- Akira ransomware exploits CVE-2024-40766 to access SonicWall VPNs despite patches and MFA
- Researchers suspect that OTP seeds were stolen, allowing one-time passwords to be derived
- Google links UNC6148 attacks targeting SonicWall SMA 100 appliances
Akira ransomware operators are still finding ways into SonicWall SSL VPN devices, even though the known vulnerabilities have been patched and the victims have multi-factor authentication (MFA) enabled on all accounts.
Multiple security researchers have confirmed that the attacks are taking place, but they have different (though somewhat similar) theories about what is really happening.
At the end of July 2025, Arctic Wolf Labs security researchers reported an increase in SonicWall SSL VPN logins. At the time, the investigators speculated that the endpoints might have been hit with a zero-day vulnerability, but it was later confirmed that the Akira criminals were exploiting CVE-2024-40766, an improper access control flaw discovered and patched in September 2024.
Tokens stolen through a zero-day?
In addition to patching, SonicWall also urged its customers to reset all SSL VPN credentials, but it seems these measures were not enough to keep Akira at bay.
Now, Arctic Wolf says it is seeing successful logins even on 2FA-protected accounts. In a report published earlier this week, the researchers said that multiple one-time password (OTP) challenges were issued for the account login attempts before the successful login, indicating that the attackers had probably compromised the OTP seeds or found another way to generate the tokens.
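The pattern Arctic Wolf describes, several OTP challenges for one account shortly before a successful login, is something a defender can hunt for in VPN authentication logs. The following is an added example, not code from the article, Arctic Wolf, or SonicWall: the log lines are constructed for illustration and the format (`timestamp user source_ip event`) is an assumption, not a real SonicWall log schema.

```python
"""Flag SSL VPN accounts where several OTP challenges precede a successful login.

Added example (not from the article or from Arctic Wolf/SonicWall). The log
format and the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <source_ip> <event>".
# 'alice' receives four OTP challenges in under a minute before succeeding;
# 'bob' is a normal login with a single challenge.
SAMPLE_LOG = """\
2025-07-29T02:10:01Z alice 203.0.113.5 otp_challenge
2025-07-29T02:10:09Z alice 203.0.113.5 otp_challenge
2025-07-29T02:10:18Z alice 203.0.113.5 otp_challenge
2025-07-29T02:10:27Z alice 203.0.113.5 otp_challenge
2025-07-29T02:10:40Z alice 203.0.113.5 login_success
2025-07-29T08:15:00Z bob 198.51.100.7 otp_challenge
2025-07-29T08:15:12Z bob 198.51.100.7 login_success
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, ip, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    events.sort(key=lambda e: e[0])
    return events


def suspicious_logins(events, min_challenges=3, window=timedelta(minutes=10)):
    """Return (user, ip, login_time, n_challenges) for every successful login that
    was preceded by at least `min_challenges` OTP challenges for the same user
    within `window`. Thresholds are illustrative; tune them to local baselines."""
    pending = defaultdict(list)  # user -> timestamps of OTP challenges not yet resolved
    hits = []
    for ts, user, ip, event in events:
        if event == "otp_challenge":
            pending[user].append(ts)
        elif event == "login_success":
            recent = [t for t in pending[user] if ts - t <= window]
            if len(recent) >= min_challenges:
                hits.append((user, ip, ts, len(recent)))
            pending[user].clear()  # a completed login resolves the outstanding challenges
    return hits


def run_sample():
    """Apply the detection to the constructed sample log."""
    return suspicious_logins(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, ip, ts, n in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} from {ip}: {n} OTP challenges before success")
```

On the sample data only `alice` is flagged (four challenges within the window); `bob`, with a single challenge, is not. In practice the hit list is a triage queue, not proof of compromise: a user fumbling a code can trip it too, so it should be joined with source IP reputation and with whether the account's credentials and OTP seed were ever exposed on a device that was vulnerable before patching.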
“From this perspective, credentials could potentially have been harvested from devices vulnerable to CVE-2024-40766 and then used by the threat actors even after those same devices were patched. The threat actors in the current campaign have successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.”
At the same time, Google reported that stolen OTP seeds were the most likely culprit, but that they were captured during a zero-day.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting fully patched SonicWall Secure Mobile Access (SMA) 100 series appliances,” Google said in its report. “GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
Via BleepingComputer