Akira Ransomware Group Utilizing SonicWall Devices for Initial Access


Latest update – September 18, 2025

On September 17, 2025, SonicWall disclosed a security breach affecting all SonicWall customers with MySonicWall.com cloud backups enabled. SonicWall detected suspicious activity targeting MySonicWall.com, through which threat actors were able to access backup firewall preference files. These files can give threat actors critical information, such as credentials or tokens, along with every service and configuration setting on the firewall.

If your organization uses MySonicWall, it is recommended you log in to validate whether or not your SonicWall is affected. If it is affected, Rapid7 recommends following SonicWall's remediation playbook as well as its credential reset guidance. This covers every password- or token-protected service, including but not limited to:

  • Complete password reset of local accounts 

  • Rotation of all TOTP/MFA tokens

  • Resetting of LDAP password and rebinding

  • Resetting any site-to-site VPN tunnels (L2TP, PPPoE, PPTP)

  • Radius or TACACS+ passwords

  • SSO 

  • AWS API

More information about the SonicWall security advisory and the Akira ransomware can be found in our original blog below.


Background activity

In August 2024, SonicWall published security advisory SNWLID-2024-0015 for an improper access control vulnerability in SSLVPN affecting Gen5, Gen6, and Gen7 firewall appliances. Under specific conditions, this vulnerability allowed unauthorized access to the appliance. It has since been addressed and SonicWall has provided patches.

An expanding threat

Last month, an Akira ransomware campaign began targeting SonicWall devices, and SonicWall followed up with a security advisory. Initially this was believed to be a newly emerging threat, but SonicWall has since disclosed that it relates to the August 2024 vulnerability (SNWLID-2024-0015) on devices where the remediation steps had not been fully completed. Rapid7 responded by sending emergent threat communications to our customers alerting them to this threat and advising them to prioritize patching. Since then, the Rapid7 Incident Response (IR) team has observed an uptick in intrusions involving SonicWall appliances.

Following its initial communication last month, SonicWall posted additional security guidance around the SSLVPN Default Users Group security risk. In certain configurations, the default LDAP group settings can over-provision access to SonicWall's SSLVPN services: users who are not permitted to use SSLVPN can still obtain access to it, irrespective of how their Active Directory groups are configured.
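The following is an added example, not code from Rapid7 or SonicWall, that models the over-provisioning path described above so that a reviewer can see which accounts gain SSLVPN only through the default group. The evaluation rule is an assumption modelled on the advisory's description (every LDAP-authenticated user is additionally placed in the configured default group, and SSLVPN is granted to members of the local SSLVPN Services group); the users, group names and both configurations are constructed, and the hardened configuration is shown beside the weak one.

```python
"""Model of SSLVPN access granted via a default LDAP group (added example).

ASSUMED rule, modelled on the advisory text rather than taken from SonicWall's
implementation: an LDAP user's effective groups are the AD groups that have
been imported onto the appliance, plus the configured default group for all
LDAP users.  SSLVPN is granted when any effective group is a member of the
local "SSLVPN Services" group.  All names below are constructed.
"""

def effective_groups(user_ad_groups, imported_groups, default_group):
    """Groups the appliance would treat the user as belonging to."""
    matched = {g for g in user_ad_groups if g in imported_groups}
    return matched | {default_group}


def sslvpn_overprovisioned(users, imported_groups, default_group, sslvpn_members):
    """Return {user: sorted AD groups} for users whose only path to SSLVPN is
    the default group, i.e. access that AD group membership never granted."""
    flagged = {}
    for user, ad_groups in users.items():
        eff = effective_groups(ad_groups, imported_groups, default_group)
        # Access explicitly granted through an imported AD group.
        via_policy = any(g in sslvpn_members for g in eff if g != default_group)
        # Access granted only because the default group sits in SSLVPN Services.
        via_default = default_group in sslvpn_members
        if via_default and not via_policy:
            flagged[user] = sorted(ad_groups)
    return flagged


# Constructed directory data: only VPN-Users is meant to reach the VPN.
USERS = {
    "alice": ["VPN-Users", "Finance"],
    "bob": ["Marketing"],
    "carol": ["Finance"],
}
IMPORTED_GROUPS = {"VPN-Users", "Finance"}

# Weak configuration: the default LDAP user group is itself a member of
# SSLVPN Services, so every LDAP user inherits VPN access.
WEAK_CONFIG = {
    "default_group": "Everyone",
    "sslvpn_members": {"VPN-Users", "Everyone"},
}

# Hardened configuration: the default group carries no VPN entitlement;
# only the explicitly imported VPN-Users group is in SSLVPN Services.
HARDENED_CONFIG = {
    "default_group": "Trusted Users",
    "sslvpn_members": {"VPN-Users"},
}


def audit(config):
    """Run the over-provisioning check against one configuration."""
    return sslvpn_overprovisioned(
        USERS, IMPORTED_GROUPS, config["default_group"], config["sslvpn_members"]
    )


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: over-provisioned = {audit(cfg)}")
```

Under the weak configuration the check flags bob and carol, neither of whom is in VPN-Users, while alice is unaffected because her access comes from an imported group; under the hardened configuration nothing is flagged. The same function can be pointed at a real export of users and groups once the appliance's actual group-mapping rule is confirmed.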

Rapid7 has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances. The Virtual Office Portal can be used to perform the initial MFA/TOTP setup for SSLVPN users. In certain default configurations the portal is publicly accessible, which can allow threat actors who already hold an exposed username and password to enroll MFA/TOTP for that valid account themselves.

Evidence collected during Rapid7’s investigations suggests that the Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations. 

What you should do now

If your organization’s network infrastructure includes SonicWall devices, Rapid7 recommends the following:

  • Rotate passwords on all SonicWall local accounts and remove any unused or inactive SonicWall local accounts. Please reference SonicWall’s official security advisory guidance.

  • Ensure Multi-factor Authentication (MFA/TOTP) policies are configured for SonicWall SSLVPN services. Please reference SonicWall’s official security guidance.

  • Ensure the SSLVPN Default Groups security risk has been successfully mitigated. Please reference SonicWall’s official security guidance.

  • Ensure the Virtual Office Portal is restricted to LAN/internal access or trusted network access only. Please reference SonicWall’s official security guidance.

  • Ensure all SonicWall appliances are running on the latest patch. Please reference SonicWall’s vulnerability list.

Observed Akira ransomware group activity

The Akira ransomware group has been active since early 2023 and operates under a ransomware-as-a-service (RaaS) model. The group is known to aggressively target edge devices, deploy ransomware to disrupt the business, and gather sensitive data. Rapid7 has observed that this ongoing campaign against SonicWall devices is consistent with previous activity attributed to Akira.

The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level.

Because of this, Rapid7 recommends reviewing security posture around the targeted components:

  • Local/site backups should be logically segmented, an MFA requirement should be in place to access cloud or site backups, and backups should be immutable.

  • All virtualization infrastructure should be running the most up-to-date firmware/software to prevent any bypass of security controls.

  • Elevated accounts and service accounts should be placed in an Active Directory restricted group enforced through Group Policy, to avoid elevated credential sprawl.

  • Achieve visibility across the environment by deploying security tools to all assets and forwarding relevant log sources to a SIEM.
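As an added example (not Rapid7's or SonicWall's code), the script below shows the kind of review a SIEM rule can perform once SonicWall logs are being forwarded, covering the first two stages of the attack flow described above: SSLVPN logins from a source never seen for that account, service accounts logging in through SSLVPN, and a successful login to the appliance from the WAN. The log lines are constructed in the key=value style SonicWall appliances use for syslog; the exact field names (`msg`, `usr`, `src`, `time`), the message texts, the `svc-` naming convention and the baseline of known source addresses are assumptions that should be adjusted to your firmware's actual export.

```python
"""Review of forwarded SonicWall-style SSLVPN logs (added example).

ASSUMPTIONS: field names, message strings and the service-account prefix
are modelled on SonicWall's key=value syslog format but are not verified
against any firmware; SAMPLE_LOGS and BASELINE are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = """\
id=firewall sn=CONSTRUCTED0001 time="2025-09-10 08:02:11" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.23 dst=203.0.113.10
id=firewall sn=CONSTRUCTED0001 time="2025-09-10 08:05:40" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="mlee" src=198.51.100.77 dst=203.0.113.10
id=firewall sn=CONSTRUCTED0001 time="2025-09-10 22:41:03" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="svc-backup" src=192.0.2.200 dst=203.0.113.10
id=firewall sn=CONSTRUCTED0001 time="2025-09-10 22:43:19" fw=203.0.113.10 pri=5 msg="User login from WAN" usr="admin" src=192.0.2.200 dst=203.0.113.10
id=firewall sn=CONSTRUCTED0001 time="2025-09-11 09:00:00" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.23 dst=203.0.113.10
"""

# Constructed baseline: source addresses each account normally connects from,
# e.g. built from the previous 30 days of successful logins.
BASELINE = {
    "jsmith": {"198.51.100.23"},
    "mlee": {"198.51.100.77"},
}

SSLVPN_LOGIN_MSG = "SSL VPN zone remote user login allowed"   # assumed text
SERVICE_ACCOUNT_PREFIXES = ("svc-",)                           # assumed convention

# key=value pairs; values may be quoted (group 3) or bare (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


@dataclass
class Finding:
    rule: str
    user: str
    src: str
    time: str


def detect(log_text, baseline, service_prefixes=SERVICE_ACCOUNT_PREFIXES):
    """Apply three review rules and return the findings in log order."""
    findings = []
    seen = defaultdict(set)  # sources already observed per user in this run
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        msg, usr = ev.get("msg", ""), ev.get("usr", "")
        src, when = ev.get("src", ""), ev.get("time", "")
        if msg == SSLVPN_LOGIN_MSG:
            # Rule 1: SSLVPN login from a source never seen for this account.
            if src not in (baseline.get(usr, set()) | seen[usr]):
                findings.append(Finding("sslvpn-new-source", usr, src, when))
            seen[usr].add(src)
            # Rule 2: service accounts should not be interactive VPN users.
            if usr.startswith(service_prefixes):
                findings.append(Finding("sslvpn-service-account", usr, src, when))
        elif "login from WAN" in msg:
            # Rule 3: appliance login reached from the WAN side.
            findings.append(Finding("wan-admin-login", usr, src, when))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS, BASELINE):
        print(f"{f.time} {f.rule:24} user={f.user} src={f.src}")
```

On the constructed input the script raises three findings, all from the same source address: the `svc-backup` account appearing over SSLVPN from an unknown IP, that login being a service account, and an `admin` login from the WAN two minutes later. Correlating those three on one source is the sort of rule worth keeping in the SIEM after the logs are forwarded.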

How Rapid7 is supporting customers

The Rapid7 MDR team is continually monitoring our customers’ environments for post-exploitation activity using the latest threat detections. As mentioned above, Rapid7 has been sending direct communications to all customers, and we will continue to send these customer updates should more insights and/or guidance become available. 

Customers leveraging Rapid7’s Intelligence Hub can also track the latest developments surrounding Akira, including indicators of compromise (IOCs), Yara rules and emerging TTPs.
