Akira Ransomware Campaign Against SonicWall Devices Bypasses MFA Protections

Experts from Arctic Wolf warn that the Akira ransomware group continues to refine its attacks on SonicWall SSL VPN devices. Alarmingly, hackers are successfully logging into accounts even when multi-factor authentication (MFA) with one-time passwords (OTP) is enabled. Researchers suspect that previously stolen OTP seed keys may be in use, though the exact technique remains unconfirmed.
Background: Earlier Warnings and SonicWall’s Response
In July 2025, Arctic Wolf first reported Akira-related attacks, suggesting that the criminals may have been exploiting a zero-day vulnerability in SonicWall’s 7th-generation firewalls.
Shortly afterward, Huntress confirmed the activity, publishing indicators of compromise (IOCs) from its own investigations. At that time, experts advised administrators to temporarily disable SonicWall SSL VPN services due to the likelihood of an active exploit.
SonicWall later attributed the attacks to exploitation of an older vulnerability—CVE-2024-40766—an access control flaw patched in August 2024. The company stressed that many affected users had not applied the fix. Even after patches were installed, however, attackers continued to use stolen credentials from previously compromised devices. SonicWall urged administrators to update to the latest SonicOS release and reset credentials.

New Findings: MFA Bypassed
Arctic Wolf’s latest report indicates that the campaign is ongoing and that attackers are authenticating to accounts despite MFA with OTP enabled.
According to the researchers, multiple OTP verification attempts were observed before successful logins—evidence that attackers may have obtained OTP seed keys or discovered another method for generating valid tokens.
“SonicWall attributes the malicious logins observed in this campaign to CVE-2024-40766,” Arctic Wolf notes. “From this perspective, credentials could have been collected from devices vulnerable to CVE-2024-40766 and later used by the attackers, even if those devices had already been patched. However, in the current campaign, the attackers are successfully authenticating to accounts with MFA using one-time passwords enabled.”
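One way for defenders to surface the pattern the researchers describe (a burst of OTP failures shortly before a successful login on the same account) in VPN authentication logs. This is an added example, not code from Arctic Wolf or SonicWall; the log lines and field names are constructed for illustration and do not follow any real SonicWall syslog format.

```python
"""Flag successful SSL VPN logins preceded by repeated OTP failures
for the same account within a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real SonicWall format): time, account, source, event
SAMPLE_LOG = """\
2025-09-01T08:00:01Z user=jdoe src=203.0.113.10 event=otp_failed
2025-09-01T08:00:09Z user=jdoe src=203.0.113.10 event=otp_failed
2025-09-01T08:00:15Z user=jdoe src=203.0.113.10 event=otp_failed
2025-09-01T08:00:22Z user=jdoe src=203.0.113.10 event=login_success
2025-09-01T09:10:00Z user=asmith src=198.51.100.7 event=otp_failed
2025-09-01T09:45:00Z user=asmith src=198.51.100.7 event=login_success
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_otp_burst_logins(log_text, min_failures=2, window=timedelta(minutes=5)):
    """Return (user, src, failure_count, success_ts) for every successful
    login that follows at least min_failures OTP failures by the same
    user inside the sliding window. A lone stale failure is ignored."""
    recent = defaultdict(deque)  # user -> timestamps of recent OTP failures
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0] > window:  # expire old failures
            q.popleft()
        if rec["event"] == "otp_failed":
            q.append(rec["ts"])
        elif rec["event"] == "login_success":
            if len(q) >= min_failures:
                hits.append((rec["user"], rec["src"], len(q), rec["ts"]))
            q.clear()  # a success resets the account's failure history
    return hits


if __name__ == "__main__":
    for user, src, n, ts in find_otp_burst_logins(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {user} from {src}: {n} OTP failures before success")
```

In the sample, jdoe is flagged (three failures in 21 seconds before success) while asmith is not, because the single failure falls outside the window.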
Post-Exploitation Activity
Once inside a network, Akira operators moved quickly:
- Scanning began within five minutes.
- Attackers used Impacket SMB requests to establish sessions.
- They logged in via RDP and enumerated Active Directory objects with tools such as dsquery, SharpShares, and BloodHound.
They also targeted Veeam Backup & Replication servers, deploying a custom PowerShell script to extract and decrypt stored MSSQL and PostgreSQL credentials, including DPAPI secrets.
To evade defenses, the hackers used a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique. They abused Microsoft’s legitimate consent.exe executable to load malicious DLLs and vulnerable drivers (rwdrv.sys, churchill_driver.sys), which were then used to disable security processes.
Notably, some of the affected devices were running SonicOS 7.3.0—the very version SonicWall recommends to reduce the risk of credential-based compromise.
Wider Context and Similar Cases
The precise method of MFA bypass remains unclear. However, a July report by Google’s Threat Intelligence Group (GTIG) described a similar campaign in which the UNC6148 group abused SonicWall VPN services. In that case, attackers deployed the OVERSTEP rootkit on SMA 100 series devices and allegedly relied on previously stolen OTP seed keys to maintain access—even after patches were applied.
Google suggested those seed keys had been harvested in earlier zero-day attacks, though it did not identify the specific CVE exploited.
Key Takeaway
The Akira campaign highlights a troubling trend: ransomware operators are finding ways to defeat MFA protections on widely used enterprise devices. Even patched systems remain at risk if credentials or seed keys were previously compromised. Security teams should assume persistence mechanisms may exist and enforce credential resets, log monitoring, and layered defenses beyond patching alone.