
Akira ransomware attackers actively exploiting SonicWall SSL VPN

Threat actors associated with the Akira ransomware group have intensified their focus on SonicWall devices for initial access. Cybersecurity firm Rapid7 reported a notable increase in intrusions involving SonicWall appliances, particularly following a resurgence of Akira ransomware activity since late July 2025. SonicWall disclosed that the SSL VPN activity targeting its firewalls exploited a year-old security vulnerability (CVE-2024-40766, CVSS score: 9.3) on devices where local user passwords were not reset during migration. The company observed a rise in brute-force attempts on user credentials and recommended that customers enable Botnet Filtering to block known threat actors and implement Account Lockout policies to mitigate risks.
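As an added example (not code from the article, SonicWall or Rapid7), the detector below shows what the brute-force and Account Lockout advice above looks like in practice: it parses SSL VPN authentication events, flags any account whose failed logins would trip a lockout threshold within a time window, and notes whether a successful login followed the burst. The log format, field names, sample lines and the threshold of five failures in ten minutes are all constructed for this example; real appliance logs differ and need their own parser.

```python
"""Brute-force detection over constructed SSL VPN auth log lines.

Added example, not SonicWall or Rapid7 code. The log layout below is an
assumption made for this example, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = """\
2025-07-28T09:00:01Z sslvpn auth FAIL user=jsmith src=203.0.113.10
2025-07-28T09:00:03Z sslvpn auth FAIL user=jsmith src=203.0.113.10
2025-07-28T09:00:05Z sslvpn auth FAIL user=jsmith src=203.0.113.10
2025-07-28T09:00:07Z sslvpn auth FAIL user=jsmith src=203.0.113.10
2025-07-28T09:00:09Z sslvpn auth FAIL user=jsmith src=203.0.113.10
2025-07-28T09:00:11Z sslvpn auth OK   user=jsmith src=203.0.113.10
2025-07-28T09:05:00Z sslvpn auth FAIL user=admin  src=198.51.100.7
2025-07-28T09:05:30Z sslvpn auth FAIL user=admin  src=198.51.100.8
2025-07-28T09:40:00Z sslvpn auth FAIL user=admin  src=198.51.100.9
2025-07-28T10:00:00Z sslvpn auth OK   user=alee   src=192.0.2.44
"""

# Matches the constructed format: <timestamp> sslvpn auth <OK|FAIL> user=<u> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines the parser does not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with `threshold` or more failures inside `window`.

    Returns {user: {"lock_at": ts, "sources": [...], "success_after_burst": bool}}.
    `lock_at` is when an Account Lockout policy with the same threshold
    would have locked the account; `success_after_burst` marks a login
    that succeeded after that point, which warrants an incident review.
    """
    failures = defaultdict(list)   # user -> [(ts, src), ...]
    successes = defaultdict(list)  # user -> [ts, ...]
    for ts, result, user, src in sorted(events):
        if result == "FAIL":
            failures[user].append((ts, src))
        else:
            successes[user].append(ts)

    findings = {}
    for user, fails in failures.items():
        # Sliding window: start at each failure and count those within `window`.
        for i in range(len(fails)):
            start_ts = fails[i][0]
            burst = [f for f in fails[i:] if f[0] - start_ts <= window]
            if len(burst) >= threshold:
                lock_at = burst[threshold - 1][0]
                findings[user] = {
                    "lock_at": lock_at,
                    "sources": sorted({src for _, src in burst}),
                    "success_after_burst": any(s > lock_at for s in successes[user]),
                }
                break
    return findings


if __name__ == "__main__":
    for user, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

With the constructed sample, `jsmith` is flagged (five failures in eight seconds, then a success, which is the pattern to escalate), while `admin` is not because its three failures are spread beyond the window; lowering `threshold` to 2 would flag `admin` as well, which is the same tuning decision an Account Lockout policy forces on the appliance.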

SonicWall also highlighted the importance of reviewing LDAP SSL VPN Default User Groups, labelling it a “critical weak point” if misconfigured in the context of an Akira ransomware attack. This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual Active Directory membership. If this default group has access to sensitive services, any compromised Active Directory account could inherit those permissions, bypassing intended access controls. Rapid7 noted that threat actors have been accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain configurations, can allow public access and enable attackers to configure MFA/TOTP with valid accounts.

To mitigate these risks, organisations are advised to rotate passwords on all SonicWall local accounts, remove inactive accounts, ensure MFA/TOTP policies are in place, and restrict Virtual Office Portal access to the internal network. The Australian Cyber Security Centre (ACSC) has also acknowledged Akira’s targeting of SonicWall SSL VPNs, particularly against vulnerable Australian organisations. Since its emergence in March 2023, Akira has claimed 967 victims, making it one of the most active ransomware groups, with 40 attacks reported in July 2025 alone. 
