Arctic Wolf has observed a significant rise since late July 2025 in Akira ransomware attacks targeting SonicWall SSL VPN accounts. The campaign is still active, with new infrastructure spotted as recently as September 20, 2025.
Akira affiliates are exploiting stolen credentials, even in environments where multi-factor authentication (MFA) is enabled. According to the report, “Threat actors are accessing SSL VPN accounts through credentials likely to have been previously exfiltrated with CVE-2024-40766, including accounts with OTP MFA enabled.”
The campaign highlights Akira’s ongoing focus on VPNs. Previous attacks exploited vulnerabilities such as CVE-2023-20269 in Cisco ASA and CVE-2020-3259 in Cisco AnyConnect.
Perhaps the most alarming element is the extremely short dwell time. Arctic Wolf warns: “In dozens of recent intrusions, attackers moved from credential access to lateral movement, exfiltration, and encryption in under four hours—with some as fast as 55 minutes.”
This quick timeline gives defenders very little time to react.
To stay ahead of detection, the group continuously shifts its infrastructure. “Threat actors are rotating VPS-based client infrastructure, attempting to evade detection.”

Indicators of compromise include logins originating from VPS hosting providers rather than standard broadband or enterprise networks, a pattern defenders can track.
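
One way to track the hosting-provider logins described above, as an added example that is not taken from Arctic Wolf's report or from this article. The CSV layout, the network labels and the function names are hypothetical, and the ranges are RFC 5737 documentation addresses standing in for a real hosting-network feed.

```python
import csv
import io
import ipaddress

# Constructed placeholders (RFC 5737 space) for a real VPS/hosting-network feed.
HOSTING_NETS = {
    "example-vps-a": ipaddress.ip_network("198.51.100.0/24"),
    "example-vps-b": ipaddress.ip_network("203.0.113.0/25"),
}

# Constructed export of successful logins; hypothetical layout, not a SonicWall format.
SAMPLE_LOG = """\
time,user,src_ip,mfa
2025-09-20T01:12:09Z,jsmith,192.0.2.44,otp
2025-09-20T02:40:51Z,svc_backup,198.51.100.23,none
2025-09-20T02:47:10Z,adavis,203.0.113.77,otp
2025-09-20T03:05:33Z,adavis,203.0.113.200,otp
2025-09-20T03:09:02Z,mlee,not-an-ip,otp
"""


def classify(src_ip):
    """Return a hosting label, "unparsed" for a bad address, or None."""
    try:
        addr = ipaddress.ip_address(src_ip.strip())
    except ValueError:
        return "unparsed"  # surface malformed fields instead of dropping them
    for label, net in HOSTING_NETS.items():
        if addr in net:
            return label
    return None


def hosting_logins(log_text):
    """Return one finding per login that needs review, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(row["src_ip"])
        if label is None:
            continue  # source is outside every listed hosting range
        # A passed OTP does not clear the login: the report describes
        # intrusions on accounts with OTP MFA enabled, so "mfa" is kept.
        findings.append({**row, "network": label})
    return findings


if __name__ == "__main__":
    for finding in hosting_logins(SAMPLE_LOG):
        print(finding)
```

Because the infrastructure is rotated, the range list only stays useful if it is refreshed from a maintained source.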
Victimology spans industries and company sizes, suggesting mass exploitation. As the report notes, “Victims span multiple industries and organisation sizes, indicating opportunistic mass exploitation rather than targeted intrusions.”
SonicWall confirmed that CVE-2024-40766 is being exploited and warned that patched devices could still be at risk if credentials were compromised prior to updates. Their advice includes:
- Reset all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets.
- Update to SonicOS 7.3.0, which introduces brute-force and MFA hardening.
- Remove unused accounts and enforce MFA across all remote access.
- Enable Botnet Protection and other security services.
