
Threat actors belonging to the Akira ransomware group continue to target SonicWall devices for initial access.
Cybersecurity company Rapid7 said it observed a surge in intrusions involving SonicWall appliances over the past month, in particular reports of renewed Akira ransomware activity since late July 2025.
SonicWall subsequently revealed that the SSL VPN activity targeting its firewalls was linked to a year-old security flaw (CVE-2024-40766, CVSS score: 9.3).
“We are observing an increase in threat activity from actors trying to enhance user qualifications,” the company said. “To mitigate risk, customers must block known threat actors and enable botnet filtering to ensure that account lockout policies are enabled.”

SonicWall also encourages users to check the LDAP SSL VPN default user group, which it describes as a “critical weakness” in the context of Akira ransomware attacks if it is misconfigured:
This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of the user's actual group membership in Active Directory. If that default group has access to sensitive services such as SSL VPN, management interfaces, or unrestricted network zones, a compromised AD account immediately inherits those permissions, even if it has no legitimate need for them.
This effectively bypasses the intended AD group-based access control, giving an attacker a direct path through the network perimeter as soon as valid credentials are obtained.
In its alert, Rapid7 also observed threat actors accessing the Virtual Office portal hosted on the SonicWall appliance. Certain default configurations leave this portal publicly reachable, which allows attackers to configure MFA/TOTP themselves on accounts they have compromised.
“The Akira group may use a combination of all three of these security risks to gain unauthorized access and carry out ransomware operations,” it said.
To mitigate risk, organizations are advised to rotate the passwords of all SonicWall local accounts, delete unused or inactive SonicWall local accounts, configure MFA/TOTP policies, and restrict Virtual Office portal access to internal networks.
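The two configuration problems described above, the LDAP default user group inheriting sensitive services and stale local accounts without MFA/TOTP, can be checked mechanically. The following is an added audit example written for this page; it is not SonicWall's, Rapid7's, or Akira-related code. The firewall settings, AD group memberships, local-account records and the field names they use are constructed assumptions standing in for whatever export a given environment provides.

```python
"""Audit model for the SonicWall issues described above (added example).

All data below is constructed for illustration; the dictionary shapes are
assumptions, not a real SonicWall configuration export format.
"""
from datetime import date, timedelta

# Constructed appliance settings: the default group assigned to every
# successful LDAP login, and which services each local group may reach.
FIREWALL = {
    "ldap_default_user_group": "Trusted Users",
    "group_services": {
        "Trusted Users": {"SSLVPN", "Management"},  # weak: default group is privileged
        "VPN-Users": {"SSLVPN"},                     # AD group intended to grant VPN
    },
    "virtual_office_public": True,  # weak: portal reachable from the Internet
}

# Constructed AD users and the groups they actually hold in Active Directory.
AD_USERS = {
    "alice": {"Domain Users", "VPN-Users"},
    "bob": {"Domain Users"},
    "svc-backup": {"Domain Users", "Service Accounts"},
}

# AD groups that are supposed to be the only path to SSL VPN access.
INTENDED_VPN_GROUPS = {"VPN-Users"}

# Constructed local (non-LDAP) accounts on the appliance.
LOCAL_ACCOUNTS = [
    {"name": "admin", "last_login": date(2025, 8, 20), "totp_enabled": True},
    {"name": "contractor1", "last_login": date(2025, 2, 1), "totp_enabled": False},
    {"name": "vpn-test", "last_login": None, "totp_enabled": False},
]
AUDIT_DATE = date(2025, 9, 1)  # constructed "today" for the stale-account check


def effective_services(user, firewall=FIREWALL, ad_users=AD_USERS):
    """Services an LDAP user reaches after authenticating: the union of the
    services mapped to their real AD groups and to the default user group,
    which the appliance adds to every successful LDAP login."""
    groups = set(ad_users[user])
    default = firewall.get("ldap_default_user_group")
    if default:
        groups.add(default)
    services = set()
    for g in groups:
        services |= firewall["group_services"].get(g, set())
    return services


def default_group_bypasses(firewall=FIREWALL, ad_users=AD_USERS,
                           intended=INTENDED_VPN_GROUPS):
    """Users who can reach SSL VPN although they hold none of the AD groups
    meant to grant it; this is exactly the bypass the advisory describes."""
    return sorted(u for u in ad_users
                  if "SSLVPN" in effective_services(u, firewall, ad_users)
                  and not (ad_users[u] & intended))


def hardened_config(firewall):
    """Copy of the config where the default LDAP group grants no services,
    so access depends only on real AD group membership."""
    fixed = dict(firewall, group_services=dict(firewall["group_services"]))
    default = fixed.get("ldap_default_user_group")
    if default:
        fixed["group_services"][default] = set()
    fixed["virtual_office_public"] = False
    return fixed


def local_account_findings(accounts, today=AUDIT_DATE, stale_days=90):
    """Flag local accounts that are inactive or lack MFA/TOTP."""
    findings = []
    for a in accounts:
        last = a["last_login"]
        if last is None or today - last > timedelta(days=stale_days):
            findings.append((a["name"], "inactive: remove or disable"))
        if not a["totp_enabled"]:
            findings.append((a["name"], "no MFA/TOTP"))
    return findings


if __name__ == "__main__":
    print("SSLVPN via default group only:", default_group_bypasses())
    print("after hardening:", default_group_bypasses(hardened_config(FIREWALL)))
    print("Virtual Office public:", FIREWALL["virtual_office_public"])
    for name, issue in local_account_findings(LOCAL_ACCOUNTS):
        print(f"local account {name}: {issue}")
```

Run against the constructed data, the audit reports that `bob` and `svc-backup` reach SSL VPN solely through the default group, that the same users lose that access once the default group grants no services, and that `contractor1` and `vpn-test` are both stale and unprotected by TOTP. The same structure applies to a real export once the loaders for the appliance's and directory's actual formats are substituted.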
Akira’s targeting of SonicWall SSL VPNs has also been echoed by the Australian Cyber Security Centre (ACSC), which acknowledged that ransomware gangs are aware of vulnerable Australian organizations through these devices.
Since its debut in March 2023, Akira has been a persistent presence in the ransomware threat landscape, claiming 967 victims so far, according to data from Ransomware.live. According to statistics shared by Cyfirma, Akira accounted for 40 attacks in July 2025, making it the third most active group after Qilin and INC Ransom.
Of the 657 ransomware attacks affecting industrial entities around the world flagged in Q2 2025, the Qilin, Akira and Play ransomware families occupied the top three spots with 101, 79 and 75 incidents respectively.
“Akira has maintained substantial activity with consistent targeting in the manufacturing and transportation sectors through the deployment of sophisticated phishing and multi-platform ransomware,” industrial cybersecurity firm Dragos said in a report released last month.
Recent Akira ransomware infections have also been observed leveraging search engine optimization (SEO) poisoning to deliver trojanized installers for popular IT management tools, which then drop the Bumblebee malware loader.

The attacks use Bumblebee as a conduit for delivering the AdaptixC2 post-exploitation and adversary emulation framework, and install RustDesk for persistent remote access, followed by data exfiltration and ransomware deployment.
According to Palo Alto Networks Unit 42, the multipurpose and modular nature of AdaptixC2 allows threat actors to execute commands, transfer files, and exfiltrate data from infected systems. The fact that it is also open source means that adversaries can customize it to suit their needs.
According to the cybersecurity company, other campaigns propagating AdaptixC2 use Microsoft Teams calls to trick unsuspecting users into running PowerShell scripts that enable remote access via Quick Assist and load shellcode payloads into memory.
“The Akira ransomware group follows a standard attack flow: gain initial access through the SSL VPN component, escalate privileges, find and steal sensitive files from network shares or file servers, delete or stop backups, and deploy ransomware at the hypervisor level.”