Cybersecurity Threat Advisory: SonicWall VPNs targeted by Akira ransomware


Akira ransomware operators have launched an aggressive campaign targeting SonicWall VPN appliances. Attackers have already successfully breached accounts protected by multi-factor authentication (MFA), leveraging vulnerabilities in SonicWall Secure Mobile Access (SMA) and SSL-VPN portals. The campaign is characterized by rapid post-compromise activity, including data exfiltration and encryption for double extortion. Learn how to protect your environment from this new targeted campaign in this issue of Cybersecurity Threat Advisory.

What is the threat?

Akira ransomware threat actors are exploiting weaknesses in SonicWall VPN authentication workflows to bypass MFA protections. Once access is gained, attackers quickly perform discovery, stage data for exfiltration, and deploy ransomware payloads. This threat affects organizations using SonicWall SMA and Gen 7 firewalls with SSL-VPN enabled, exposing internal networks to remote compromise.

Why is it noteworthy?

This campaign is especially concerning because it undermines trust in MFA at the remote-access perimeter and significantly compresses defenders’ detection and response windows. Public reports confirm successful SonicWall VPN logins even with MFA enabled, compromising a core security control and posing a major risk to organizations using SonicWall Secure Mobile Access (SMA) / SSL‑VPN.

Attackers operate with a “smash‑and‑grab” tempo, rapidly transitioning from VPN access to internal reconnaissance, staging, and encryption—leaving minimal time for containment. Their use of double extortion, which involves stealing data before encrypting it, increases legal, regulatory, and reputational pressure, even when recovery is possible. Since the initial access bypasses MFA, threat detection becomes more difficult; alerts may only trigger during lateral movement or data exfiltration.

Notably, some incidents have occurred in environments believed to be fully patched and properly configured, suggesting deeper workflow vulnerabilities or emerging threat vectors. Additionally, edge compromises can propagate through third-party or MSP-managed environments, amplifying downstream risk across multiple tenants or sites.

What is the exposure or risk?

Organizations using SonicWall VPNs face serious risks, including remote compromise, data exfiltration, and ransomware deployment. Attackers can gain unauthorized access to internal networks via exposed VPN portals, bypass MFA protections through authentication flaws, and carry out data theft and encryption as part of a double extortion strategy. These actions can lead to significant operational disruption and reputational damage.

Affected products and versions include:

  • SonicWall SMA/SSL VPN portals: Multiple vendor-specific versions exposed to the internet, including deployments with MFA enabled.
  • SonicOS/Gen 7 firewalls with SSL VPN enabled: Multiple versions depending on firmware and configuration.

What are the recommendations?

Barracuda recommends the following actions to mitigate the threat:

  1. Enforce patch and credential hygiene:
    • Upgrade SonicWall SMA/SSL‑VPN and SonicOS to the latest supported versions. Review PSIRT guidance for CVE‑2024‑40766.
    • Reset all SSL‑VPN credentials (local and directory-synced) on devices that previously ran vulnerable firmware.
    • Rotate/reseed OTP/MFA secrets to neutralize harvested credentials or OTP seeds.
  2. Strengthen authentication posture:
    • Implement hardware keys or TOTP with number matching. Avoid push-only prompts.
    • Monitor for unusual OTP prompts and harden identity architecture.
    • Shift VPN authentication to external identity providers (SSO/SAML) and disable local accounts.
  3. Reduce VPN exposure:
    • Restrict access to business-relevant regions with geo-blocking & IP allow lists.
    • Block anonymization sources to prevent logins from VPS/anonymization ASNs (common in Akira playbook).
    • Rate-limit and lock out repeated failed login attempts, and enforce device posture checks (OS version, patch level, EDR presence) before a session is established.
    • If compromise is suspected, disable SSL-VPN temporarily until credentials and OTP secrets are rotated and controls are verified.
  4. Monitoring, detection, and threat hunting (first-hour focus):
    • Alert on SSL‑VPN logins from hosting providers/privacy VPNs and on repeated OTP challenges followed by a successful login.
    • Look for port scanning, impacket SMB session-setup patterns, and rapid AD enumeration (e.g., nltest, dsquery, PowerShell AD cmdlets).
    • Monitor RMM tools (AnyDesk, TeamViewer, RustDesk) and archiving/exfiltration utilities (WinRAR, rclone).
  5. Limit lateral movement and harden EDR:
    • Segment the network, isolate VPN-reachable subnets, and enforce least privilege.
    • Keep backups separate from user VLANs.
    • Enable tamper protection and block known vulnerable drivers (BYOVD). Akira affiliates have used BYOVD (e.g., via consent.exe sideloading).
  6. Ensure backup & recovery readiness:
    • Secure backup infrastructure by rotating stored credentials/secrets, enforcing MFA, and isolating console access.
    • Ensure immutable/offline backups are in place and conduct regular restore exercises to meet RTO/RPO targets.
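The two detection patterns from step 4, as an added example that is not part of the original advisory and is not Barracuda's or SonicWall's code. The log schema, the ASN classification table and the sample events are all constructed for illustration (SonicWall's real syslog format differs, and a real hunt would query an ASN/GeoIP database).

```python
# Added example (not Barracuda's or SonicWall's code): hunt constructed SSL-VPN
# auth events for the two patterns in step 4. Log schema is simplified, not real.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ASN classification; a real hunt would query a GeoIP/ASN database.
ASN_CATEGORY = {"203.0.113.10": "hosting", "198.51.100.7": "residential",
                "192.0.2.55": "hosting"}
# Constructed sample events (RFC 5737 documentation addresses), in time order.
SAMPLE_LOG = """\
time="2025-08-01 02:10:01" event=otp_challenge user=jdoe src=203.0.113.10
time="2025-08-01 02:10:20" event=otp_challenge user=jdoe src=203.0.113.10
time="2025-08-01 02:10:41" event=otp_challenge user=jdoe src=203.0.113.10
time="2025-08-01 02:11:02" event=login_success user=jdoe src=203.0.113.10
time="2025-08-01 08:30:00" event=otp_challenge user=asmith src=198.51.100.7
time="2025-08-01 08:30:15" event=login_success user=asmith src=198.51.100.7
time="2025-08-01 09:00:00" event=login_success user=bliu src=192.0.2.55
"""
LINE_RE = re.compile(r'time="([^"]+)" event=(\w+) user=(\S+) src=(\S+)')

def parse(log_text):
    """Return (timestamp, event, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def hunt(events, window=timedelta(minutes=5), min_challenges=3):
    """Return (user, src, reason) alerts for successes that match either pattern."""
    alerts = []
    challenges = defaultdict(list)  # user -> timestamps of OTP challenges seen
    for ts, event, user, src in events:
        if event == "otp_challenge":
            challenges[user].append(ts)
        elif event == "login_success":
            if ASN_CATEGORY.get(src) == "hosting":
                alerts.append((user, src, "login from hosting/anonymization ASN"))
            recent = [t for t in challenges[user] if ts - t <= window]
            if len(recent) >= min_challenges:
                alerts.append((user, src, f"{len(recent)} OTP challenges before success"))
            challenges[user].clear()  # a success ends the challenge burst
    return alerts

if __name__ == "__main__":
    for alert in hunt(parse(SAMPLE_LOG)):
        print(alert)
```

Running it flags jdoe twice (hosting-provider source and three OTP challenges within five minutes of the success) and bliu once (hosting-provider source), while asmith's single challenge from a residential address produces nothing.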

If indicators of compromise are present, take the following actions immediately:

    • Expire all VPN sessions, isolate affected hosts, rotate passwords and OTP seeds, and block client IPs/ASNs observed in intrusions.
    • Disable newly created admin accounts, review last 30 days of VPN and AD logs, and triage for signs of data staging or exfiltration.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
