- Akira ransomware affiliates use CVE-2024-40766 to access SonicWall SSL VPNs despite patches and MFA
- Researchers suspect OTP seeds were stolen, allowing one-time password protection to be bypassed
- Google links UNC6148 attacks to fully patched, end-of-life SonicWall SMA 100 appliances
Akira ransomware operators are still finding ways into SonicWall SSL VPN devices, even where the known vulnerabilities have been patched and victims have multifactor authentication (MFA) enabled on every account.
Several security research teams have confirmed the attacks are happening, but they have different (though overlapping) theories about what is actually going on.
At the end of July 2025, researchers at Arctic Wolf Labs reported an uptick in malicious logins through SonicWall SSL VPN instances. At the time, they speculated that the appliances might be affected by a zero-day vulnerability, but it was later confirmed that Akira affiliates were actually exploiting CVE-2024-40766, an improper access control vulnerability disclosed and patched in September 2024.
Nabbing tokens via zero-day?
In addition to releasing a patch, SonicWall urged customers to reset all SSL VPN credentials, but it seems these measures were not enough to keep Akira out.
Arctic Wolf now says it is seeing successful logins even on 2FA-protected accounts. In a report published earlier this week, the researchers said that several one-time password (OTP) challenges were issued for login attempts before the eventual successful login, which indicates that the attackers have likely compromised the OTP seeds or found some other way to generate valid tokens.
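The pattern Arctic Wolf describes (a burst of OTP challenges for one account, then a success) is something a SOC can hunt for in VPN authentication logs. The following is an added example, not code from Arctic Wolf, SonicWall or the original article. The log lines are constructed, in a hypothetical `key=value` format rather than SonicWall's real syslog schema, and the `min_challenges`/`window` thresholds are assumptions to tune against your own baseline:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not SonicWall's
# real syslog schema). Each line is one SSL VPN authentication event.
SAMPLE_LOG = """\
2025-08-01T02:14:05Z user=jdoe src=203.0.113.10 event=otp_challenge
2025-08-01T02:14:21Z user=jdoe src=203.0.113.10 event=otp_challenge
2025-08-01T02:14:40Z user=jdoe src=203.0.113.10 event=otp_challenge
2025-08-01T02:14:58Z user=jdoe src=203.0.113.10 event=login_success
2025-08-01T08:00:01Z user=asmith src=198.51.100.7 event=otp_challenge
2025-08-01T08:00:20Z user=asmith src=198.51.100.7 event=login_success
2025-08-01T09:30:00Z user=bwong src=198.51.100.9 event=otp_challenge
2025-08-01T11:45:12Z user=bwong src=198.51.100.9 event=otp_challenge
2025-08-01T11:45:30Z user=bwong src=198.51.100.9 event=login_success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) event=(\S+)$")


def parse_events(text):
    """Parse the hypothetical format into (timestamp, user, src, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_suspicious_logins(text, min_challenges=2, window=timedelta(minutes=10)):
    """Flag successful logins preceded by >= min_challenges OTP challenges for the
    same user within `window`. One challenge before a success is normal; a burst
    of them followed by a success suggests codes being tried or generated rather
    than read off the user's authenticator."""
    pending = {}  # user -> challenge timestamps not yet consumed by a success
    hits = []
    for ts, user, src, event in sorted(parse_events(text)):
        if event == "otp_challenge":
            pending.setdefault(user, []).append(ts)
        elif event == "login_success":
            recent = [t for t in pending.get(user, []) if ts - t <= window]
            if len(recent) >= min_challenges:
                hits.append((user, src, len(recent), ts.isoformat()))
            pending[user] = []  # a success closes the attempt sequence
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("suspicious:", hit)
```

In the constructed sample only `jdoe` is flagged: three challenges in under a minute, then a success. `asmith` has the normal one-challenge-then-success shape, and `bwong`'s earlier challenge falls outside the ten-minute window, so it is not counted. A real hunt would also join on source IP reputation and the account's usual geography, which the article does not discuss and this example does not attempt.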
“In this light, credentials could potentially have been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors even after the same devices were patched. Threat actors in the current campaign have successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.”
Around the same time, Google also pointed to stolen OTP seeds as the most likely culprit, but suggested they had been obtained through a zero-day.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances,” Google said in its report. “GTIG assesses with high confidence that UNC6148 is leveraging one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
Via BleepingComputer