Ongoing Akira ransomware attacks bypass MFA on patched SonicWall VPN devices

The Akira ransomware operation continues to evolve its tactics in a campaign targeting SonicWall SSL VPN devices, successfully breaching networks even where one-time password (OTP) multi-factor authentication (MFA) is enabled.

Researchers at cybersecurity firm Arctic Wolf have observed multiple successful login attempts despite OTP challenges being issued, suggesting that the attackers may be leveraging previously stolen OTP seeds or exploiting another unknown mechanism to generate valid authentication tokens.

The attacks follow earlier reports from July warning that Akira actors were exploiting SonicWall devices, initially suspected to be through a zero-day vulnerability. SonicWall later linked the activity to CVE-2024-40766, an improper access control flaw disclosed in September 2024.

Now Arctic Wolf reports that attackers are still breaching networks using credentials likely harvested before the patch. In these cases, MFA protection has proven ineffective.

“Threat actors obtained initial access through malicious SSL VPN logins with successful OTP Multi-Factor Authentication (MFA) challenge, and deployed Akira ransomware,” the company noted in its report. “Early in the kill chain, anomalous SMB activity was observed, pointing to the use of Impacket for discovery and lateral movement.”

A report from Google’s Threat Intelligence Group (GTIG) described similar intrusions by a financially motivated group tracked as UNC6148. The actors reportedly deployed the OVERSTEP rootkit on SonicWall SMA 100 appliances, exploiting previously stolen OTP seeds to maintain access even after security patches were applied. Following the report, SonicWall released a firmware update designed to help customers detect and remove rootkit malware found on its SMA 100 series devices.

Once inside targeted networks, Akira ransomware affiliates moved quickly, scanning internal systems within five minutes of entry. The attackers utilized tools such as BloodHound, SharpShares, and Impacket to map network resources and escalate privileges. They also targeted Veeam Backup & Replication servers, extracting encrypted database credentials using a custom PowerShell script.

To evade detection, the attackers employed a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique, using Microsoft’s legitimate consent.exe to sideload malicious DLLs and load vulnerable drivers like rwdrv.sys and churchill_driver.sys. The drivers were used to disable endpoint protection, clearing the way for ransomware deployment.

Security researchers warn that even systems running the latest SonicOS 7.3.0 firmware have been impacted.

Earlier this month, SonicWall warned that threat actors breached its MySonicWall cloud backup service for firewalls and accessed encrypted backup firewall preference files stored in the cloud. It’s currently unclear if this incident and the Akira ransomware attacks are connected.

Either way, organizations using SonicWall SSL VPN devices are strongly advised to reset all credentials, reconfigure OTP secrets, and continuously monitor for suspicious activity, even on fully patched systems.
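The reason a firmware patch alone does not help against stolen OTP seeds, and why re-enrolling the secrets is the step that matters, can be shown with a plain RFC 6238 TOTP implementation. This is an added illustration, not code from the article, Arctic Wolf, or SonicWall; the seed is the RFC 4226/6238 test-vector value, and the verifier class stands in for the appliance's OTP check.

```python
# Added example (not from the article): RFC 6238 TOTP in plain Python, showing
# that an OTP seed copied before patching still yields valid codes afterwards,
# and that only rotating the seed on the server invalidates the stolen copy.
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class VpnOtpVerifier:
    """Server side: stores the per-user seed and checks submitted codes.
    A firmware patch leaves this seed untouched; rotate_seed() does not."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window  # tolerate +/- this many 30 s steps of clock drift

    def verify(self, code: str, unix_time: int) -> bool:
        return any(hmac.compare_digest(totp(self.seed, unix_time + 30 * d), code)
                   for d in range(-self.window, self.window + 1))

    def rotate_seed(self) -> bytes:
        self.seed = secrets.token_bytes(20)  # fresh enrolment, as the advisory recommends
        return self.seed


def stolen_seed_scenario() -> dict:
    """Constructed scenario: seed copied pre-patch, checked post-patch and post-rotation."""
    seed = b"12345678901234567890"  # RFC test-vector seed standing in for a real enrolment
    pre_patch_copy = seed            # the copy taken before the appliance was patched
    server = VpnOtpVerifier(seed)    # "patching" changes firmware, not this seed
    t = 59                           # RFC 6238 vector time step 1
    code_from_old_seed = totp(pre_patch_copy, t)
    accepted_after_patch = server.verify(code_from_old_seed, t)
    server.rotate_seed()             # the remediation step from the article
    accepted_after_rotation = server.verify(totp(pre_patch_copy, t), t)
    return {"code_from_old_seed": code_from_old_seed,
            "accepted_after_patch": accepted_after_patch,
            "accepted_after_rotation": accepted_after_rotation}
```

Run `stolen_seed_scenario()` to see the same code accepted before rotation and rejected after it; the intermediate values match the published RFC test vectors.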