Akira SonicWall SSL VPN MFA-bypass campaign
Campaign
Summary
Akira-affiliated actors are causing widespread compromise of SonicWall SSL VPN devices, with Huntress reporting activity that began on October 4, 2025 and impacted more than 100 accounts across 16 customer environments. The observed logins appear to use valid credentials rather than brute force, and some intrusions included network scanning and attempts to access local Windows accounts. Huntress said authentications on the compromised devices came from 202.155.8[.]73. The disclosure follows SonicWall's report of unauthorized exposure of firewall configuration backup files in MySonicWall accounts, but Huntress said there is no evidence linking that exposure to the recent spike in compromises.
Cases
Related Happenings
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Timeline
- 11.10.2025 16:30 · 1 article · 7mo ago
Akira-affiliated actors compromise SonicWall SSL VPN devices across 16 customer accounts
Campaign Scope Update: Huntress warned that Akira-affiliated threat actors rapidly authenticated into multiple accounts across compromised SonicWall SSL VPN devices, affecting more than 100 accounts across 16 customer environments and beginning on October 4, 2025. In some cases the actors disconnected after a short time, while in others they performed network scanning and attempted to access local Windows accounts; authentications on the SonicWall devices originated from 202.155.8[.]73 and appeared to rely on valid credentials rather than brute force.
Sources:
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- 28.09.2025 21:49 · 4 articles · 8mo ago
Akira campaign compromises SonicWall accounts despite OTP MFA
Initial Disclosure: Arctic Wolf observed an ongoing Akira ransomware campaign against SonicWall firewalls and SSL VPN accounts in which attackers successfully logged in even when one-time password (OTP) multi-factor authentication was enabled, with the activity tied to CVE-2024-40766 and likely involving reused credentials or previously stolen OTP seeds. After gaining access, the actors reportedly scanned internal networks within 5 minutes, used Impacket, RDP, dsquery, SharpShares, and BloodHound for reconnaissance, targeted Veeam Backup & Replication servers for credential extraction, and used a Bring-Your-Own-Vulnerable-Driver chain with consent.exe, rwdrv.sys, and churchill_driver.sys to disable endpoint defenses.
Sources:
- Akira ransomware breaching MFA-protected SonicWall VPN accounts — www.bleepingcomputer.com — 28.09.2025 21:49
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40