1. Executive Summary
A cluster of ransomware intrusions attributed to Akira affiliates surged in late July 2025, with defenders reporting initial access via SonicWall Gen 7 (and newer) firewalls where SSLVPN was exposed. According to SonicWall, the activity is not a new zero-day, but shows a “significant correlation” with CVE-2024-40766 and—critically—Gen 6 → Gen 7 migrations where local user passwords were carried over and not reset. (SonicWall notice: Gen 7 SSLVPN recent threat activity)
CVE-2024-40766 is a SonicOS improper access control issue that can enable unauthorised resource access under certain conditions and has been tracked as known-exploited by government and industry reporting since 2024. (SonicWall advisory SNWLID-2024-0015, NVD, CISA KEV add (9 Sep 2024))
Operationally, the highest-risk profile is: publicly reachable SSLVPN, local accounts reused from Gen 6, and insufficient lockout/MFA hardening, followed by rapid post-access actions including domain enumeration, data staging/exfiltration tooling, log clearing, and shadow copy deletion consistent with ransomware playbooks. (Huntress advisory, Arctic Wolf bulletin)
2. Contextual Background
2.1 Nature of the threat
- CVE-2024-40766: Improper access control affecting SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorised access and, in some conditions, device instability/crash. (SonicWall advisory SNWLID-2024-0015, NVD, Rapid7 analysis)
- Migration-linked exposure: SonicWall states many incidents relate to Gen 6 → Gen 7 migrations where local passwords were carried over and not reset, making brute force/MFA pressure more feasible and credential compromise more likely. (SonicWall notice, NHS England cyber alert)
Note on characterisation: public vendor/government reporting frames the issue as improper access control combined with credential/password carry-over risk, not solely “improper password handling”. The password aspect is highlighted as an incident correlate and a mitigation priority in migration cases. (SonicWall notice, Cyber Centre Canada alert)
2.2 Threat-actor attribution
- Akira is assessed as a ransomware operation with affiliate-driven intrusions. In this cluster, multiple responders explicitly associate the activity with Akira ransomware deployment, but initial access specifics were initially debated as “likely zero-day” before SonicWall’s correlation to CVE-2024-40766.
- Confidence (NATO/Admiralty): Likely (vendor + multiple responder reporting aligns on Akira deployments; initial-access mechanism can vary by victim). (Arctic Wolf bulletin, Huntress advisory, SonicWall notice)
- For broader Akira tradecraft and IR recommendations, refer to the joint government advisory: (CISA/FBI #StopRansomware: Akira)
2.3 Sector and geographic targeting
Public reporting does not restrict targeting to a single vertical; the pattern is consistent with opportunistic access via exposed edge devices affecting organisations with internet-facing SSLVPN. Government and industry alerts (UK and Canada) highlight the cross-sector nature of impacted organisations. (NHS England cyber alert, Cyber Centre Canada alert)
3. Technical Analysis
3.1 Vulnerability and observed TTPs (mapped to MITRE ATT&CK)
The following behaviours are directly described in responder reporting for this cluster:
- Initial access
  - Exploitation/abuse of internet-facing VPN/edge services consistent with Exploit Public-Facing Application: T1190 and/or Valid Accounts: T1078 (credential carry-over, brute force/MFA pressure). (SonicWall notice, Arctic Wolf bulletin)
  - Increased brute-force feasibility and mitigation emphasis (account lockout, updated firmware protections): Brute Force T1110. (SonicWall notice)
- Discovery / enumeration
  - Use of scanners and built-in tools (e.g., `nltest`, `net group "Domain admins" /dom`, AD PowerShell): Remote System Discovery T1018, Account Discovery T1087, Domain Trust Discovery T1482. (Huntress advisory)
- Lateral movement enablement / persistence
  - Opening RDP firewall rules / enabling remote access: Remote Services T1021 (incl. T1021.001 RDP). (Huntress advisory)
  - Installing OpenSSH server and remote tools (AnyDesk/ScreenConnect noted): Remote Services T1021, Ingress Tool Transfer T1105. (Huntress advisory)
- Collection / staging / exfiltration
  - WinRAR usage for staging and FileZilla `fzsftp.exe` visibility: Archive Collected Data T1560, Exfiltration Over Alternative Protocol T1048. (Huntress advisory)
- Defence evasion / impact preparation
  - Event log clearing via PowerShell: Clear Windows Event Logs T1070.001. (Huntress advisory)
  - Shadow copy deletion (`vssadmin delete shadows /all /quiet`): Inhibit System Recovery T1490. (Huntress advisory)
3.2 Exploitation status and PoC considerations
- Known exploited: CISA added CVE-2024-40766 to its Known Exploited Vulnerabilities (KEV) catalogue in September 2024, indicating confirmed exploitation. (CISA KEV add (9 Sep 2024), CISA KEV catalogue entry)
- 2025 wave: SonicWall reports fewer than 40 incidents under investigation and ties many to migration password carry-over, recommending password resets and an update to SonicOS 7.3 for improved protections. (SonicWall notice)
- Responder view (late July–early Aug 2025): Arctic Wolf reports uptick beginning as early as 22 July 2025 and notes initial access was not “definitively confirmed” at the time, prior to SonicWall’s CVE correlation statement. (Arctic Wolf bulletin)
4. Impact Assessment
4.1 Severity and scope
- CVSS (as published via NVD): Refer to NVD for the current scoring and vector for CVE-2024-40766 (scores have varied across secondary reporting; NVD should be treated as the primary reference).
- Operational impact: Successful access via SSLVPN commonly precedes rapid compromise of core identity infrastructure; Huntress reports adversaries pivoting “directly to domain controllers within hours” in their incident set. (Huntress advisory)
4.2 Victim profile
- Exposed edge/VPN infrastructure: Gen 7 (and newer) SonicWall firewalls with SSLVPN enabled, especially where local users were migrated and credentials were not rotated. (SonicWall notice, NHS England cyber alert)
5. Indicators of Compromise (IOCs)
5.1 IOC table (source-attributed)
Note: IPs/ASNs in these reports are often VPS or privacy infrastructure and are not inherently malicious outside the context of suspicious VPN authentication or post-compromise traffic patterns. (Arctic Wolf bulletin)
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| IP | 45.86.208[.]240 | “Attacker IP” (seen in intrusions originating from SonicWall Gen 7 SSLVPN cluster) | Huntress advisory |
| IP | 77.247.126[.]239 | “Attacker IP”; also appears in hosting/ASN listings tied to observed activity | Huntress advisory / Arctic Wolf bulletin |
| IP | 104.238.205[.]105 | “Attacker IP” | Huntress advisory |
| IP | 193.239.236[.]149 | “Attacker IP” (also listed by Arctic Wolf as VPN client IP in campaign telemetry) | Huntress advisory / Arctic Wolf bulletin |
| SHA-256 | d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d | w.exe ransomware executable hash (as reported) | Huntress advisory |
| SHA-256 | 1b153070934033deace7f04e77a72abe4e7e259271f885e25d81dc6337a9313d | win.exe ransomware executable hash (as reported) | Huntress advisory |
| File path | C:\ProgramData\OpenSSHa.msi | OpenSSH installer observed | Huntress advisory |
| File path | C:\programdata\ssh\cloudflared.exe | Cloudflared executable observed | Huntress advisory |
5.2 Detection guidance (practical and source-aligned)
VPN / edge telemetry
- Alert on SSLVPN authentications from VPS ASNs or geographies inconsistent with your user base; Arctic Wolf explicitly notes ransomware logins often originate from VPS providers rather than residential ISPs. (Arctic Wolf bulletin)
- Monitor for credential stuffing / brute force indicators (bursts of failed logins, lockouts, MFA fatigue patterns) and enforce lockout policies per SonicWall guidance. (SonicWall notice)
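The two VPN-telemetry checks above, implemented as an added example that is not part of the original report or of any cited vendor's guidance. The log format is a simplified constructed key=value syslog shape (real SonicWall fields differ and must be mapped into the same dict layout), the prefix-to-infrastructure table and the expected-country set are constructed placeholders rather than real whois/ASN data, and the thresholds are illustrative. The first source address is the report's IOC 45.86.208[.]240 with the defanging removed; the other addresses are RFC 5737 documentation ranges.

```python
"""SSLVPN authentication telemetry detectors (added example, constructed data).
Assumed: simplified log format, placeholder infrastructure table, illustrative
thresholds. Map real firewall syslog fields into the same dict shape first.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a failure burst followed by a success from the report's
# IOC address, a normal login, and one stray failure that stays below threshold.
SAMPLE_LOG = """\
2025-07-28T02:10:01Z event=sslvpn_auth result=fail user=jsmith src=45.86.208.240
2025-07-28T02:10:03Z event=sslvpn_auth result=fail user=jsmith src=45.86.208.240
2025-07-28T02:10:05Z event=sslvpn_auth result=fail user=jsmith src=45.86.208.240
2025-07-28T02:10:07Z event=sslvpn_auth result=fail user=jsmith src=45.86.208.240
2025-07-28T02:10:09Z event=sslvpn_auth result=fail user=jsmith src=45.86.208.240
2025-07-28T02:10:11Z event=sslvpn_auth result=success user=jsmith src=45.86.208.240
2025-07-28T08:15:00Z event=sslvpn_auth result=success user=mlee src=203.0.113.25
2025-07-28T09:00:00Z event=sslvpn_auth result=fail user=admin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=sslvpn_auth result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed enrichment table: prefix -> (infrastructure class, country code).
# Placeholder labels only; not real whois/ASN data for these ranges.
INFRA_TABLE = {
    ipaddress.ip_network("45.86.208.0/24"): ("hosting", "ZZ"),
    ipaddress.ip_network("198.51.100.0/24"): ("hosting", "ZZ"),
    ipaddress.ip_network("203.0.113.0/24"): ("residential", "GB"),
}
EXPECTED_COUNTRIES = {"GB"}  # constructed: where this workforce normally connects from


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse a log blob, keeping well-formed lines in file (time) order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def enrich(src):
    """Classify a source address with the constructed prefix table."""
    addr = ipaddress.ip_address(src)
    for net, meta in INFRA_TABLE.items():
        if addr in net:
            return meta
    return ("unknown", "??")


def _expire(queue, now, window):
    """Drop timestamps older than `window` from the front of a time-ordered list."""
    while queue and now - queue[0] > window:
        queue.pop(0)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src, count) for each pair reaching `threshold` failures inside `window`."""
    fails, hits = defaultdict(list), {}
    for e in events:
        if e["result"] != "fail":
            continue
        key = (e["user"], e["src"])
        fails[key].append(e["ts"])
        _expire(fails[key], e["ts"], window)
        if len(fails[key]) >= threshold:
            hits[key] = len(fails[key])
    return [(u, s, c) for (u, s), c in hits.items()]


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Successful login preceded by >= min_failures recent failures for the same pair."""
    recent, hits = defaultdict(list), []
    for e in events:
        key = (e["user"], e["src"])
        _expire(recent[key], e["ts"], window)
        if e["result"] == "fail":
            recent[key].append(e["ts"])
        elif e["result"] == "success" and len(recent[key]) >= min_failures:
            hits.append((e["user"], e["src"], len(recent[key])))
    return hits


def detect_anomalous_success(events):
    """Successful logins from hosting/VPS ranges or from unexpected countries."""
    hits = []
    for e in events:
        infra, country = enrich(e["src"])
        reasons = (["hosting/VPS range"] if infra == "hosting" else []) + \
                  ([] if country in EXPECTED_COUNTRIES else ["unexpected geography " + country])
        if e["result"] == "success" and reasons:
            hits.append((e["user"], e["src"], reasons))
    return hits
```

Run `parse_log(SAMPLE_LOG)` and pass the result to each detector; the first two functions fire on the `jsmith` burst, and the third flags the same session because it succeeds from a hosting range outside the expected geography. The failure-then-success detector is the one worth the most tuning effort, since a burst that ends in a success is exactly the pattern a carried-over weak password produces.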
Endpoint / server telemetry (Windows)
- Shadow copy deletion: match `vssadmin delete shadows /all /quiet` (explicitly observed). (Huntress advisory)
  - Public Sigma: SigmaHQ rule for shadow copy deletion via OS utilities
- Event log clearing via PowerShell / utilities (explicitly observed). (Huntress advisory)
- Cloudflared execution from non-standard locations (explicit file path observed). (Huntress advisory)
  - Public Sigma (cloudflared tunnels): Cloudflared tunnel execution detection
6. Incident Response Guidance
6.1 Containment, eradication, recovery
Prioritise these actions in order (adapt to your change-control constraints):
- Disable SSLVPN where feasible (both Arctic Wolf and Huntress highlight this as the most reliable risk eliminator during the wave). (Arctic Wolf bulletin, Huntress advisory)
- If SSLVPN must remain enabled, restrict by IP allow-list and reduce exposure surface immediately. (Huntress advisory)
- Upgrade SonicOS to a current fixed build and apply SonicWall’s 2025 hardening guidance (SonicWall calls out SonicOS 7.3 for enhanced protections). (SonicWall notice)
- Rotate/reset all local SSLVPN-capable account passwords, especially migrated accounts from Gen 6 → Gen 7; extend rotation to directory accounts used for SSLVPN where appropriate. (SonicWall notice, NHS England cyber alert)
- Hunt for post-compromise tooling: OpenSSH installs, cloudflared presence, WinRAR staging, FileZilla SFTP, creation of new local users, and firewall rule changes enabling RDP/SSH. (Huntress advisory)
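One rule set that serves both the Windows endpoint detections in 5.2 and the post-compromise hunt items listed directly above, as an added example that is not part of the original report or of any cited vendor's tooling. The event records are constructed in a simplified Sysmon/Security-log-like dict shape; only the command lines and file paths quoted in the report (`vssadmin delete shadows /all /quiet`, `net group "Domain admins" /dom`, `nltest`, `C:\ProgramData\OpenSSHa.msi`, `C:\programdata\ssh\cloudflared.exe`) are taken from it. The `netsh` rule command line, the Windows event IDs 4720 (account created), 1102 and 104 (log cleared), and the T1136.001 mapping for account creation are facts about Windows and ATT&CK added here, not from the report.

```python
"""Endpoint detection and hunt rules for the post-access behaviours in this
report (added example). SAMPLE_EVENTS is constructed telemetry in a simplified
Sysmon/Security-log-like shape; adapt the field names to your own pipeline.
"""
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed; hosts and timestamps are invented
    {"ts": "2025-07-29T01:02:00Z", "host": "DC01", "kind": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain admins" /dom'},
    {"ts": "2025-07-29T01:02:30Z", "host": "DC01", "kind": "process",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2025-07-29T01:20:00Z", "host": "FS01", "kind": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\ProgramData\OpenSSHa.msi /quiet"},
    {"ts": "2025-07-29T01:25:00Z", "host": "FS01", "kind": "process",
     "image": r"C:\programdata\ssh\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run"},
    {"ts": "2025-07-29T01:26:00Z", "host": "WS07", "kind": "process",  # packaged install, benign
     "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"ts": "2025-07-29T01:40:00Z", "host": "FS01", "kind": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow '
                'protocol=TCP localport=3389'},
    {"ts": "2025-07-29T01:41:00Z", "host": "FS01", "kind": "winevent",
     "channel": "Security", "event_id": 4720, "target": "svc_backup2"},
    {"ts": "2025-07-29T02:55:00Z", "host": "FS01", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Clear-EventLog -LogName Security"'},
    {"ts": "2025-07-29T02:55:01Z", "host": "FS01", "kind": "winevent",
     "channel": "Security", "event_id": 1102},
    {"ts": "2025-07-29T02:58:00Z", "host": "FS01", "kind": "process",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-07-29T03:00:00Z", "host": "WS07", "kind": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def _exe(event):
    """Lower-cased image file name without its directory."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower()


def _cmd(event):
    """Lower-cased command line padded with spaces so ' cl ' style tokens match."""
    return " " + event.get("cmdline", "").lower() + " "


def _is_proc(event, exe):
    return event["kind"] == "process" and _exe(event) == exe


# (ATT&CK technique, rule name, predicate). IDs follow the report's mapping, plus
# T1136.001 (Create Account: Local Account) for the 4720 audit record.
RULES = [
    ("T1490", "shadow copies deleted",
     lambda e: _is_proc(e, "vssadmin.exe") and "delete shadows" in _cmd(e)),
    ("T1070.001", "event log cleared (command)",
     lambda e: e["kind"] == "process" and (
         (_exe(e) == "wevtutil.exe" and " cl " in _cmd(e)) or "clear-eventlog" in _cmd(e))),
    ("T1070.001", "event log cleared (audit record)",
     lambda e: e["kind"] == "winevent"
     and (e["channel"], e["event_id"]) in {("Security", 1102), ("System", 104)}),
    ("T1105", "cloudflared run from non-standard path",
     lambda e: _is_proc(e, "cloudflared.exe")
     and not e["image"].lower().startswith("c:\\program files")),
    ("T1105", "OpenSSH MSI installed",
     lambda e: _is_proc(e, "msiexec.exe") and "openssh" in _cmd(e)),
    ("T1087", "Domain Admins group enumerated",
     lambda e: _is_proc(e, "net.exe") and "domain admins" in _cmd(e)),
    ("T1482", "domain trust discovery via nltest",
     lambda e: _is_proc(e, "nltest.exe")),
    ("T1021.001", "inbound RDP firewall rule added",
     lambda e: _is_proc(e, "netsh.exe") and "advfirewall" in _cmd(e)
     and "add rule" in _cmd(e) and "3389" in _cmd(e)),
    ("T1136.001", "local account created (4720)",
     lambda e: e["kind"] == "winevent" and e["event_id"] == 4720),
]


def scan(events):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for e in events:
        for technique, name, pred in RULES:
            if pred(e):
                findings.append({"ts": e["ts"], "host": e["host"], "technique": technique,
                                 "rule": name, "evidence": e.get("cmdline") or e.get("event_id")})
    return findings


def hunt_summary(events):
    """Per-host sorted list of distinct techniques seen, to order triage by breadth."""
    by_host = defaultdict(set)
    for f in scan(events):
        by_host[f["host"]].add(f["technique"])
    return {h: sorted(t) for h, t in by_host.items()}
```

`scan()` is the real-time detection side; `hunt_summary()` is the retrospective hunt side, and a host that accumulates discovery, tool transfer, a firewall change, log clearing and shadow-copy deletion in one window (FS01 in the sample) is the one to isolate first. The cloudflared rule deliberately keys on the install path rather than the binary name, because the report's observed path under `C:\programdata\ssh` is what separates it from a legitimately packaged install.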
6.2 Forensic artefacts to collect
- SonicWall: SSLVPN auth logs, admin logins, config export + change history, account lists (local and LDAP mappings), MFA configuration, lockout settings. (SonicWall notice)
- Windows: Security/System/Application event logs (note adversary log clearing attempts), PowerShell operational logs, SRUM, scheduled tasks, new user creation events, installed MSI logs for OpenSSH, and evidence of `vssadmin` usage. (Huntress advisory)
6.3 Lessons learned
- Treat edge/VPN appliances as tier-0: apply KEV-driven patching and credential rotation as a standard post-upgrade/migration control, not an optional step. (CISA KEV add, SonicWall notice)
7. Threat Intelligence Contextualisation
7.1 Similar past incidents
- In 2024, multiple bodies reported exploitation of CVE-2024-40766 with ransomware interest and urged emergency remediation. (Rapid7 analysis, CISA KEV add)
- SonicWall and public reporting repeatedly show attackers monetising edge-device weaknesses (SonicWall SMA and firewall ecosystem), reinforcing the need for a unified “internet edge” hardening programme. (Examples: SonicWall SMA CVE-2021-20016 advisory, NVD (CVE-2021-20016))
7.2 Full MITRE ATT&CK mapping (observed lifecycle)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation/abuse of exposed SSLVPN/edge service in line with CVE correlation and responder reporting |
| Initial Access | T1078 | Valid Accounts | Credential reuse/carry-over post-migration; VPN logins preceding ransomware |
| Credential Access | T1110 | Brute Force | SonicWall notes increased brute-force attempts and need for lockout/updated firmware protections |
| Discovery | T1087 | Account Discovery | net group "Domain admins" /dom, AD enumeration |
| Discovery | T1482 | Domain Trust Discovery | nltest trust/domain discovery |
| Lateral Movement | T1021.001 | Remote Services: RDP | Firewall rule changes to allow RDP inbound |
| Command and Control | T1105 | Ingress Tool Transfer | Deployment of tooling (OpenSSH installer, cloudflared, etc.) |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | SSH/FileZilla tooling noted for exfil/staging workflows |
| Defence Evasion | T1070.001 | Clear Windows Event Logs | PowerShell-based log clearing described (incl. Akira -dellog behaviour) |
| Impact | T1490 | Inhibit System Recovery | vssadmin delete shadows /all /quiet prior to encryption |
(Behavioural sourcing: Huntress advisory, SonicWall notice, Arctic Wolf bulletin)
8. Mitigation Recommendations
8.1 Hardening steps (immediate)
- Disable SSLVPN if not essential; otherwise IP-restrict and reduce portal exposure. (Huntress advisory, Arctic Wolf bulletin)
- Reset all local SSLVPN-capable passwords, prioritising migrated accounts; remove stale/unused users. (SonicWall notice)
- Enforce MFA and validate the security of MFA configuration; SonicWall notes improvements in SonicOS 7.3 for brute-force/MFA protections. (SonicWall notice)
8.2 Patch management (prioritisation)
- Treat CVE-2024-40766 as top priority due to KEV status and recurring exploitation waves. (CISA KEV add, NVD)
- Where patching is constrained, implement interim controls from SonicWall’s notice: firmware upgrades, password resets, lockout policies, and security service enablement (e.g., botnet filtering/Geo-IP). (SonicWall notice)
9. Historical Context & Related Vulnerabilities
9.1 Previously exploited SonicWall ecosystem vulnerabilities (examples)
- SonicWall SMA 100 series SQL injection: (SonicWall advisory SNWLID-2021-0001, NVD (CVE-2021-20016))
- SonicWall SMA100 post-auth command injection: (SonicWall advisory SNWLID-2023-0018, NVD (CVE-2023-44221))
9.2 Related coverage
- Government/health-sector alerts that operationalise SonicWall’s migration-password finding: (NHS England cyber alert, Cyber Centre Canada alert)
10. Future Outlook
Expect continued exploitation of exposed SSLVPN endpoints as long as (1) KEV-listed vulnerabilities remain unpatched, and (2) organisations perform upgrades/migrations without credential rotation and policy hardening. Ransomware operators have strong incentive to keep iterating on edge-device access because it reduces phishing dependency and accelerates access to privileged network zones. (CISA KEV add, SonicWall notice)
11. Further Reading
Vendor & vulnerability
- SonicWall advisory SNWLID-2024-0015 for CVE-2024-40766
- NVD entry for CVE-2024-40766
- SonicWall notice: Gen 7 SSLVPN recent threat activity
Responder & government reporting
- Huntress threat advisory: Active exploitation of SonicWall VPNs
- Arctic Wolf: July 2025 uptick in Akira activity targeting SonicWall SSLVPN
- CISA KEV announcement including CVE-2024-40766
- Cyber Centre Canada alert on SonicWall Gen 7 SSLVPN activity
- NHS England cyber alert referencing migration/password risk
