The Akira ransomware group exploited **CVE-2024-40766**, an improper access control flaw in **SonicWall SonicOS SSL VPN**, to breach organizations in under four hours. Attackers reused stolen credentials—harvested months prior from unpatched or improperly secured Gen 6-to-Gen 7 firewall upgrades—bypassing MFA via misconfigured **SSLVPN Default Users Group** settings and OTP manipulation. Once inside, they conducted lateral movement via **SMB (Impacket)**, **RDP**, and **Domain Controller compromise**, exfiltrating data using **WinRAR, rclone, and FileZilla** before deploying **Akira ransomware**. The attack disabled **EDR tools**, deleted **Shadow Copies**, and cleared **event logs**, crippling recovery efforts. Victims spanned multiple industries, with SonicWall’s cloud backup service also targeted separately. The breach highlights credential reuse risks, even on patched systems, and the speed of modern ransomware operations. Organizations were urged to reset **all SSL VPN/LDAP credentials** and monitor for **VPS logins, SMB anomalies, and unauthorized archival tools** to mitigate future intrusions.
Source: https://www.helpnetsecurity.com/2025/09/29/akira-ransomware-sonicwall-vpn/
TPRM report: https://www.rankiteo.com/company/sonicwall
{
"id": "son0492204092925",
"linkid": "sonicwall",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Multiple (opportunistic targeting)',
'location': 'Global',
'size': 'Varies (SMB to enterprise)',
'type': ['private organizations',
'public sector (potential)']}],
'attack_vector': ['exploitation of public-facing application (CVE-2024-40766)',
'valid accounts (stolen SSL VPN credentials)',
'misconfigured SonicWall SSLVPN Default Users Group',
'OTP MFA bypass via Virtual Office Portal'],
'customer_advisories': ['Organizations using SonicWall Gen 6/7 firewalls '
'should assume credential compromise if '
'CVE-2024-40766 was unpatched pre-August 2024',
'Monitor for signs of Akira ransomware (e.g., .akira '
'extensions, ransom notes)',
'Prepare for potential data breach notifications if '
'exfiltration occurred'],
'data_breach': {'data_encryption': 'Yes (Akira ransomware)',
'data_exfiltration': 'Yes (via rclone/FileZilla to '
'attacker-controlled VPS)',
'personally_identifiable_information': 'Likely (not '
'specified)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Sensitive corporate data',
'Potentially PII',
'Virtual machine storage',
'Backup data']},
'date_detected': 'July 2025',
'date_publicly_disclosed': '2025-07',
'description': 'Akira ransomware affiliates are exploiting stolen SonicWall '
'SSL VPN credentials (including CVE-2024-40766) to breach '
'organizations in under four hours. Attackers bypass MFA, '
'conduct lateral movement via SMB/RDP, exfiltrate data using '
'tools like WinRAR/rclone, and deploy Akira ransomware. '
'Initial access leverages credentials harvested months prior '
'from unpatched or misconfigured SonicWall devices. '
'Opportunistic attacks span multiple industries, with rapid '
'execution requiring urgent detection/response measures.',
'impact': {'brand_reputation_impact': 'High (public disclosure of breaches)',
'data_compromised': 'Yes (exfiltrated prior to encryption)',
'identity_theft_risk': 'Potential (PII likely exfiltrated)',
'operational_impact': ['system encryption',
'data exfiltration',
'disruption of backup/recovery processes'],
'systems_affected': ['Domain Controllers',
'virtual machine storage',
'backup systems',
'endpoints with RMM/EDR tools']},
'initial_access_broker': {'backdoors_established': ['Additional domain '
'accounts created',
'RMM tools installed',
'C2 channels established'],
'data_sold_on_dark_web': 'Likely (credentials '
'traded prior to attacks)',
'entry_point': ['SonicWall SSL VPN (via '
'CVE-2024-40766 or stolen '
'credentials)',
'Misconfigured SSLVPN Default Users '
'Group',
'Virtual Office Portal (OTP MFA '
'bypass)'],
'high_value_targets': ['Domain Controllers',
'Virtual machine storage',
'Backup systems'],
'reconnaissance_period': 'Months (credentials '
'harvested in prior '
'intrusions)'},
'investigation_status': 'Ongoing (active attacks observed as of July 2025)',
'lessons_learned': ['Credential rotation is critical even after patching '
'(attackers reuse old credentials)',
'MFA bypass techniques (e.g., Virtual Office Portal '
'abuse) require additional controls',
'Rapid attack timelines (<4 hours) necessitate real-time '
