Akira Ransomware’s Targeted Attack on SonicWall VPNs


Between July and October 2025, Akira ransomware operators launched a targeted and widespread campaign exploiting SonicWall SSL VPN infrastructure across multiple sectors and regions. Initial compromise leveraged CVE-2024-40766, an improperly patched vulnerability in SonicOS, alongside credential abuse and misconfiguration exploitation. Akira, known for Ransomware-as-a-Service (RaaS) operations and double extortion, utilized sophisticated lateral movement, credential access, and exfiltration techniques. Notably, threat actors exhibited deep knowledge of internal infrastructure, suggesting pre-acquired credentials and automation.

Severity: High

THREAT DETAILS

1. Initial Access

  • Primary vector: Exploitation of CVE-2024-40766, an improper access control flaw in SonicOS (Gen 5, 6, 7).
  • Secondary vector: Abuse of stolen or exposed credentials, especially from cloud backup file leaks tied to SonicWall’s MySonicWall platform.
  • Devices remained vulnerable even after patching if credentials were not reset, because of weaknesses in their configuration and MFA setup.

2. Reconnaissance & Lateral Movement

  • Network scanning was observed using Advanced IP Scanner and SoftPerfect.
  • Lateral movement was achieved through WinRM (Ruby WinRM client), RDP using LDAP credentials, and SSH sessions to ESXi hypervisors.

3. Credential Access Techniques

  • Use of Kerberoasting, Pass-the-Hash, and notably:
    • “UnPAC the hash” leveraging PKINIT and User-to-User (U2U) Kerberos authentication to extract NTLM hashes.

4. Command and Control (C2) Infrastructure

  • Using the user agent “Wget”, suspicious payloads were retrieved from:
    • 137.184.243[.]69
    • hxxp://85.239.52[.]96:8000/vmwarecli
    • hxxp://137.184.126[.]86:8080/vmwaretools

5. Data Exfiltration

  • Approximately 2 GB of data was exfiltrated in one of the observed incidents. Data was sent via SSH to:
    • 66.165.243[.]39, 107.155.69[.]42, 107.155.93[.]154
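As an added example (not part of the advisory), the following Python sketch shows how a defender could refang the indicators listed in sections 4 and 5 and triage firewall or proxy log lines for them: a contact with a listed payload host, a Wget user agent fetching from an unlisted host, or an outbound SSH session to a listed exfiltration host. The key=value log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the advisory (defanged form).
C2_IOCS = [
    "137.184.243[.]69",
    "hxxp://85.239.52[.]96:8000/vmwarecli",
    "hxxp://137.184.126[.]86:8080/vmwaretools",
]
EXFIL_IOCS = ["66.165.243[.]39", "107.155.69[.]42", "107.155.93[.]154"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form seen in real logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

def ioc_host(ioc: str) -> str:
    """Return the host part of an indicator, whether it is a bare IP or a URL."""
    value = refang(ioc)
    return urlparse(value).hostname if "://" in value else value

C2_HOSTS = {ioc_host(i) for i in C2_IOCS}
EXFIL_HOSTS = {ioc_host(i) for i in EXFIL_IOCS}

# Constructed key=value log format: values may be quoted or bare.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}

def triage(line: str):
    """Return an alert string for a line matching the advisory's tradecraft, else None."""
    f = parse_line(line)
    dst, ua, port = f.get("dst"), f.get("ua", ""), f.get("dport")
    if dst in C2_HOSTS:
        return f"C2 contact to known Akira payload host {dst} (ua={ua!r})"
    if ua.lower().startswith("wget"):
        return f"Wget user agent fetching {f.get('url')} from {dst}: review"
    if dst in EXFIL_HOSTS and port == "22":
        return f"SSH session to known exfiltration host {dst} ({f.get('bytes', '?')} bytes out)"
    return None

# Constructed sample log lines (10.x and 192.0.2.x addresses are placeholders).
SAMPLE_LOGS = [
    'src=10.20.5.14 dst=137.184.126.86 dport=8080 ua="Wget/1.21.4" url="http://137.184.126.86:8080/vmwaretools"',
    'src=10.20.5.14 dst=192.0.2.10 dport=443 ua="Mozilla/5.0" url="https://192.0.2.10/"',
    'src=10.20.7.2 dst=107.155.69.42 dport=22 bytes=2147483648',
    'src=10.20.7.2 dst=10.20.1.5 dport=22 bytes=4096',
]

def run(lines):
    """Triage every line and keep only the alerts."""
    return [a for a in (triage(l) for l in lines) if a]
```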

6. Ransomware Deployment

  • Windows and Linux variants of Akira ransomware deployed.
  • Double extortion tactic: Encryption + threat to leak data if ransom unpaid.

7. Victimology

  • Impacted organizations spanned the globe, with most victims observed in North America, Latin America, Europe and Asia-Pacific.
  • Organizations across multiple sectors were affected, most notably manufacturing, education, and healthcare.

RECOMMENDATIONS

  1. Apply latest firmware updates and hotfixes to all SonicWall SSL VPN appliances.
  2. Reset all credentials and secrets on potentially compromised devices: Local admin accounts, VPN pre-shared keys (PSKs), LDAP/RADIUS/TACACS+ bind credentials, Wireless PSKs, SNMP community strings, API tokens, SMTP/FTP credentials, DDNS secrets.
  3. Audit and remove stale or unused user accounts, especially with elevated privileges.
  4. Mandate MFA for all remote access, including: SonicWall SSL VPN, web admin interfaces, all privileged accounts.
  5. Restrict or disable remote WAN management interfaces, including HTTP, HTTPS, SSH, SSL VPN, SNMP.
  6. Block internal access to sensitive ports (e.g., 88/Kerberos, 3389/RDP, 49339/DCE-RPC) from unauthorized sources.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/16f4fb1acdb801918e41f3dfff253e2c456f4f9a952b0d5edc8424457131fad6/iocs

Source:


Ampcus Cyber