
Targeted Exploitation of SonicWall SSL VPNs by Akira Ransomware Affiliates

August 7th, 2025

Critical

Our Cyber Threat Intelligence Unit has identified a targeted campaign where Akira ransomware affiliates are actively exploiting SonicWall SSL VPN interfaces. First observed on July 15, 2025, these intrusions impacted environments with SonicWall appliances that were fully patched, protected by multi-factor authentication, and recently had their credentials rotated. Once initial access is gained, threat actors escalate privileges, move laterally to domain controllers, and deploy Akira ransomware within hours. The intrusion chain typically involves credential theft, staging with trusted tools, and deleting shadow copies before encryption. Virtual Private Server (VPS) infrastructure is extensively used to mask source IP addresses and bypass geolocation controls. SonicWall has acknowledged related reports and is investigating whether the activity stems from a new or previously known vulnerability.

Technical Details

  • Severity Level: Critical.

  • Initial Access: Threat actors are believed to be exploiting a previously unknown vulnerability in SonicWall SSL VPN interfaces. Compromise occurred despite fully patched firmware, recent credential rotation, and Multi-Factor Authentication (MFA) using TOTP.

  • Exploited Components: SonicWall firewalls running SonicOS Gen7, particularly TZ and NSa series devices. Affected firmware includes versions up to 7.2.0R7015.

  • Persistence Mechanisms: Post-compromise activity may include the use of remote management tools such as AnyDesk or ScreenConnect to maintain access. Persistence appears to rely on native OS mechanisms and credentialed access rather than traditional malware implants.

  • Methodology:

    • Threat actors gain VPN access through an undetermined exploit path, affecting SonicWall Gen7 SSL VPN interfaces, bypassing standard authentication mechanisms.

    • No malware is required; adversaries operate interactively using built-in tools and administrator privileges.

    • After gaining initial access, attackers escalate privileges, move laterally to domain controllers, and deploy Akira ransomware.

    • Exfiltration and staging are performed using trusted utilities like WinRAR and FileZilla, with encryption following soon after.

    • Shadow copies are deleted to prepare for ransomware execution, hindering data recovery after encryption.


Impact

Successful exploitation of this suspected zero-day may result in:

  • Complete domain compromise through privileged VPN access.

  • Data exfiltration for double extortion.

  • Deployment of ransomware (Akira) within hours.

  • Persistent access mechanisms, including backdoors and RMM tools.

  • Loss of backups due to shadow copy deletion.

  • Significant risk of regulatory, operational, and reputational damage.

Detection Method

Due to the suspected zero-day vulnerability in SonicWall SSL VPNs, traditional signature-based detection might be inadequate. Organizations should focus on the following to identify signs of compromise:

  • VPN Authentication Anomaly Detection: Akira actors gain access via SonicWall SSL VPN, frequently bypassing MFA and exploiting patched devices. Focus on activity from the following Autonomous Systems (ASNs) and set up alerts for successful logins, particularly when linked to dormant accounts, new locations, or unusual session durations:

    • AS23470 – ReliableSite.Net LLC.

    • AS215540 – Global Connectivity Solutions LLP.

    • AS64236 – UnReal Servers, LLC.

    • AS14315 – 1GSERVERS, LLC.

    • AS62240 – Clouvider Limited.

  • Persistence via Remote Management Tools: Threat actors use tools like AnyDesk to gain long-term access. Monitor for unexpected installations or execution of RMM tools from user-controlled paths such as %TEMP%, %APPDATA%, or %PUBLIC%, and create alerts for outbound connections initiated by these binaries.

  • Lateral Movement and Privilege Escalation: Following initial access, Akira affiliates quickly move to escalate privileges and access domain controllers. Watch for the use of LOLBins (e.g., PsExec, wmic, PowerShell) to execute commands remotely, as well as:

    • Creation of new administrative accounts

    • Modification of group memberships

    • Interactive logins to multiple systems within a short timeframe

  • Shadow Copy Tampering and Ransomware Preparation: Akira operators regularly delete backup snapshots before encryption. Log attempts to delete shadow copies or manipulate backup infrastructure by monitoring for the following command and similar variations:

    • vssadmin delete shadows /all /quiet

  • Tool-Based Staging and Exfiltration Activity: Monitor for the use of tools like Advanced_IP_Scanner, FileZilla, and WinRAR outside their normal context. Watch for any archive creation or FTP activity from unusual hosts or user sessions.

  • Unauthorized Service or Task Creation: Persistence can also be established via scheduled tasks, services, or registry autoruns. Review endpoint telemetry for suspicious service names, startup entries, and unapproved scheduled jobs configured shortly after VPN session establishment.
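The following is an added hunting example, not code from the advisory or from SonicWall. It applies the detection guidance above to constructed sample telemetry: successful SSL VPN logins are scored against the listed ASNs, account dormancy and session length, process-creation events are checked for the vssadmin shadow-copy deletion and for RMM binaries launched from user-writable paths, and endpoint findings that occur within 24 hours of a suspicious VPN login are escalated to critical, matching the "within hours" timeline the advisory describes. The event field names, the IP-to-ASN table, the dormancy threshold and the sample events are all assumptions made for the example; a real deployment must map SonicOS syslog and EDR/Sysmon fields onto them.

```python
"""Hunting rules for the SonicWall SSL VPN / Akira activity described in the advisory.

Added example; log layouts, the IP-to-ASN lookup and all sample events are constructed.
"""
from datetime import datetime, timedelta
import re

# ASNs named in the advisory's detection guidance.
SUSPECT_ASNS = {"AS23470", "AS215540", "AS64236", "AS14315", "AS62240"}

# Constructed IP-to-ASN lookup; stand-in for a real ASN/GeoIP database.
IP_TO_ASN = {
    "203.0.113.10": "AS23470",  # TEST-NET-3 address, constructed mapping
    "198.51.100.7": "AS62240",  # TEST-NET-2 address, constructed mapping
    "192.0.2.55": "AS64496",    # documentation ASN, treated as benign here
}

DORMANT_DAYS = 90            # assumption: no login in 90 days = dormant account
MAX_SESSION_MIN = 8 * 60     # assumption: sessions over 8 hours are unusual

# %TEMP%, %APPDATA% and %PUBLIC% style locations named in the advisory (lower-case fragments).
USER_PATHS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}

# Matches "vssadmin delete shadows" regardless of switch order or casing.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def check_vpn_login(event, last_seen, now):
    """Return the reasons a successful VPN login looks anomalous (empty list if none)."""
    reasons = []
    asn = IP_TO_ASN.get(event["src_ip"], "unknown")
    if asn in SUSPECT_ASNS:
        reasons.append(f"source ASN {asn} is listed in the advisory")
    prev = last_seen.get(event["user"])
    if prev is None or now - prev > timedelta(days=DORMANT_DAYS):
        reasons.append("dormant or never-seen account")
    if event.get("duration_min", 0) > MAX_SESSION_MIN:
        reasons.append("unusually long session")
    return reasons


def check_process(event):
    """Return the reasons a process-creation event matches the advisory's patterns."""
    reasons = []
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if VSSADMIN_RE.search(event.get("cmdline", "")):
        reasons.append("shadow copy deletion via vssadmin")
    if name in RMM_BINARIES and any(p in image for p in USER_PATHS):
        reasons.append(f"RMM binary {name} executed from a user-writable path")
    return reasons


def hunt(vpn_events, process_events, last_seen, window=timedelta(hours=24)):
    """Score VPN logins, then raise endpoint findings that follow a suspicious login."""
    alerts, suspicious_logins = [], []
    for ev in vpn_events:
        if ev["result"] != "success":
            continue
        reasons = check_vpn_login(ev, last_seen, ev["time"])
        if reasons:
            suspicious_logins.append(ev)
            alerts.append({"severity": "medium", "kind": "vpn", "user": ev["user"], "reasons": reasons})
    for ev in process_events:
        reasons = check_process(ev)
        if not reasons:
            continue
        # Endpoint activity inside the window after a suspicious VPN login is escalated.
        followed = any(timedelta(0) <= ev["time"] - login["time"] <= window for login in suspicious_logins)
        alerts.append({"severity": "critical" if followed else "high", "kind": "endpoint",
                       "host": ev["host"], "reasons": reasons})
    return alerts


# Constructed sample telemetry.
T0 = datetime(2025, 7, 15, 2, 0)
LAST_SEEN = {"svc_backup": T0 - timedelta(days=200), "jdoe": T0 - timedelta(days=1)}
VPN_EVENTS = [
    {"time": T0, "user": "svc_backup", "src_ip": "203.0.113.10", "result": "success", "duration_min": 30},
    {"time": T0 + timedelta(hours=1), "user": "jdoe", "src_ip": "192.0.2.55", "result": "success", "duration_min": 45},
]
PROCESS_EVENTS = [
    {"time": T0 + timedelta(hours=3), "host": "DC01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": T0 + timedelta(hours=2), "host": "WS07", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
    {"time": T0 + timedelta(hours=1), "host": "WS07", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for alert in hunt(VPN_EVENTS, PROCESS_EVENTS, LAST_SEEN):
        print(alert)
```

On the sample data the run produces three alerts: a medium VPN alert for the dormant service account logging in from a listed ASN, and two critical endpoint alerts (the vssadmin deletion on DC01 and AnyDesk running from AppData) because both fall within 24 hours of that login; the AnyDesk instance under Program Files and the routine login by jdoe produce nothing. The correlation window is the part worth tuning: a shorter window reduces noise, but the advisory's timeline shows encryption can follow initial access within hours, so the window should at least cover a working day.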

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.


Recommendations

  • Restrict SSL VPN Exposure: Immediately disable SonicWall SSL VPN access unless required. Where required, enforce strict IP whitelisting and monitor for anomalous login attempts originating from VPS infrastructure.

  • Audit VPN and Privileged Account Activity: Review authentication logs for unusual access patterns, such as logins from unfamiliar IP addresses or legacy accounts.

  • Harden SonicWall Firewall Configurations: Remove inactive or local accounts with VPN access, enable Botnet Protection and Geo-IP filtering, and enforce least privilege principles on firewall rules and user roles.

  • Monitor for Lateral Movement and Persistence: Deploy EDR tools to detect misuse of legitimate tools like PsExec, PowerShell, and RMM platforms, and hunt for rogue services, scheduled tasks, or unauthorized administrator accounts created during the intrusion window.

  • Isolate and Protect Critical Assets: Limit access to domain controllers and internal management networks. Restrict administrative sessions to hardened jump hosts and monitor internal traffic for unusual authentication patterns.

  • Review Backup Integrity and Shadow Copy Deletion: Ensure backups are stored offline or on immutable infrastructure. Monitor for volume shadow copy deletion events and set up alerts for ransomware pre-encryption activities.

Conclusion

This Akira ransomware campaign demonstrates a high-confidence bypass of existing VPN hardening measures, including patching, MFA, and credential rotation. Several cybersecurity sources have issued guidance on implementing compensating controls and reducing VPN exposure. Taking immediate steps such as restricting VPN access, enhancing visibility, and searching for signs of compromise is essential if organizations are to protect themselves until a patch is released.
