SonicWall VPN accounts breached by Akira ransomware, and even those using MFA are at risk
How can fully patched, 2FA-protected accounts still be breached?

- Akira ransomware exploits CVE-2024-40766 to access SonicWall VPNs despite patches and MFA
- Researchers suspect OTP seeds were stolen, enabling bypass of one-time password protections
- Google links attacks to UNC6148 targeting patched, end-of-life SonicWall SMA 100 appliances
Akira ransomware operators are still finding ways to infiltrate SonicWall SSL VPN devices, despite known vulnerabilities being patched, and victims having multi-factor authentication (MFA) enabled on all accounts.
Multiple security research teams have confirmed that the attacks are taking place, but they offer different, though overlapping, theories about what is actually happening.
In late July 2025, security researchers at Arctic Wolf Labs reported an uptick in malicious logins coming through SonicWall SSL VPN instances. At the time, the researchers speculated that the devices might be affected by an unpatched zero-day vulnerability, but it was later confirmed that Akira's operators were actually exploiting CVE-2024-40766, an improper access control flaw that was discovered, and patched, in September 2024.
Nabbing tokens via zero-day?
Besides patching, SonicWall also urged its customers to reset all SSL VPN credentials, but it seems these measures were not enough to keep Akira at bay.
Now, Arctic Wolf says it is seeing successful logins even on 2FA-protected accounts. In a report published earlier this week, the researchers said that multiple one-time password (OTP) challenges were issued for an account before a login eventually succeeded, indicating that the attackers most likely hold the accounts' OTP seeds (the shared secret from which each time-based code is derived), or have found another way to generate valid codes. If that is the case, rotating passwords alone does not lock the attackers out; the OTP seeds must be re-enrolled as well.
"From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled."
At the same time, Google also pointed to stolen OTP seeds as the most likely explanation, but suggested they may have been taken through a zero-day. Note that Google's campaign concerns the SMA 100 series, a separate product line from the SonicOS firewalls whose SSL VPN is affected by CVE-2024-40766, so the two teams may be describing related but distinct activity.
"Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances," Google said in its report. "GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates."
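To make concrete why a stolen OTP seed defeats MFA, and what the "multiple OTP challenges before a successful login" pattern that Arctic Wolf and Google describe looks like in logs, the following is an added example written for this article; it is not SonicWall, Arctic Wolf or Google code. It implements RFC 6238 TOTP from scratch (checked against the RFC's published test vector), shows that re-enrolling a fresh seed invalidates codes derived from the old one, and runs a simple detection heuristic over a handful of constructed log lines. The `user=… src=… event=…` log format and the event names are assumptions made for the example, not SonicWall's real syslog format.

```python
"""TOTP seed theft and a log heuristic (added example; not vendor code)."""
import base64
import hashlib
import hmac
import re
import secrets
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 6238 reference seed (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Anyone holding seed_b32 can compute this,
    which is exactly why a stolen seed is equivalent to having the user's token."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(seed_b32: str, code: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Server-side check: accept +/- skew_steps time windows, constant-time compare."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + d * step, step), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def new_seed_b32() -> str:
    """Re-enrollment: a fresh 160-bit seed. Codes derived from the old seed stop
    verifying, which is what a password reset alone does NOT achieve."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


# Constructed log lines in an invented format (not SonicWall's syslog schema).
CONSTRUCTED_LOGS = """\
2025-08-01T02:14:03Z user=alice src=203.0.113.5 event=otp_challenge
2025-08-01T02:14:09Z user=alice src=203.0.113.5 event=otp_challenge
2025-08-01T02:14:15Z user=alice src=203.0.113.5 event=otp_challenge
2025-08-01T02:14:21Z user=alice src=203.0.113.5 event=login_success
2025-08-01T05:00:00Z user=carol src=198.51.100.9 event=otp_challenge
2025-08-01T07:00:00Z user=carol src=198.51.100.9 event=otp_challenge
2025-08-01T08:00:00Z user=carol src=198.51.100.9 event=otp_challenge
2025-08-01T08:02:00Z user=carol src=198.51.100.9 event=login_success
2025-08-01T09:00:00Z user=bob src=198.51.100.7 event=otp_challenge
2025-08-01T09:00:20Z user=bob src=198.51.100.7 event=login_success
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def suspicious_otp_logins(log_text: str, min_challenges: int = 3,
                          window: timedelta = timedelta(minutes=5)):
    """Flag (user, src) pairs where >= min_challenges OTP challenges inside `window`
    precede a successful login: several codes tried in quick succession before one
    is accepted, the pattern reported in the campaign above."""
    pending = defaultdict(list)  # (user, src) -> timestamps of recent challenges
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed schema
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["user"], m["src"])
        if m["event"] == "otp_challenge":
            pending[key].append(ts)
        elif m["event"] == "login_success":
            recent = [t for t in pending[key] if ts - t <= window]
            if len(recent) >= min_challenges:
                hits.append((m["user"], m["src"], len(recent)))
            pending[key].clear()  # a success closes the sequence
    return hits


if __name__ == "__main__":
    # Attacker with the seed reproduces the user's code for any moment in time.
    print("code at T=59 from RFC seed:", totp(RFC6238_SEED_B32, 59))
    # After re-enrollment the old-seed code is rejected.
    rotated = new_seed_b32()
    print("old code accepted by rotated seed?", verify_totp(rotated, totp(RFC6238_SEED_B32, 59), 59))
    print("flagged logins:", suspicious_otp_logins(CONSTRUCTED_LOGS))
```

The threshold and window are deliberately simple; in a real deployment you would tune them against baseline noise (users who mistype codes) and pair the rule with source-IP reputation and impossible-travel checks. The point the example makes is the one the researchers make: once the seed has left the appliance, the OTP is no longer a second factor, and the remediation is re-enrollment of every user's OTP, not just a password reset.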
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.