Arctic Wolf experts warn that Akira ransomware attacks on SonicWall SSL VPN devices continue to evolve. Hackers are successfully logging into accounts even with multi-factor authentication (MFA) enabled using one-time passwords (OTP). It is believed that the attacks may leverage previously stolen OTP seed keys, although the exact method has not yet been confirmed.
Recall that last summer, specialists from Arctic Wolf warned that since July 15, 2025, they had been recording attacks involving the Akira ransomware, and suggested that the criminals might be using a 0-day vulnerability in 7th-generation SonicWall firewalls for this campaign.
Soon after, Huntress researchers confirmed these findings and published their own report containing indicators of compromise collected during the investigation of this campaign.
At the time, experts recommended that administrators temporarily disable SonicWall SSL VPN services due to the high likelihood that a vulnerability associated with them was being used in the attacks.
As SonicWall representatives stated shortly thereafter, the Akira operators exploited an old vulnerability. In other words, the affected users were those who did not follow the vendor’s recommendations to protect against CVE-2024-40766, an unauthorized-access vulnerability that had been patched back in August 2024.
Although the vulnerability was fixed a year ago, attackers continued to use credentials stolen from previously compromised devices even after patches were installed. After the attacks were linked to credential theft, SonicWall strongly recommended that administrators change those credentials and install the latest version of SonicOS.
As reported by Arctic Wolf analysts, the campaign against SonicWall firewalls continues. They emphasize that attackers are successfully logging into accounts even when multi-factor authentication with one-time passwords is enabled.
According to the researchers’ report, multiple OTP checks were performed during login attempts, followed by successful authentication. This suggests that the attackers may have gained access to the one-time password seed keys or found an alternative way to generate valid tokens.
“SonicWall links the malicious logins observed in this campaign to CVE-2024-40766—an access control flaw identified a year ago,” Arctic Wolf writes. “This suggests that credentials could have been harvested from devices that were vulnerable to CVE-2024-40766 and later used by attackers, even if those devices had since been patched. However, in the current campaign, the adversaries are successfully authenticating to accounts with OTP-based MFA enabled.”
After breaching the company’s network, the hackers moved quickly — scanning began in under five minutes. The attackers also used Impacket SMB session setup requests, logged in via RDP, and enumerated Active Directory objects using dsquery, SharpShares, and BloodHound.
The attackers paid particular attention to Veeam Backup & Replication servers. In this case, a custom PowerShell script was used to extract and decrypt stored MSSQL and PostgreSQL credentials, including DPAPI secrets.
To bypass security software, the hackers employed a Bring-Your-Own-Vulnerable-Driver (BYOVD) tactic, abusing the legitimate Microsoft executable consent.exe to load malicious DLLs and vulnerable drivers (rwdrv.sys, churchill_driver.sys). These drivers were then used to disable security processes.
The report emphasizes that some of the attacks affected devices running SonicOS 7.3.0 — the recommended version that SonicWall strongly advises installing to reduce the risk of credential-based attacks.
Researchers write that it’s still unclear exactly how the ransomware operators are bypassing multi-factor authentication, but a separate report by Google Threat Intelligence Group (GTIG) specialists in July described similar abuse of SonicWall VPN services.
As part of that campaign, the UNC6148 group deployed the OVERSTEP rootkit on SMA 100-series devices, reportedly using previously stolen OTP seed keys, which allowed the hackers to maintain access even after updates were installed.
Google believed that the attackers used seed keys stolen during other 0-day attacks. However, the company did not specify which particular vulnerability (CVE) was used by the attackers.