- Akira ransomware exploits CVE-2024-40766 to access SonicWall VPNs despite patches and MFA
- Researchers suspect that OTP seeds have been stolen, which allows the one-time password protection to be bypassed
- Google attributes the attacks to UNC6148
Akira ransomware operators are still finding ways into SonicWall SSL VPNs, despite the vulnerabilities being known and victims having multi-factor authentication (MFA) enabled on all accounts.
Several security researchers have confirmed that the attacks are taking place, but they have different (though somewhat similar) theories about what is really going on.
At the end of July 2025, security researchers at Arctic Wolf Labs reported an increase in malicious connections to SonicWall SSL VPN instances. At the time, the researchers hypothesized that the devices might be affected by a zero-day vulnerability, but it was later confirmed that the Akira criminals were actually exploiting CVE-2024-40766, an improper access control flaw discovered and patched in September 2024.
Stolen tokens instead of a zero-day?
In addition to the patch, SonicWall also urged its customers to reset all SSL VPN credentials, but it seems that these measures are not sufficient to keep Akira out.
Now, Arctic Wolf says it is seeing successful logins even on accounts protected by 2FA. In a report published earlier this week, the researchers said that several one-time password (OTP) challenges had been issued for login attempts before the successful logins, indicating that the attackers had probably compromised the OTP seeds or found another way to generate the tokens.
“From this perspective, credentials may potentially have been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors, even if these same devices were patched. The threat actors in the current campaign managed to authenticate against accounts with the one-time password (OTP) MFA feature enabled.”
At the same time, Google reported that stolen OTP seeds were the most likely culprit, but that they had been captured through a zero-day.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting end-of-life SonicWall Secure Mobile Access (SMA) appliances,” Google said in its report. “GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
Via BleepingComputer