CISA Issues Urgent Advisory After Akira Hits SonicWall Infrastructure

Security researchers urge immediate VPN shutdowns as Akira exploits SonicWall SSL VPN access in a sophisticated attack chain possibly involving zero-day exploits or credential compromise.

BRUSSELS – August 2, 2025 | MAG212

A wave of high-impact cyberattacks is sweeping across critical infrastructure in the U.S. and Europe, with the Akira ransomware group exploiting SonicWall SSL VPN appliances to breach networks—even on fully patched systems.

Cybersecurity experts warn that the attack chain is unusually stealthy and technically advanced, raising the possibility of an unpatched zero-day vulnerability, a configuration bypass, or reuse of previously stolen credentials.

“What’s alarming is how Akira is bypassing MFA and session controls,” said Alex Lanstein, Incident Responder at Dragos. “Either they’re using a previously unknown exploit in the SSL VPN stack or they’ve found a clever way to hijack authenticated sessions.”


Technical Breakdown: How the Attack Works

Step 1: Initial Access via SonicWall SSL VPN

  • Vector A: Zero-Day Exploit (Suspected)
    Attackers may be exploiting an undisclosed vulnerability in SonicWall’s SSL VPN web interface (e.g., stack-based buffer overflow or auth bypass) to gain unauthorized access without valid credentials.
  • Vector B: Credential Abuse
    Alternatively, threat actors may be using valid credentials harvested through:
    • Infostealer malware
    • Previous breaches
    • Dark web marketplace purchases
    Even with MFA enabled, attackers may be using token reuse, session hijacking, or exploiting flaws in how SonicWall handles MFA sessions (e.g., non-expiry of session cookies or insecure local storage).

Step 2: Post-Exploitation – Lateral Movement

Once inside, Akira operators deploy Cobalt Strike, Sliver, or custom backdoors via:

  • Remote Command Execution (RCE) using legitimate tools (e.g., PsExec, WMI)
  • Privilege Escalation through kernel exploits or unpatched Windows services
  • Credential Dumping using LSASS access or Mimikatz

Step 3: Payload Deployment & Encryption

The Akira payload is typically side-loaded or memory-injected to avoid AV/EDR detection. It uses:

  • Symmetric AES-256 encryption for speed
  • RSA public-key encryption to lock AES keys
  • Exfiltration of sensitive files (often using Rclone or Mega API) before encryption

Encrypted systems display Akira’s ransom note, demanding payment in Bitcoin and threatening to leak data on the group’s Tor leak site.


Human and Business Impact

  • One financial firm reportedly lost 3 TB of data within 6 hours.
  • A university in Germany was forced to cancel exams and suspend online portals.
  • A U.S. logistics company experienced total fleet disruption after servers were encrypted overnight.

“The speed from compromise to detonation is getting shorter. Some organizations are breached and encrypted within hours,” said Rachel Tobac, cybersecurity strategist at SocialProof Security.


Mitigation & Response

Immediate Recommendations:

  • Disable SonicWall SSL VPN portals
  • Rotate all VPN and admin credentials
  • Review session logs for unusual access patterns
  • Implement conditional access policies and network segmentation

Detection Tips:

  • Look for unusual login times or IP geolocation anomalies
  • Monitor for outbound traffic to cloud storage or Tor
  • Inspect logs for PowerShell, WMI, or encoded command execution
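
An added example, not from the article or any vendor named in it, that runs the three detection tips above over a few constructed VPN and endpoint log lines; the log format, the working-hours window and the sample values are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry. The format is an assumption:
#   "<ISO timestamp> vpn user=<name> src=<ip> country=<CC> result=<ok|fail>"
#   "<ISO timestamp> proc user=<name> cmd=<command line>"
SAMPLE_LOGS = [
    "2025-08-01T09:12:03 vpn user=alice src=203.0.113.7 country=DE result=ok",
    "2025-08-01T10:40:11 vpn user=bob src=198.51.100.2 country=US result=ok",
    "2025-08-02T02:47:58 vpn user=alice src=192.0.2.44 country=BR result=ok",
    "2025-08-02T02:51:30 proc user=alice cmd=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2025-08-02T11:05:00 proc user=bob cmd=wmic /node:fileserver process call create notepad.exe",
]

VPN_RE = re.compile(r"^(\S+) vpn user=(\S+) src=(\S+) country=(\S+) result=(\S+)$")
PROC_RE = re.compile(r"^(\S+) proc user=(\S+) cmd=(.*)$")
# PowerShell's -EncodedCommand switch and the short forms it accepts.
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
WMI_REMOTE_RE = re.compile(r"\bwmic\b.*\bprocess call create\b", re.I)
WORK_HOURS = range(7, 19)  # assumption: logins 07:00-18:59 are routine

def analyze(lines):
    """Return (timestamp, user, reason) findings, one per suspicious signal."""
    findings = []
    seen_countries = defaultdict(set)  # user -> countries seen in earlier logins
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            ts, user, src, country, result = m.groups()
            if result != "ok":  # failed logins are out of scope here
                continue
            if datetime.fromisoformat(ts).hour not in WORK_HOURS:
                findings.append((ts, user, f"off-hours VPN login from {src}"))
            if seen_countries[user] and country not in seen_countries[user]:
                findings.append((ts, user, f"new login country {country}"))
            seen_countries[user].add(country)
            continue
        m = PROC_RE.match(line)
        if m:
            ts, user, cmd = m.groups()
            if ENCODED_PS_RE.search(cmd):
                findings.append((ts, user, "encoded PowerShell command"))
            elif WMI_REMOTE_RE.search(cmd):
                findings.append((ts, user, "remote process creation via WMI"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_LOGS):
        print(f"{ts} {user}: {reason}")
```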

Long-Term Advice:

  • Transition to ZTA (Zero Trust Architecture)
  • Replace outdated VPNs with modern SASE frameworks
  • Implement offline backups and test disaster recovery drills

SonicWall Response

SonicWall has acknowledged the reports but has not confirmed a vulnerability. In a statement, the company said:

“We are actively investigating these incidents with trusted partners. At this stage, we recommend enhanced monitoring and isolating impacted systems while forensic analysis is ongoing.”


Sources: Huntress Labs, SonicWall Security Advisories, Cybersecurity & Infrastructure Security Agency (CISA), Red Canary, Malwarebytes Labs, ENISA, Dragos Threat Intel, community telemetry from CERT-EU.
