Akira Ransomware Is Breaching SonicWall SSL VPN Even With MFA: What We Know and How to Respond

CyberSecureFox 🦊

Arctic Wolf is tracking an evolution in the Akira ransomware campaign against SonicWall SSL VPN in which attackers successfully authenticate despite multi-factor authentication (MFA) being enabled. Logs show multiple one-time password (OTP) challenges that ultimately end in a successful login—behavior consistent with compromised OTP seed keys or an alternative mechanism to generate valid codes.

From suspected zero‑day to exploitation of CVE‑2024‑40766

Arctic Wolf and Huntress initially warned of SonicWall Gen 7 intrusions starting on 15 July 2025, at first suspected to involve a zero‑day. Shortly thereafter, SonicWall attributed related activity to CVE‑2024‑40766, an access control flaw patched in August 2024. Vendors emphasized that organizations lagging on patching were disproportionately impacted, and that attackers continued leveraging previously stolen credentials even after devices were updated—necessitating password resets and upgrades to current SonicOS builds.

Rapid post‑compromise tradecraft: AD reconnaissance and backup targeting

Once inside the VPN, operators move quickly—network probing often begins within five minutes of access. Lateral movement relies on Impacket (SMB session setup) and RDP, followed by Active Directory (AD) enumeration using tools such as dsquery, SharpShares, and BloodHound. That enumeration quickly surfaces privilege‑escalation paths and identifies high‑value systems.

Backup infrastructure is a priority target. Investigators observed a custom PowerShell script extracting and decrypting saved credentials for MSSQL and PostgreSQL from Veeam Backup & Replication, including secrets protected by Windows DPAPI. By compromising Veeam, actors raise the likelihood of successful extortion and complicate recovery by weakening restore points.

Defense evasion with BYOVD and living‑off‑the‑land components

For endpoint defense evasion, the campaign uses Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD). Attackers abuse the legitimate Windows binary consent.exe to sideload malicious DLLs and load vulnerable drivers such as rwdrv.sys and churchill_driver.sys, then terminate or blind security tooling. Notably, some compromises were observed on devices running recommended SonicOS 7.3.0, reinforcing that credential theft and MFA factor compromise can sustain access even on patched systems.

MFA bypass analysis: probable compromise of OTP seed keys

The precise MFA bypass method is not publicly confirmed. However, repeated OTP prompts culminating in success suggest compromised OTP seed keys or equivalent access to generate valid time‑based codes. A comparable tactic was described by Google’s threat intelligence team in July, linking group UNC6148 to an OVERSTEP rootkit on SonicWall SMA 100 devices and hypothesizing prior theft of OTP seeds that enabled persistence even after updates.

Why seed compromise matters

If an OTP token is derived from a stolen seed key, changing the password alone does not remove attacker access. The affected accounts require complete OTP secret regeneration and re‑enrollment; otherwise, adversaries can continue to derive valid codes in parallel with legitimate users.
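To make concrete why a password reset alone does not help, here is an added example that is not part of the original article and does not describe SonicWall's own implementation: it models a standard RFC 6238 time-based OTP with a constructed seed and a fixed timestamp, and shows that an attacker holding a copy of the enrolled seed derives the same codes as the user until the seed itself is regenerated.

```python
import hmac
import hashlib
import struct
import secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def simulate(seed_rotated: bool) -> dict:
    """
    Model the scenario from the article. The server and the user's authenticator
    share the enrolled seed; an attacker who copied that seed derives identical codes.
    A password change never touches the seed, so only re-enrollment (a freshly
    generated secret) invalidates the attacker's copy.
    """
    server_seed = secrets.token_bytes(20)    # constructed sample seed for the demo
    attacker_copy = server_seed              # assumed stolen copy of the enrolled seed
    now = 1_700_000_000                      # fixed timestamp so the run is reproducible
    if seed_rotated:
        server_seed = secrets.token_bytes(20)  # MFA re-enrollment: new secret issued
    return {
        "attacker_code_accepted": verify(server_seed, totp(attacker_copy, now), now),
        "user_code_accepted": verify(server_seed, totp(server_seed, now), now),
    }
```

With `seed_rotated=False` the attacker's code is accepted alongside the user's; with `seed_rotated=True` only the re-enrolled user's code passes.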

Immediate risk reduction and hardening measures

Act now: upgrade SonicOS to the latest supported release; force password resets for administrators and all VPN users; revoke and reissue OTP secrets (MFA re‑enrollment). Restrict SSL VPN by geography and allow‑lists; disable web administration from the WAN.

Authentication hardening

Where supported, migrate VPN authentication to FIDO2/WebAuthn or certificate‑based methods, and enforce device/context controls via conditional access. These factors resist OTP seed theft and phishing.

Countering BYOVD

Enable the Microsoft Vulnerable Driver Blocklist and HVCI/Kernel‑mode Code Integrity; monitor anomalous consent.exe execution and block known‑bad drivers. Maintain EDR with kernel‑tamper detection where possible.

Network and backup resilience

Segment and harden Veeam; use dedicated service accounts with least privilege; store backups in immutable and/or offline repositories; test restoration regularly to validate recovery objectives.

Detection and response

Hunt for Impacket, BloodHound, and RDP brute‑force artifacts; correlate spikes in OTP attempts across VPN portals; monitor AD enumeration patterns; collect network telemetry from chokepoints and deploy EDR on critical hosts. Review Arctic Wolf and Huntress indicators of compromise and match them to internal logs.
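As an added illustration of the "correlate spikes in OTP attempts" hunt (not part of the original article, and not tied to SonicWall's actual syslog schema), the following Python flags the pattern the article describes: a run of rejected OTP codes for one user and source that ends in an accepted code. The log lines, field names, users and addresses are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (generic key=value format, not a real vendor schema).
SAMPLE_LOG = """\
2025-07-16T02:14:03Z user=jdoe src=203.0.113.7 event=password_ok
2025-07-16T02:14:09Z user=jdoe src=203.0.113.7 event=otp_fail
2025-07-16T02:14:41Z user=jdoe src=203.0.113.7 event=otp_fail
2025-07-16T02:15:12Z user=jdoe src=203.0.113.7 event=otp_fail
2025-07-16T02:15:44Z user=jdoe src=203.0.113.7 event=otp_ok
2025-07-16T02:15:45Z user=jdoe src=203.0.113.7 event=login_success
2025-07-16T08:30:00Z user=asmith src=198.51.100.22 event=password_ok
2025-07-16T08:30:05Z user=asmith src=198.51.100.22 event=otp_fail
2025-07-16T08:30:20Z user=asmith src=198.51.100.22 event=otp_ok
2025-07-16T08:30:21Z user=asmith src=198.51.100.22 event=login_success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

def parse(log: str):
    """Yield dicts with a parsed timestamp for every line that matches the sample format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def find_otp_retry_then_success(log: str, min_failures: int = 2,
                                window: timedelta = timedelta(minutes=5)) -> list:
    """
    Return (user, src) sessions with >= min_failures OTP rejections inside `window`
    followed by an accepted OTP. One mistyped code is normal; a run of rejections
    that then succeeds is the behaviour the article reports and deserves review.
    """
    recent = defaultdict(list)  # (user, src) -> timestamps of otp_fail events
    hits = []
    for rec in parse(log):
        key = (rec["user"], rec["src"])
        if rec["event"] == "otp_fail":
            recent[key].append(rec["ts"])
        elif rec["event"] == "otp_ok":
            fails = [t for t in recent[key] if rec["ts"] - t <= window]
            if len(fails) >= min_failures:
                hits.append({"user": rec["user"], "src": rec["src"],
                             "failures": len(fails), "success_at": rec["ts"]})
            recent[key].clear()  # a success closes the current attempt window
    return hits
```

Tune `min_failures` and `window` to the portal's normal mistype rate before alerting on it, and join hits against password-reset and seed re-enrollment dates to separate legitimate users from a derived-code login.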

Given Akira’s focus on SonicWall SSL VPN and evidence of MFA bypass, organizations should rapidly reassess MFA trust, revoke and rotate OTP seeds, and eradicate footholds. Pair timely SonicOS updates with strong phishing‑resistant authentication, BYOVD mitigations, and robust, immutable backups. These steps reduce the probability of successful extortion and speed recovery should a breach occur.
