Akira's MFA Bypass Trick Used On SonicWall VPNs

In recent months, cybersecurity researchers have raised concerns about a sophisticated and rapidly evolving Akira ransomware campaign targeting SonicWall SSL VPN appliances. The attackers have demonstrated an unsettling ability to bypass one-time password multifactor authentication (MFA), move laterally through compromised networks in minutes, and deploy ransomware in less than four hours.

The campaign underscores how even well-protected environments remain vulnerable when threat actors combine credential misuse, exploit techniques, and deep knowledge of corporate networks.

Arctic Wolf Labs first detected the surge in late July 2025, when they observed suspicious login activity on SonicWall SSL VPNs followed almost immediately by internal network scanning and ransomware deployment. Those initial intrusions spanned multiple industry sectors and organization sizes, suggesting that the campaign is opportunistic and broad in scope.

Meanwhile, BleepingComputer reported that the threat actors were successfully accessing VPN accounts even when one-time password (OTP) MFA was enabled. Although the exact method remains uncertain, researchers suspect that attackers have obtained stolen OTP seeds or otherwise compromised the MFA flow.

SonicWall linked many of the malicious logins to the improper access control vulnerability CVE-2024-40766. That flaw, disclosed in September 2024 and patched in August 2024, allowed attackers to acquire credentials on vulnerable systems. Patching alone did not stop the attackers: they appeared able to keep using previously harvested credentials to log in to updated systems.

Further, Google's Threat Intelligence Group reported a related campaign targeting the SMA (Secure Mobile Access) line of SonicWall devices, attributing access to credentials and OTP seed reuse from prior intrusions.

Arctic Wolf's investigation reveals how the attack unfolds, step by step. The first link in the attack chain is gaining initial access via SSL VPN. The attackers initiate login attempts to SonicWall SSL VPN interfaces.

A telltale sign is that many of these logins originate from IP addresses within hosting provider or virtual private server (VPS) address spaces, unlike typical user logins. In some cases, logins even emerge from VPN or anonymization service networks.

In over half of observed cases, the targeted accounts had OTP MFA enabled. Yet authentication succeeded. The log events show an OTP challenge, followed soon after by a successful login. Although no malicious changes to OTP configuration (such as re-binding or unbinding) were detected prior to access, the behavior strongly suggests the use of valid credentials and legitimately generated tokens.

The second stage is lateral movement. Within minutes of logging in to the VPN, the attackers begin scanning the internal network. Ports such as 135 (RPC), 445 (SMB), and 1433 (SQL), along with related services, are probed using tools like SoftPerfect Network Scanner or Advanced IP Scanner.

They then use the Python Impacket library to establish SMB sessions (for example, via SMBv2), and enumerate Active Directory using built-in tools (nltest, dsquery, PowerShell's Get-ADUser / Get-ADComputer) and open-source tools like SharpShares and BloodHound.

Further, threat actors also target backup systems. In particular, Veeam Backup & Replication servers became high-value targets. Attackers used custom PowerShell scripts to extract credentials stored in MSSQL or PostgreSQL databases, including DPAPI secrets.

Once lateral movement is achieved, threat actors employ various persistence methods, along with detection evasion measures. Attackers often create new local administrative accounts or domain accounts and elevate them for ongoing access. They deploy remote administration tools such as AnyDesk and TeamViewer to help maintain control.

For stealth, they turn off legitimate endpoint security and snapshot backups. They employ a "bring-your-own-vulnerable-driver" (BYOVD) tactic by sideloading malicious drivers (e.g., rwdrv.sys or churchill_driver.sys) using Microsoft's consent.exe, which is signed and trusted. These drivers manipulate security permissions (ACLs) in kernel mode to disable or block security processes.

To maintain remote access, the attackers use SSH reverse tunnels or Cloudflare's cloudflared tool, typically installing them as services to persist across reboots.

As with ransomware attacks in general, and particularly those using the double extortion tactic, the last step in the attack is data exfiltration and encryption. Before deploying ransomware, attackers stage data by collecting selected files (such as Office documents and database exports) using WinRAR with parameters that filter and archive only the targeted file types. Threat actors then transfer the archives using rclone or SFTP, typically via FileZilla.

Finally, they deploy the Akira ransomware binary (or its variants) to multiple drives and shared folders. Some encryption runs in as little as 55 minutes; most intrusions reach full encryption in under four hours.

Mitigation Recommendations for Defenders

Given the speed and sophistication of this campaign, organizations must adopt proactive and layered defenses:

  • Reset credentials aggressively. Any SonicWall device that ever ran firmware vulnerable to CVE-2024-40766 requires all SSL VPN credentials to be reset. Additionally, rotate the associated Active Directory credentials used for LDAP synchronization or VPN access.
  • Enforce firmware updates and patch management. Ensure devices run the latest supported versions, SonicOS 7.3.0 or higher.
  • Apply network segmentation and restrict VPN access. Limit VPN access only to necessary accounts and enforce least privilege policies. Block access from known hosting or anonymization IP ranges, and disallow VPN logins from countries where your organization does no business.
  • Enhance logs and real-time monitoring. Flag SSL VPN logins originating from hosting or VPS networks. Monitor SMB session setup activity consistent with Impacket.
  • Consider using SSO/SAML authentication. Arctic Wolf observed that the attackers did not compromise accounts that used SSO/SAML for VPN authentication. Separating identity management from firewall appliances reduces risk.
  • Deploy detection for BYOVD tactics. Monitor for unusual use of consent.exe or suspicious kernel driver loads from unusual paths.
  • Implement threat hunting and adversary simulations. Search for lateral movement indicators and for the presence of the tools this campaign is known to weaponize. Conduct red team testing to ensure controls can detect fast-moving attacks.
  • Backup strategy and recovery plans. Maintain immutable backups, isolate them from the network, and regularly test restores. Design recovery plans that assume adversarial infiltration.
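As an added illustration of the log monitoring recommended above (this is not code from the article or from Arctic Wolf), the following Python flags the two patterns the article describes: successful SSL VPN logins from hosting/VPS address space (noting when an OTP challenge preceded them), and logins followed within minutes by scanning of ports 135, 445 and 1433. The key=value log layout, the sample lines and the hosting range list are constructed placeholders, not SonicWall's real syslog format or a real ASN feed.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed sample lines in a simplified key=value layout (not SonicWall's real syslog format).
SAMPLE_LOG = """\
2025-07-28T09:14:02Z user=jdoe src=203.0.113.45 event=otp_challenge
2025-07-28T09:14:09Z user=jdoe src=203.0.113.45 event=login_success
2025-07-28T09:17:30Z user=jdoe src=203.0.113.45 event=portscan dst_ports=135,445,1433
2025-07-28T10:02:11Z user=asmith src=198.51.100.7 event=otp_challenge
2025-07-28T10:02:40Z user=asmith src=198.51.100.7 event=login_success
"""
# Placeholder hosting/VPS ranges; in production this comes from an ASN or threat-intel feed.
# 203.0.113.0/24 is RFC 5737 documentation space, treated here as "hosting".
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SCAN_PORTS = {"135", "445", "1433"}  # RPC, SMB, MSSQL: the ports the article says get probed

def parse(line):
    """Turn one constructed log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_hosting(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)

def flag_logins(log_text, scan_window=timedelta(minutes=10)):
    """Return (user, src, reason) alerts for successful SSL VPN logins that come from
    hosting/VPS space or are followed by RPC/SMB/SQL scanning within scan_window."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    otp_seen, alerts = set(), []
    for i, ev in enumerate(events):
        key = (ev["user"], ev["src"])
        if ev["event"] == "otp_challenge":
            otp_seen.add(key)  # account has OTP MFA; a later success means a token was accepted
        if ev["event"] != "login_success":
            continue
        if is_hosting(ev["src"]):
            mfa = " after OTP challenge" if key in otp_seen else ""
            alerts.append((*key, "login from hosting/VPS range" + mfa))
        for later in events[i + 1:]:  # log is time-ordered, so stop once the window has passed
            if later["ts"] - ev["ts"] > scan_window:
                break
            if (later["user"], later["src"]) == key and later["event"] == "portscan" \
                    and SCAN_PORTS & set(later["dst_ports"].split(",")):
                mins = (later["ts"] - ev["ts"]).seconds // 60
                alerts.append((*key, f"RPC/SMB/SQL scan {mins} min after login"))
                break
    return alerts
```

Running `flag_logins(SAMPLE_LOG)` raises two alerts for jdoe and none for asmith, whose login comes from a non-hosting range and is not followed by scanning.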

The Akira ransomware campaign targeting SonicWall VPNs challenges many assumptions in current security practice. Attackers have demonstrated the ability to bypass MFA, reuse credentials even after patching, move laterally rapidly, and deploy ransomware in under four hours.

Defenders must respond with swift credential resets, tight monitoring, zero-trust VPN design, and threat intelligence–driven detection. The window for intervention is narrow, but organizations that can detect and respond early may be able to blunt the worst of this emerging threat.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
