Current Cyber Threats

Updated Guidance on SonicWall Exploitation and Ransomware Risk

Summary:
Since late July 2025, security researchers have observed a resurgence of Akira ransomware activity linked to SonicWall seventh-generation (Gen 7) firewalls with SSL VPN enabled. Incidents show rapid intrusions that use the SonicWall appliance for initial access, followed by lateral movement, credential theft, defense evasion, and eventual ransomware deployment. While early reporting suggested a possible zero-day, SonicWall has since stated with high confidence that the current activity correlates with CVE-2024-40766. Exploitation is particularly common in environments that migrated configurations from Gen 6 to Gen 7 firewalls without resetting local user credentials, so the old passwords remained valid on the new appliance. This campaign remains active and evolving, with Akira operators adding new techniques to impair detection and accelerate impact.

Key Developments:

August 13, 2025
  • Akira observed using a -dellog argument to clear Windows event logs during execution, complicating incident response.
  • Updated IoCs include additional ransomware hashes.

August 8, 2025
  • Threat actors dropped rwdrv.sys and hlpdrv.sys as part of Bring Your Own Vulnerable Driver (BYOVD) attacks to disable defenses.
  • Activity confirmed from SonicWall devices, including attempts to delete shadow copies and clear event logs before encryption.

August 6, 2025
  • SonicWall Advisory: activity tied to CVE-2024-40766, not a zero-day.
  • Vulnerability impacts SSL VPN and management access, especially in cases of Gen 6 → Gen 7 configuration migrations where local passwords weren't reset.
  • SonicWall urges firmware updates to 7.3.0 and password resets for all accounts with SSL VPN access.
  • Arctic Wolf notes malicious VPN logins often originate from VPS hosting providers rather than ISPs.
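The timeline above names several artifacts a responder can hunt for: successful SSL VPN logins sourced from hosting-provider address space, shadow copy deletion and event log clearing before encryption, the Akira -dellog switch, and the rwdrv.sys / hlpdrv.sys BYOVD drivers. The Python below is an added example (not code from SonicWall, Arctic Wolf, Huntress or any Akira reporting) that turns those observations into two offline triage checks. Everything in it is an assumption beyond the names taken from the timeline: the key=value log layout is only loosely modeled on SonicOS syslog, the hosting-prefix list stands in for a real IP-to-ASN feed, the host event dicts stand in for EDR/Sysmon telemetry, and payload.exe is a hypothetical filename.

```python
"""Triage helpers for the SonicWall / Akira activity timeline above.

Added example, not code from SonicWall, Arctic Wolf or Huntress. The log
format, the hosting-prefix list and the host event shapes are assumptions.
"""
import ipaddress
import re
from typing import Iterable

# Constructed stand-in for an IP-to-ASN/org lookup (Team Cymru, MaxMind, etc.):
# prefixes an analyst has tagged as VPS/hosting space. RFC 5737 ranges; assumption.
HOSTING_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed "hosting provider A"
    ipaddress.ip_network("198.51.100.0/24"),  # constructed "hosting provider B"
]

# Driver filenames named in the August 8 entry above; no hashes appear on this page.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Parse a key=value syslog line into a dict (loosely SonicOS-style; assumption)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls inside a prefix tagged as VPS/hosting space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


def flag_vpn_logins(lines: Iterable[str]) -> list:
    """Return (user, source_ip) for successful SSL VPN logins from hosting space.

    Per the Arctic Wolf observation above, a login that succeeds from a VPS
    provider rather than a residential/business ISP deserves a second look.
    """
    hits = []
    for line in lines:
        fields = parse_kv(line)
        if "login allowed" not in fields.get("msg", "").lower():
            continue  # only successful logins; failures are brute-force noise here
        # Assumed src layout "ip:port:interface"; keep only the address.
        src_ip = fields.get("src", "").split(":")[0]
        if src_ip and is_hosting_ip(src_ip):
            hits.append((fields.get("usr", "?"), src_ip))
    return hits


def flag_host_events(events: Iterable[dict]) -> list:
    """Map constructed process / driver-load events to the Akira TTPs listed above."""
    hits = []
    for ev in events:
        name = ev.get("image", "").lower().replace("\\", "/").rsplit("/", 1)[-1]
        cmd = ev.get("cmdline", "").lower()
        if ev.get("type") == "driver_load" and name in BYOVD_DRIVERS:
            hits.append(("byovd_driver", name))
        elif ev.get("type") == "process":
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                hits.append(("shadow_copy_delete", cmd))
            elif "wmic" in cmd and "shadowcopy" in cmd and "delete" in cmd:
                hits.append(("shadow_copy_delete", cmd))
            elif "wevtutil" in cmd and re.search(r"\b(cl|clear-log)\b", cmd):
                hits.append(("event_log_clear", cmd))
            elif "-dellog" in cmd:  # Akira switch from the August 13 entry
                hits.append(("akira_dellog_switch", cmd))
    return hits


# Constructed sample data; field names mimic SonicOS syslog only loosely.
SAMPLE_VPN_LOG = [
    'id=firewall sn=000000000000 time="2025-08-05 02:13:41" pri=6 '
    'msg="SSL VPN zone remote user login allowed" src=203.0.113.45:51234:X1 usr=jsmith',
    'id=firewall sn=000000000000 time="2025-08-05 08:02:10" pri=6 '
    'msg="SSL VPN zone remote user login allowed" src=192.0.2.77:44110:X1 usr=jsmith',
    'id=firewall sn=000000000000 time="2025-08-05 02:10:03" pri=4 '
    'msg="SSL VPN zone remote user login failed" src=198.51.100.9:60001:X1 usr=admin',
]

SAMPLE_HOST_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "image": r"C:\Users\Public\payload.exe",  # hypothetical name
     "cmdline": "payload.exe -dellog"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for user, ip in flag_vpn_logins(SAMPLE_VPN_LOG):
        print(f"VPN login from hosting space: user={user} src={ip}")
    for rule, detail in flag_host_events(SAMPLE_HOST_EVENTS):
        print(f"host TTP {rule}: {detail}")
```

On the sample data the VPN check flags only jsmith's login from 203.0.113.45 (the 192.0.2.77 login is not hosting space and the 198.51.100.9 attempt failed), and the host check fires on the vssadmin, wevtutil, -dellog and rwdrv.sys events while ignoring notepad. In production the prefix list should come from an ASN feed and the driver check should key on hashes or signer rather than filename alone, since the page gives only the filenames.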

Updated Guidance from SonicWall:

"To ensure full protection, we strongly urge all customers who have imported configurations from Gen 6 to newer firewalls to take the following steps immediately:
  • Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional MFA controls. Firmware update guide
  • Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
  • Continue applying the previously recommended best practices:
      • If any local administrator accounts have been compromised through CVE-2024-40766, attackers may exploit administrative features such as packet capture, debugging, logging, configuration backup, or MFA control to obtain additional credentials, monitor traffic, or weaken the overall security posture. It is advisable to review any packet captures, logs, MFA settings, and recent configuration changes for unusual activity, and rotate any credentials that may have been exposed (for example, the LDAP Login/Bind credential).
      • Review LDAP SSLVPN Default User Groups.
      • We are observing increased threat activity from actors attempting to brute-force user credentials. To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.
We'll continue to update the KB article with any further developments. We appreciate the continued support from third-party researchers that have helped us throughout this process, including Arctic Wolf, Google Mandiant, Huntress, and Field Effect."

Updated Advisory Link:
https://www.sonicwall.com/support/n...sslvpn-recent-threat-activity/250804095336430

Research Blogs/Available IOCs:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn