools such as remote management software and SSH tunnels. Their aim is to steal data and deploy ransomware as quickly as possible, which makes early detection critical. The VPN logins frequently originate from VPS hosting providers, which points to an opportunistic campaign, and the intruders combine the known vulnerability with hands-on tradecraft such as tampering with endpoint security. Arctic Wolf warns SonicWall customers to reset all VPN credentials urgently and to watch for unusual logins and SMB traffic, since patching alone does nothing about credentials that have already been stolen.
Security Implications
Since late July 2025, a surge of coordinated attacks has hit organizations using SonicWall firewalls, typically deploying Akira ransomware within hours of the initial breach. The threat actors exploit CVE-2024-40766 and gain initial access through SSL VPN logins, frequently from VPS hosting providers, using credentials harvested while the devices were vulnerable; this gets them past multi-factor authentication and works even against devices that are now fully patched. Once inside, they escalate privileges quickly, establish persistent remote access with remote management tools, disable defenses through kernel-level driver tampering, and exfiltrate sensitive data before encrypting critical systems. The campaign shows that patching is necessary but not sufficient: credentials must be reset and VPN activity watched closely, because a device that was exposed while unpatched remains a liability after the update. With the whole intrusion in some cases taking under an hour, the response window is minimal, so detection and containment have to be fast to prevent data loss and operational disruption.
Possible Actions
Threat actors logging into SonicWall SSL VPNs with stolen credentials and deploying Akira ransomware within hours is a direct threat to data integrity and operational continuity, and the short timeline means remediation has to be fast as well as thorough. The steps below reflect Arctic Wolf's advice on credential resets and monitoring together with standard incident-response practice.
Mitigation Steps
- Immediate credential reset: rotate all SSL VPN and Active Directory credentials now rather than after patching, since the campaign reuses credentials harvested while devices were vulnerable.
- Access control: limit SSL VPN and firewall administration to the accounts and source networks that need them, and review admin accounts for additions you cannot attribute.
- Patch and update: bring SonicWall firmware current so CVE-2024-40766 is closed, and treat any device that was exposed while unpatched as having leaked its credentials.
- Authentication: keep multi-factor authentication (MFA) on all VPN and management logins, but note that this campaign has succeeded against MFA-protected logins, so MFA is an additional layer and not a substitute for the credential reset.
- Login monitoring: alert on SSL VPN logins from VPS hosting providers, logins at unusual hours or from new locations, and account changes or SMB activity that follow a VPN session closely.
- Threat intelligence integration: feed the indicators and techniques published for this campaign, such as the Arctic Wolf Labs findings, into detection rules so emerging exploit techniques are caught early.
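The login monitoring the list above calls for can be written as a small correlation rule. The Python below is an added example and not code from Arctic Wolf or SonicWall: it parses constructed SonicWall-style key=value SSL VPN syslog lines and constructed Windows Security event summaries (4720 user created, 4728 and 4732 member added to a group), flags every successful VPN login from an address range the SOC has tagged as VPS hosting, and raises the severity to high when the same account creates a user or grants privileged group membership within 30 minutes of the login. The hosting ranges (RFC 5737 documentation networks), the 30-minute window, the field names and all log lines are assumptions made for the example.

```python
"""Correlate SSL VPN logins from hosting ranges with follow-on admin-account changes.

Added example. The log lines, field names and address ranges below are constructed
for illustration (RFC 5737 documentation ranges stand in for real VPS provider lists).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed: source ranges the SOC has tagged as VPS/hosting providers.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# A privileged-account change this soon after a VPN login is treated as hands-on-keyboard.
WINDOW = timedelta(minutes=30)

# Windows Security event IDs: 4720 user created, 4728/4732 member added to a group.
PRIV_GROUPS = {"Domain Admins", "Administrators"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_hosting_ip(ip):
    """True when the address falls in a range tagged as VPS/hosting."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def vpn_logins(lines):
    """Successful SSL VPN logins as (time, user, source_ip), in log order."""
    out = []
    for line in lines:
        f = parse_kv(line)
        if f.get("id") == "sslvpn" and f.get("msg") == "User login successful":
            out.append((parse_time(f["time"]), f["usr"].lower(), f["src"]))
    return out


def priv_changes(lines):
    """Account creations and privileged-group additions as (time, actor, target, action)."""
    out = []
    for line in lines:
        f = parse_kv(line)
        eid = f.get("EventID")
        if eid == "4720":
            out.append((parse_time(f["TimeCreated"]), f["SubjectUserName"].lower(),
                        f["TargetUserName"], "account created"))
        elif eid in ("4728", "4732") and f.get("TargetGroup") in PRIV_GROUPS:
            out.append((parse_time(f["TimeCreated"]), f["SubjectUserName"].lower(),
                        f["MemberName"], f"added to {f['TargetGroup']}"))
    return out


def correlate(vpn_lines, win_lines):
    """Alert on every VPN login from a hosting range; escalate to high severity when the
    same account creates a user or grants privileged membership within WINDOW of the login."""
    changes = priv_changes(win_lines)
    alerts = []
    for t, user, src in vpn_logins(vpn_lines):
        if not is_hosting_ip(src):
            continue
        followups = [c for c in changes if c[1] == user and t <= c[0] <= t + WINDOW]
        alerts.append({
            "user": user, "src": src, "login": t.isoformat(sep=" "),
            "severity": "high" if followups else "medium",
            "actions": [f"{c[3]}: {c[2]}" for c in followups],
        })
    return alerts


# Constructed sample logs: SonicWall-style key=value SSL VPN syslog ...
VPN_LOG = [
    'id=sslvpn time="2025-07-30 02:14:11" src=203.0.113.45 usr=jdoe msg="User login successful"',
    'id=sslvpn time="2025-07-30 02:15:02" src=203.0.113.45 usr=jdoe msg="User login failed"',
    'id=sslvpn time="2025-07-30 03:10:00" src=198.51.100.7 usr=bsmith msg="User login successful"',
    'id=sslvpn time="2025-07-30 08:03:52" src=192.0.2.10 usr=asmith msg="User login successful"',
]
# ... and Windows Security events flattened to key=value for the example.
WIN_LOG = [
    'EventID=4720 TimeCreated="2025-07-30 02:31:40" SubjectUserName=jdoe TargetUserName=svc_backup2',
    'EventID=4732 TimeCreated="2025-07-30 02:32:05" SubjectUserName=jdoe TargetGroup=Administrators MemberName=svc_backup2',
    'EventID=4720 TimeCreated="2025-07-30 14:00:00" SubjectUserName=hrsvc TargetUserName=newhire01',
]

if __name__ == "__main__":
    for alert in correlate(VPN_LOG, WIN_LOG):
        print(alert)
```

Run against the sample data, the rule produces a high-severity alert for jdoe (a hosting-range login followed 17 minutes later by a new account that is then added to Administrators) and a medium-severity alert for bsmith's hosting-range login with no follow-up; the corporate-range login is not flagged. In production the hosting ranges would come from ASN or threat-intelligence data rather than a static list, and the same correlation can be extended to SMB events such as admin share access following the VPN session.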
Remediation Steps
- Incident response activation: invoke the incident response plan at once, isolating the affected VPN path and hosts, since the attackers have encrypted environments within hours of the first login.
- Credential reset: reset every credential the compromised VPN account or device could have exposed, including Active Directory accounts, and review SSL VPN and domain logs for logins and account creations you cannot attribute.
- Malware and tooling removal: scan for the ransomware and remove the remote management tools, SSH tunnels and rogue admin accounts the intruders installed, and re-enable any endpoint protection they disabled.
- System restoration: restore affected systems and data from backups that are known to predate the intrusion and have been verified offline.
- Security policy review: review VPN exposure, credential rotation after any vulnerability window, and detection coverage for VPN and SMB activity, and close the gaps found so the intrusion cannot recur.