Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access.
Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025.
SonicWall subsequently revealed the SSL VPN activity aimed at its firewalls involved a year-old security flaw (CVE-2024-40766, CVSS score: 9.3) where local user passwords were carried over during the migration and not reset.
“We are observing increased threat activity from actors attempting to brute-force user credentials,” the company noted. “To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.”
SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a “critical weak point” if misconfigured in the context of an Akira ransomware attack —
This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.
This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.
Rapid7, in its alert, said it has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, can facilitate public access and enable attackers to configure mMFA/TOTP with valid accounts, assuming there is a prior credential exposure.
“The Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” it said.
The cybersecurity vendor told The Hacker news that it has responded to a growing number of customer incidents arising from one or more of the three threats since July, and that it’s now well into the double digits.
“This represents a large increase over the past quarter in terms of SonicWall-based attacks,” Rapid7 said. “In addition, the fact that a specific ransomware group is exploiting these vulnerabilities is cause for concern, but also an opportunity to raise awareness of their IOCs and TTPs to proactively alert security teams.”
To mitigate the risk, organizations are advised to rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA/TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.
Akira’s targeting of SonicWall SSL VPNs has also been echoed by the Australian Cyber Security Centre (ACSC), which acknowledged it’s aware of the ransomware gang striking vulnerable Australian organizations through the devices.
Since its debut in March 2023, Akira has been a persistent threat in the ransomware threat landscape, claiming 967 victims to date, as per information from Ransomware.Live. According to statistics shared by CYFIRMA, Akira accounted for 40 attacks in the month of July 2025, making it the third most active group after Qilin and INC Ransom.
Of the 657 ransomware attacks impacting industrial entities worldwide flagged in Q2 2025, Qilin, Akira, and Play ransomware families took the top three slots, each reporting 101, 79, and 75 incidents, respectively.
Akira maintained “substantial activity with consistent targeting of manufacturing and transportation sectors through sophisticated phishing and multi-platform ransomware deployments,” industrial cybersecurity company Dragos said in a report published last month.
Recent Akira ransomware infections have also leveraged search engine optimization (SEO) poisoning techniques to deliver trojanized installers for popular IT management tools, which are then used to drop the Bumblebee malware loader.
The attacks then utilize Bumblebee as a conduit to distribute the AdaptixC2 post-exploitation and adversarial emulation framework, install RustDesk for persistent remote access, exfiltrate data, and deploy the ransomware.
According to Palo Alto Networks Unit 42, the versatile and modular nature of AdaptixC2 can allow threat actors to execute commands, transfer files, and perform data exfiltration on infected systems. The fact that it’s also open-source means it can be customized by adversaries to fit their needs.
Other campaigns propagating AdaptixC2, the cybersecurity company said, have used Microsoft Teams calls mimicking IT help desk to trick unsuspecting users into granting them remote access via Quick Assist and drop a PowerShell script that decrypts and loads into memory the shellcode payload.
“The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level,” Rapid7 said.
