
- Akira ransomware exploits CVE-2024-40766 to access SonicWall VPNs despite patches and MFA
- Researchers suspect OTP seeds were stolen, enabling bypass of one-time password protections
- Google links attacks to UNC6148 targeting patched, end-of-life SonicWall SMA 100 appliances
Akira ransomware operators are still finding ways to infiltrate SonicWall SSL VPN devices, despite known vulnerabilities being patched, and victims having multi-factor authentication (MFA) enabled on all accounts.
Multiple security researchers have confirmed the attacks, though they offer different, if overlapping, theories about how the intrusions actually succeed.
In late July 2025, researchers at Arctic Wolf Labs reported an uptick in malicious logins through SonicWall SSL VPN instances. At the time they speculated that the appliances might be affected by a zero-day vulnerability, but it was later confirmed that Akira's operators were exploiting CVE-2024-40766, an improper access control flaw in SonicOS that was disclosed and patched in 2024 and reported under active exploitation that September.
Nabbing tokens via zero-day?
Besides patching, SonicWall also urged its customers to reset all SSL VPN credentials, but these measures were evidently not enough to keep Akira out.
Now, Arctic Wolf says it is seeing successful logins even on MFA-protected accounts. In a report published earlier this week, the researchers said multiple one-time password (OTP) challenges were issued for an account before a login succeeded, indicating that the attackers most likely hold the compromised OTP seeds, or have found another way to generate valid tokens. Where the OTP is app-based (TOTP), the seed is the secret; a password reset on its own does nothing about a stolen seed, and only re-enrolling the account's MFA issues a new one.
“From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.”
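Two checks follow from the Arctic Wolf observations above: hunting for the "several OTP challenges, then a successful login" pattern in VPN authentication logs, and listing accounts whose password or OTP seed still dates from before the device was patched. The following is an added example written for this article, not Arctic Wolf's, SonicWall's or Google's tooling. The event tuples, account records, field names and patch date are all constructed; real SonicWall syslog fields differ and would need to be mapped into this shape first.

```python
"""Hunt for the OTP-bypass login pattern and for secrets that predate the patch.

Added example; the event and account data below are constructed for
illustration and do not reflect any real SonicWall log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source IP, event kind).
# "jdoe" gets three OTP challenges in under a minute before a success;
# "asmith" gets the normal single challenge.
SAMPLE_EVENTS = [
    ("2025-08-04T02:11:05", "jdoe", "203.0.113.7", "otp_challenge"),
    ("2025-08-04T02:11:21", "jdoe", "203.0.113.7", "otp_challenge"),
    ("2025-08-04T02:11:49", "jdoe", "203.0.113.7", "otp_challenge"),
    ("2025-08-04T02:12:02", "jdoe", "203.0.113.7", "login_success"),
    ("2025-08-04T09:00:10", "asmith", "198.51.100.20", "otp_challenge"),
    ("2025-08-04T09:00:30", "asmith", "198.51.100.20", "login_success"),
]


def find_repeated_otp_logins(events, min_challenges=2, window=timedelta(minutes=10)):
    """Return successful logins preceded by >= min_challenges OTP challenges
    for the same user within `window`.

    One challenge per login is the normal shape.  Several challenges followed
    by success is what Arctic Wolf described and is consistent with tokens
    being generated from a stolen seed (or simply guessed); either way it is
    worth an analyst's attention.
    """
    challenges = defaultdict(list)  # user -> timestamps of recent challenges
    hits = []
    for ts_s, user, src_ip, kind in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if kind == "otp_challenge":
            challenges[user].append(ts)
        elif kind == "login_success":
            recent = [t for t in challenges[user] if ts - t <= window]
            if len(recent) >= min_challenges:
                hits.append({"user": user, "src_ip": src_ip,
                             "time": ts_s, "challenges": len(recent)})
            challenges[user].clear()  # a success closes the sequence
    return hits


# Constructed account records and an assumed (hypothetical) patch date.
PATCH_APPLIED = datetime(2024, 9, 10)
ACCOUNTS = {
    "jdoe":   {"password_reset": datetime(2024, 6, 1),  "otp_enrolled": datetime(2024, 6, 1)},
    "asmith": {"password_reset": datetime(2024, 9, 12), "otp_enrolled": datetime(2024, 9, 12)},
    # Password rotated after the patch, but the OTP seed never re-enrolled.
    "ops":    {"password_reset": datetime(2024, 9, 12), "otp_enrolled": datetime(2024, 3, 3)},
}


def accounts_with_pre_patch_secrets(accounts, patch_applied):
    """Map each account to the secrets that predate the patch.

    Anything set while the device was exploitable should be treated as
    harvested.  Note the "ops" case: rotating the password alone leaves the
    old OTP seed valid, which is exactly the gap the campaign exploits.
    """
    stale = {}
    for user, rec in accounts.items():
        reasons = [k for k in ("password_reset", "otp_enrolled") if rec[k] < patch_applied]
        if reasons:
            stale[user] = reasons
    return stale


if __name__ == "__main__":
    for hit in find_repeated_otp_logins(SAMPLE_EVENTS):
        print("suspicious login:", hit)
    for user, reasons in accounts_with_pre_patch_secrets(ACCOUNTS, PATCH_APPLIED).items():
        print(f"{user}: rotate {', '.join(reasons)}")
```

The first check is deliberately conservative (a threshold of two challenges within ten minutes) and is meant for triage rather than blocking; legitimate users do occasionally fumble a code. The second check is the one to run once, against the full account list, immediately after patching: any account that shows up needs both a new password and a fresh MFA enrolment.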
At the same time, Google also pointed to stolen OTP seeds as the most likely explanation, but suggested they may have been nabbed through a zero-day. Note that Google's campaign concerns the SMA 100 series, a separate product line from the SonicOS firewalls whose SSL VPN Arctic Wolf observed, so the two reports describe related but not identical activity.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances,” Google said in its report. “GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
Via BleepingComputer