Akira hacks SonicWall VPN accounts (even those with MFA protection)

Security (Pexels, general use)

If you use SonicWall VPN to access your IT networks, beware. There are reports that the ransomware group Akira is attacking SonicWall VPN accounts. And the group is apparently able to crack accounts that are secured with multi-factor authentication (MFA) under certain conditions.

Attacks on SonicWall SSL VPNs

At the end of July 2025, security researchers at Arctic Wolf observed sustained and increasing activity by the Akira ransomware group. They targeted SonicWall firewalls and the corresponding accounts via SSL VPN login requests. Malicious logins were followed within minutes by port scans, Impacket SMB activity, and the rapid deployment of the Akira ransomware on the affected systems.
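The sequence described above (VPN login, then port scan and SMB activity from the same tunnel address within minutes) is what a defender can correlate on. The following is an added example, not code from Arctic Wolf, SonicWall or this blog: it assumes that firewall, VPN and endpoint logs have already been normalized into a simple event schema (the field names, the 15-minute window and the scan threshold are my assumptions, and the event data is constructed) and flags any VPN login whose assigned address performs a port scan or opens an administrative SMB share shortly after authenticating.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalized schema. This is NOT
# SonicWall's native log format; a real pipeline would first map firewall,
# VPN and endpoint logs into a shape like this. Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2025-09-20T02:14:05", "type": "vpn_login", "user": "jdoe",
     "src": "203.0.113.45", "assigned_ip": "10.10.5.21"},
    {"ts": "2025-09-20T02:17:40", "type": "port_scan", "src": "10.10.5.21",
     "targets": 180},
    {"ts": "2025-09-20T02:19:02", "type": "smb_session", "src": "10.10.5.21",
     "dst": "10.10.1.10", "share": "ADMIN$"},
    {"ts": "2025-09-20T08:30:00", "type": "vpn_login", "user": "asmith",
     "src": "198.51.100.7", "assigned_ip": "10.10.5.22"},
    {"ts": "2025-09-20T08:45:00", "type": "smb_session", "src": "10.10.5.22",
     "dst": "10.10.1.10", "share": "Projects"},
]

# Administrative shares are what Impacket-style remote execution touches;
# a session to one of them right after a fresh VPN login is a strong signal.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_smash_and_grab(events, window_minutes=15, scan_threshold=50):
    """Correlate each VPN login with follow-on activity from its tunnel IP.

    Returns one alert per login whose assigned address performs a port scan
    (>= scan_threshold targets) or opens an administrative SMB share within
    window_minutes after authenticating. Ordinary file-share access is not
    flagged, so the asmith login in the sample data produces no alert.
    """
    ordered = sorted(events, key=_ts)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for i, login in enumerate(ordered):
        if login["type"] != "vpn_login":
            continue
        login_ts = _ts(login)
        end = login_ts + window
        tunnel_ip = login["assigned_ip"]
        indicators = []
        first_hit = None
        for ev in ordered[i + 1:]:
            if _ts(ev) > end:
                break  # events are sorted, nothing later can be in the window
            if ev.get("src") != tunnel_ip:
                continue
            hit = None
            if ev["type"] == "port_scan" and ev.get("targets", 0) >= scan_threshold:
                hit = "port_scan"
            elif ev["type"] == "smb_session" and ev.get("share") in ADMIN_SHARES:
                hit = f"admin_share:{ev['dst']}:{ev['share']}"
            if hit:
                indicators.append(hit)
                if first_hit is None:
                    first_hit = _ts(ev)
        if indicators:
            alerts.append({
                "user": login["user"],
                "external_src": login["src"],
                "tunnel_ip": tunnel_ip,
                "login_ts": login["ts"],
                "seconds_to_first_indicator": int((first_hit - login_ts).total_seconds()),
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_smash_and_grab(EVENTS):
        print(alert)
```

The key design choice is to pivot on the address the VPN assigns to the session rather than on the external login source, because that is the address the post-login scanning and SMB traffic carries. Tuning the window and the scan threshold to your own baseline is what keeps routine admin work from paging anyone.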

The victims came from various industries and companies of different sizes, which suggests opportunistic mass exploitation. In August 2025, I reported on attacks on SonicWall firewalls (SSL VPNs) in general in my blog post Warning of attacks on SonicWall firewalls (SSL VPNs). At that time, it was unclear whether there was a vulnerability behind it.

Recently, a bug was discovered in SonicWall's MySonicWall cloud backup service that allowed customer configuration backups to be viewed publicly. I reported on this in my post MySonicWall Cloud Backup File Incident: Configuration backup disclosed. Customer data had been leaked, and the backups also contained account login details.

This campaign by Akira, which targets SonicWall VPN accounts, has recently intensified, with new related infrastructure observed as recently as September 20, 2025. Arctic Wolf published its findings on September 26, 2025, in an article titled Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less (Bleeping Computer picked up on it here).

Old vulnerability CVE-2024-40766

SonicWall links the malicious logins observed in this campaign to CVE-2024-40766. This vulnerability was made public a year ago; it is an improper access control flaw that can lead to unauthorized access to resources and, under certain circumstances, cause the firewall to crash. The issue affects SonicWall Generation 5 and 6 devices, as well as Generation 7 devices running SonicOS 7.0.1-5035 and earlier versions. A security update has been available since that time.

Arctic Wolf suspects that login credentials were stolen from devices while they were still vulnerable to CVE-2024-40766 and later reused by the attackers – even on devices that had since been patched. This would explain why the attackers behind the current Akira ransomware campaign managed to successfully authenticate on accounts with MFA enabled for one-time passwords (OTP).

The security experts at Arctic Wolf have comprehensively described their findings on the course of an attack and its spread across the network in the article Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less. The article also contains indicators of compromise (IoCs) and advice on what administrators of a SonicWall firewall should do to secure their systems.

Similar articles:
SonicWall SMA 100 firmware update to remove rootkits
Warning of attacks on SonicWall firewalls (SSL VPNs)
Early termination of support for SonicWall SMA100
MySonicWall Cloud Backup File Incident: Configuration backup disclosed