'detection capabilities',
'Default configurations (e.g., SSLVPN Default Users '
'Group) can introduce risk',
'LDAP-synchronized accounts require strict access '
'reviews'],
'motivation': ['financial gain (ransomware)', 'data theft (double extortion)'],
'post_incident_analysis': {'corrective_actions': ['Mandate credential '
'rotation after critical '
'vulnerability patches',
'Audit all LDAP group '
'mappings to sensitive '
'services',
'Implement behavioral '
'detection for '
'Impacket/rclone usage',
'Segment networks to limit '
'Domain Controller exposure',
'Deploy application control '
'to block unauthorized '
'remote tools'],
'root_causes': ['Failure to rotate credentials '
'after patching CVE-2024-40766',
'Overprivileged LDAP-synchronized '
'accounts in SSLVPN Default Users '
'Group',
'Lack of MFA resilience (OTP '
'bypass via Virtual Office Portal)',
'Insufficient monitoring for rapid '
'attack patterns (<4 hours)',
'Default configurations enabling '
'lateral movement (SMB/RDP)']},
'ransomware': {'data_encryption': 'Yes (AES + RSA hybrid)',
'data_exfiltration': 'Yes (double extortion)',
'ransomware_strain': 'Akira'},
'recommendations': [{'category': 'Prevention',
'items': ['Reset all SonicWall credentials (SSL VPN, OTP '
'secrets, LDAP sync accounts)',
'Patch CVE-2024-40766 immediately if unpatched',
'Disable Virtual Office Portal if unused',
'Review SSLVPN Default Users Group '
'configuration',
'Implement network segmentation to limit '
'lateral movement']},
{'category': 'Detection',
'items': ['Monitor for logins from VPS hosting providers',
'Alert on anomalous SMB/LDAP activity '
'(Impacket usage)',
'Track execution of archival tools (WinRAR) in '
'unusual locations',
'Detect rclone/FileZilla usage on servers',
'Monitor for unauthorized RMM/EDR tool '
'disablement']},
{'category': 'Response',
'items': ['Isolate compromised SonicWall devices '
'immediately',
'Assume total credential compromise; rotate '
'all passwords/secrets',
'Engage incident response team within <4 hours '
'of detection',
'Preserve logs (attackers clear event logs)',
'Notify law enforcement if ransomware '
'deployed']}],
'references': [{'date_accessed': '2025-07', 'source': 'Arctic Wolf Research'},
{'date_accessed': '2025-07', 'source': 'Rapid7 Analysis'},
{'date_accessed': '2024-08',
'source': 'SonicWall Security Advisory (CVE-2024-40766)'}],
'regulatory_compliance': {'regulatory_notifications': 'Recommended (if PII '
'breached)'},
'response': {'containment_measures': ['Reset all SonicWall credentials (SSL '
'VPN, OTP MFA secrets, LDAP sync '
'accounts)',
'Block logins from VPS hosting '
'providers',
'Disable Virtual Office Portal if '
'unused'],
'enhanced_monitoring': ['Anomalous SMB activity (Impacket)',
'LDAP discovery activity',
'Execution of network scanning/archival '
'tools (WinRAR, rclone)',
'Logins from VPS providers'],
'incident_response_plan_activated': 'Recommended (not specified '
'per victim)',
'network_segmentation': 'Recommended',
'recovery_measures': ['Restore from offline backups (if '
'available)',
'Rebuild Domain Controllers',
'Reimage compromised systems'],
'remediation_measures': ['Patch CVE-2024-40766 (if unpatched)',
'Rotate all credentials with SSL VPN '
'access',
'Review LDAP group mappings',
'Implement network segmentation'],
'third_party_assistance': ['Arctic Wolf (research)',
'Rapid7 (research)']},
'stakeholder_advisories': ['Reset all SonicWall credentials (including '
'LDAP-synchronized accounts)',
'Review MFA configurations for OTP vulnerabilities',
'Audit SSL VPN access logs for anomalous activity'],
'threat_actor': {'attribution_confidence': 'High',
'motivation': ['financial gain', 'opportunistic'],
'name': 'Akira ransomware affiliates',
'sophistication_level': 'Moderate to High'},
'title': 'Akira Ransomware Attacks Exploiting SonicWall SSL VPN Vulnerability '
'(CVE-2024-40766)',
'type': ['ransomware', 'data breach', 'credential abuse', 'lateral movement'],
'vulnerability_exploited': [{'cve_id': 'CVE-2024-40766',
'description': 'Improper access control flaw in '
'SonicWall SonicOS management '
'access and SSL VPN',
'exploitability': 'High (active exploitation '
'observed)',
'patch_available': 'Yes (August 2024)'},
{'description': 'Misconfiguration in SonicWall '
'SSLVPN Default Users Group '
'(auto-adds LDAP users to '
'privileged local group)',
'exploitability': 'High',
'patch_available': 'No (configuration issue)'}]}