Subj : SonicWall VPN accounts breached by Akira ransomware -and even tho
To   : All
From : TechnologyDaily
Date : Mon Sep 29 2025 17:00:09

SonicWall VPN accounts breached by Akira ransomware - and even those using MFA are at risk
Date: Mon, 29 Sep 2025 15:51:00 +0000
Description: How can fully patched, 2FA-protected accounts still be breached? Security pros have a few ideas.

FULL STORY
======================================================================

- Akira ransomware is reusing access obtained through CVE-2024-40766 against SonicWall VPNs despite patches and MFA
- Researchers suspect OTP seeds were stolen, enabling bypass of one-time password protections
- Google links attacks to UNC6148, which targets fully patched, end-of-life SonicWall SMA 100 appliances

Akira ransomware operators are still finding ways to infiltrate SonicWall SSL VPN devices, despite the known vulnerabilities having been patched and victims having multi-factor authentication (MFA) enabled on all accounts.

Multiple security researchers have confirmed that the attacks are taking place, but they have different (though broadly similar) theories about what is actually happening.

In late July 2025, Arctic Wolf Labs reported an uptick in malicious logins coming through SonicWall SSL VPN instances. At the time, the researchers speculated that the endpoints might be affected by a zero-day vulnerability, but it was later confirmed that Akira's operators were actually exploiting CVE-2024-40766, an improper access control flaw discovered, and patched, in September 2024.

Nabbing tokens via zero-day?

Besides patching, SonicWall also urged its customers to reset all SSL VPN credentials, but it seems these measures were not enough to keep Akira at bay. Now, Arctic Wolf says it's seeing successful logins even on 2FA-protected accounts.
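The seed-theft theory both research teams put forward, and the "several OTP challenges before a successful login" pattern Arctic Wolf reported, worked through as an added Python example. This is not code from TechRadar, Arctic Wolf, Google or SonicWall: the HOTP/TOTP routines follow RFC 4226 and RFC 6238 (and reproduce their published test vectors), while the account model, the user names, the addresses and the key=value log format are constructed assumptions for illustration, not SonicWall's implementation or syslog format.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    Anyone holding the seed computes the same code; the seed is the secret, not the code."""
    return hotp(seed, unix_time // step, digits)


class VpnAccount:
    """Constructed model of a VPN user record (password + TOTP seed).
    An assumption for illustration, not SonicWall's data model."""

    def __init__(self, username: str, password: str, otp_seed: bytes):
        self.username = username
        self.password = password
        self.otp_seed = otp_seed

    def login(self, password: str, otp_code: str, unix_time: int) -> bool:
        pw_ok = hmac.compare_digest(password.encode(), self.password.encode())
        otp_ok = hmac.compare_digest(totp(self.otp_seed, unix_time), otp_code)
        return pw_ok and otp_ok

    def reset_password(self, new_password: str) -> None:
        self.password = new_password  # the credential reset vendors ask for

    def reenroll_mfa(self, new_seed: bytes = b"") -> None:
        self.otp_seed = new_seed or secrets.token_bytes(20)  # issue a fresh seed


def seed_replay_scenario(now: int = 1_700_000_000) -> dict:
    """Walk through the campaign as described: password and OTP seed dumped from an
    unpatched device, then reused after patching and again after a password reset."""
    acct = VpnAccount("alice", "Winter2024!", b"12345678901234567890")  # constructed; RFC test seed
    stolen = {"password": acct.password, "otp_seed": acct.otp_seed}    # attacker's pre-patch copy

    out = {}
    # Patching the flaw does nothing to data already exfiltrated: the login still succeeds.
    out["login_after_patch"] = acct.login(stolen["password"], totp(stolen["otp_seed"], now), now)

    acct.reset_password("Spring2025!")
    out["login_after_password_reset"] = acct.login(stolen["password"], totp(stolen["otp_seed"], now), now)
    # ...but the second factor is still fully compromised: the attacker's codes match the device's.
    out["otp_still_valid_after_password_reset"] = totp(stolen["otp_seed"], now) == totp(acct.otp_seed, now)

    acct.reenroll_mfa(b"fresh seed issued at re-enrollment")  # constructed replacement seed
    out["otp_valid_after_reenroll"] = totp(stolen["otp_seed"], now) == totp(acct.otp_seed, now)
    return out


# Constructed login telemetry in a simple key=value shape (not SonicWall's syslog format).
SAMPLE_LOG = """\
2025-09-20T02:11:04Z user=alice src=198.51.100.23 event=otp_challenge
2025-09-20T02:11:19Z user=alice src=198.51.100.23 event=otp_challenge
2025-09-20T02:11:33Z user=alice src=198.51.100.23 event=otp_challenge
2025-09-20T02:11:41Z user=alice src=198.51.100.23 event=login_success
2025-09-20T08:30:00Z user=bob src=203.0.113.5 event=otp_challenge
2025-09-20T08:30:12Z user=bob src=203.0.113.5 event=login_success
"""


def suspicious_otp_logins(log_text: str, min_challenges: int = 2) -> list:
    """Return (user, src, n) for each success preceded by n >= min_challenges OTP
    challenges from the same user and source: the pattern Arctic Wolf reported."""
    pending: dict = {}
    flagged = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        key = (fields["user"], fields["src"])
        if fields["event"] == "otp_challenge":
            pending[key] = pending.get(key, 0) + 1
        elif fields["event"] == "login_success":
            n = pending.pop(key, 0)
            if n >= min_challenges:
                flagged.append((fields["user"], fields["src"], n))
    return flagged


if __name__ == "__main__":
    print(seed_replay_scenario())
    print(suspicious_otp_logins(SAMPLE_LOG))
```

The scenario shows why a password reset on its own is not a fix once seeds have left the box: the old password stops working, but the stolen seed keeps producing the device's own codes until MFA is re-enrolled with a new seed. The log check is deliberately simple (a single user's normal retry would also trip it at a low threshold), so in practice it is a triage signal to correlate with source address and geography rather than an alert on its own.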
In a report published earlier this week, the researchers said multiple one-time password (OTP) challenges were issued for account login attempts before successful logins, indicating that the attackers most likely compromised OTP seeds, or found another way to generate the tokens.

"From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled."

This matters for remediation: a TOTP code is computed from the seed and the current time, so an attacker who copied the seed produces exactly the codes the user's authenticator does. Patching the appliance and resetting passwords does not change the seed; only re-enrolling MFA (issuing new seeds and revoking the old bindings) closes that factor.

At the same time, Google reported that stolen OTP seeds were the most likely culprit, but that they were likely nabbed through a zero-day. Note that Google's report concerns a different product line from the Arctic Wolf campaign: UNC6148 targets SMA 100 series appliances, whereas CVE-2024-40766 affects the SSL VPN service of SonicOS firewalls.

"Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances," Google said in its report.

"GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates."

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/sonicwall-vpn-accounts-breached-by-akira-ransomware-even-those-using-mfa

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)