Reports indicate that threat actors associated with the Akira ransomware group have been targeting SonicWall devices for initial access. Cybersecurity firm Rapid7 has observed an increase in intrusions involving SonicWall appliances, especially following reports of renewed Akira ransomware activity since late July 2025.
SonicWall disclosed that the SSL VPN activity directed at its firewalls exploited a year-old vulnerability (CVE-2024-40766, CVSS score: 9.3) on appliances where local user passwords were not reset after migration.
The company noted, “We are seeing heightened threat activity from actors trying to brute-force user credentials. To reduce the risk, customers are advised to enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are activated.”
SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a critical weak point in the event of an Akira ransomware attack.
Rapid7 has observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, lets an attacker who already holds exposed credentials for a valid account enroll their own MFA/TOTP for it.
Organizations are advised to rotate passwords on all SonicWall local accounts, remove unused or inactive accounts, configure MFA/TOTP policies, and restrict Virtual Office Portal access to the internal network to mitigate the risk.
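The brute-force activity and the lockout advice above translate directly into detection logic a defender can run over VPN authentication events. The script below is an added illustration, not SonicWall's or Rapid7's tooling: the log format, the sample lines, the IP addresses and account names, and the thresholds are all constructed for the example. It counts failures per source address (so password spraying across many accounts is caught even when no single account fails often), flags any later successful login from a flagged source as a credential that needs immediate rotation, and simulates a per-account lockout policy to show what it would and would not have stopped.

```python
"""Brute-force and lockout analysis over VPN authentication events.

Added example for this article; the log schema is constructed, not the
appliance's real syslog format. Any collector that emits one event per
authentication attempt can feed the same logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-08-01T02:00:01 FAIL user=admin src=203.0.113.7
2025-08-01T02:00:03 FAIL user=admin src=203.0.113.7
2025-08-01T02:00:05 FAIL user=admin src=203.0.113.7
2025-08-01T02:00:08 FAIL user=jsmith src=203.0.113.7
2025-08-01T02:00:11 FAIL user=backup src=203.0.113.7
2025-08-01T02:00:14 FAIL user=vpnuser src=203.0.113.7
2025-08-01T02:00:20 OK user=jsmith src=203.0.113.7
2025-08-01T09:15:00 OK user=jsmith src=198.51.100.20
2025-08-01T09:16:00 FAIL user=mlee src=198.51.100.20
2025-08-01T09:17:00 OK user=mlee src=198.51.100.20
"""
LINES = SAMPLE_LOG.splitlines()

# Assumed policy values; tune to the environment.
WINDOW = timedelta(minutes=5)      # sliding window for per-source counting
FAIL_THRESHOLD = 5                 # failures from one source within WINDOW
LOCKOUT_FAILS = 3                  # per-account lockout after this many failures
LOCKOUT_WINDOW = timedelta(minutes=10)


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(lines, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return {src: time the threshold was first reached} for sources whose
    failures within `window` reach `threshold`. Counting per source rather
    than per account is what makes password spraying visible."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse(line)
        if ev["ok"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def suspicious_successes(lines, flagged):
    """Successful logins from a source already flagged as brute-forcing.
    Those accounts are the ones to rotate first, alongside any MFA/TOTP
    enrollment the attacker may have added afterwards."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev["ok"] and ev["src"] in flagged and ev["ts"] >= flagged[ev["src"]]:
            hits.append((ev["user"], ev["src"]))
    return hits


def lockout_would_trigger(lines, fails=LOCKOUT_FAILS, window=LOCKOUT_WINDOW):
    """Simulate a per-account lockout policy: which accounts would have been
    locked, and when, if the policy had been enabled."""
    per_user = defaultdict(deque)
    locked = {}
    for line in lines:
        ev = parse(line)
        if ev["ok"] or ev["user"] in locked:
            continue
        q = per_user[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= fails:
            locked[ev["user"]] = ev["ts"]
    return locked


if __name__ == "__main__":
    flagged = detect_bruteforce(LINES)
    print("brute-force sources:", flagged)
    print("rotate these credentials:", suspicious_successes(LINES, flagged))
    print("lockout would have caught:", lockout_would_trigger(LINES))
```

On the sample data the lockout simulation locks only `admin`, because the other accounts each fail once before the attacker lands a valid password for `jsmith`; the per-source counter flags `203.0.113.7` at the fifth failure and then marks the `jsmith` login from that address for rotation. Account lockout is still worth enabling, as SonicWall advises, but on its own it does not see a spray, which is why the per-source rule and the password rotation in the guidance above matter together.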
The Australian Cyber Security Centre (ACSC) has echoed concerns about Akira targeting SonicWall SSL VPNs and striking vulnerable Australian organizations through these devices.
Akira has been a persistent threat in the ransomware landscape since its emergence in March 2023, with 967 victims to date.
Recent Akira ransomware infections have utilized SEO poisoning techniques to distribute trojanized installers for popular IT management tools, leading to the deployment of the Bumblebee malware loader.
The attacks leverage Bumblebee to distribute the AdaptixC2 post-exploitation and adversarial emulation framework, install RustDesk for persistent remote access, exfiltrate data, and deploy the ransomware.
Palo Alto Networks Unit 42 highlighted the versatile nature of AdaptixC2, allowing threat actors to execute commands, transfer files, and perform data exfiltration on infected systems.
Rapid7 outlined the standard attack flow followed by the Akira ransomware group, including obtaining initial access via the SSLVPN component, escalating privileges, stealing sensitive files, deleting backups, and deploying ransomware encryption at the hypervisor level.