Akira SonicWall VPN Exploitation Campaign

Darktrace investigated an Akira ransomware campaign in August 2025 that exploited SonicWall SSL VPN devices—primarily leveraging the known CVE-2024-40766 vulnerability, misconfigurations, and stolen credentials—to gain access, move laterally, exfiltrate about 2 GB of data, and attempt to deploy ransomware. The campaign used techniques such as Kerberos PKINIT/U2U “UnPAC the hash,” WinRM and RDP for lateral movement, and downloads from rare external endpoints like 137.184.243[.]69 and 85.239.52[.]96. #Akira #CVE-2024-40766

Keypoints

  • Akira ransomware affiliates targeted SonicWall SSL VPN devices in July–August 2025, reusing the previously disclosed CVE-2024-40766 vulnerability and exploiting misconfigurations or stolen credentials for initial access.
  • Darktrace detected reconnaissance, lateral movement, credential access, and data exfiltration in a US customer incident, with ~2 GiB of data uploaded to an Akira-associated endpoint (66.165.243[.]39) before containment.
  • The attackers used legitimate administrative tools and protocols (WinRM, RDP, SSH) and employed a Kerberos PKINIT + U2U technique (“UnPAC the hash”) to extract NTLM hashes for lateral movement and privilege escalation.
  • Command-and-control and payload distribution involved rare external endpoints and temporary hosting services (e.g., temp[.]sh) and downloads named like “vmwaretools” from IPs such as 137.184.243[.]69 and 85.239.52[.]96.
  • Darktrace’s Cyber AI Analyst correlated disparate alerts into a single incident and Autonomous Response took targeted actions (blocking endpoints, sensitive ports, and quarantining devices), limiting further impact.
  • Multiple other US incidents with similar patterns (vmwaretools downloads or SSH exfiltration to ASN S29802 HVC-AS addresses) suggest a broader Akira campaign possibly run by different affiliates under RaaS.
  • The campaign highlights the importance of timely patching, fixing misconfigurations (MFA/TOTP setup paths), and monitoring for abuse of legitimate admin tools and Kerberos-based credential theft techniques.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via SonicWall SSL VPN devices by exploiting CVE-2024-40766 (“CVE-2024-40766 is an improper access control vulnerability…”).
  • [T1590.002] Gather Victim Network Information: DNS – Reconnaissance activity included scanning and external lookups to map network services (e.g., connections to advanced-ip-scanner[.]com indicating use of Advanced IP Scanner).
  • [T1590.005] Gather Victim Network Information: IP Addresses – Network scanning revealed IP-level reconnaissance to identify targets and exposed services (“network scan” activity detected at 05:10 UTC).
  • [T1592.004] Gather Victim Host Information: Client Configurations – Attackers queried host services like epmapper and collected client configuration details during reconnaissance (“DCE-RPC requests to the endpoint mapper (epmapper) service”).
  • [T1595] Active Scanning – Use of scanning tools and mass service probes to discover hosts and services (“network scan” and Advanced IP Scanner usage observed).
  • [T1018] Remote System Discovery – Discovery of remote systems and services was performed as part of mapping the environment prior to lateral movement (epmapper and scanning activity).
  • [T1046] Network Service Discovery – Probing of RPC/WinRM/RDP services to identify remote management interfaces for use in later lateral movement (“unusual number of DCE-RPC requests” and WinRM connections observed).
  • [T1083] File and Directory Discovery – Actors enumerated files and directories on targets to identify assets for collection or staging (implied by data staging and exfiltration activity).
  • [T1135] Network Share Discovery – Discovery of network shares and accessible resources to facilitate theft and lateral movement (consistent with lateral reconnaissance and credential abuse patterns).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement used RDP sessions to ESXi and domain controllers (“connecting to an ESXi device via RDP”).
  • [T1021.004] Remote Services: SSH – SSH was used for exfiltration and potential lateral/remote operations (data uploaded via SSH to external endpoints like 66.165.243[.]39).
  • [T1021.006] Remote Services: Windows Remote Management – WinRM/WSMan was used to remotely manage and move laterally (“user agent ‘Ruby WinRM Client’ and the URI ‘/wsman’ initiating outbound WinRM connections”).
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – NTLM hash extraction and reuse were part of the credential abuse techniques observed (“returned ST contains the NTLM hash of the credential, which can then be extracted and abused”).
  • [T1550.003] Use Alternate Authentication Material: Pass the Ticket – Kerberos-based ticket manipulation and reuse (U2U/ST behavior) were used to escalate or move laterally (“User-to-User (U2U) authentication… returned ST contains the NTLM hash”).
  • [T1110.001] Brute Force: Password Guessing – Password guessing and credential abuse were noted as common Akira TTPs for targeting remote access services (initial access via stolen credentials or brute force against RDP/VPN).
  • [T1649] Steal or Forge Authentication Certificates – Attackers downloaded Active Directory certificates (ICertPassage) and used PKINIT to obtain Kerberos tickets (“desktop device fetching an Active Directory certificate from the domain controller…”).
  • [T1078] Valid Accounts – Use of valid or stolen credentials and creation of new domain accounts for persistence and privileged access (“Known to create new domain accounts to maintain access” and reuse of credentials across Kerberos logins).
  • [T1588.001] Obtain Capabilities: Malware – Threat actors obtained tooling and payloads (e.g., the “vmwaretools” executable) from rare external hosts for deployment (“ESXi device was observed downloading an executable named ‘vmwaretools’”).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload retrieval used web protocols and HTTP(S) downloads from external endpoints (downloads from hxxp://85.239.52[.]96:8000/vmwarecli and hxxp://137.184.126[.]86:8080/vmwaretools).
  • [T1105] Ingress Tool Transfer – Tool and payload transfer to compromised hosts via HTTP/Wget (ESXi downloaded “vmwaretools” using user agent “Wget”).
  • [T1573] Encrypted Channel – Use of encrypted tunnels and services (e.g., Ngrok, Cloudflare Tunnel) reported as part of C2 and remote access toolkit usage by Akira affiliates.
  • [T1074] Data Staged – Evidence of data staging prior to exfiltration and upload events (Anomalous File / EXE from Rare External Location and Possible Data Staging alerts).
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration occurred via connections to known malicious endpoints and C2 infrastructure (2 GB upload to 66.165.243[.]39 over SSH identified as exfiltration).
  • [T1048] Exfiltration Over Alternative Protocol – Exfiltration via SSH and other non-standard channels to external IPs in ASN S29802 HVC-AS (e.g., 107.155.69[.]42 and 107.155.93[.]154).

Indicators of Compromise

  • [IP Address] Data exfiltration and C2 endpoints – 66.165.243[.]39 (data exfiltration endpoint), 137.184.243[.]69 (suspected C2/payload host).
  • [IP Address] Additional likely C2/exfil endpoints – 85.239.52[.]96 (likely C2; file download hxxp://85.239.52[.]96:8000/vmwarecli), 107.155.93[.]154 (reported Akira-associated exfil endpoint), and 107.155.69[.]42 (probable exfil endpoint).
  • [URL] Malicious file download URLs – hxxp://85.239.52[.]96:8000/vmwarecli (file download), hxxp://137.184.126[.]86:8080/vmwaretools (file download).
  • [File name] Suspicious payload filenames – “vmwaretools” / “vmwarecli” – downloaded by ESXi devices using user agent “Wget”.
  • [Domain] Reconnaissance tool domain – advanced-ip-scanner[.]com – connections indicating use of Advanced IP Scanner during reconnaissance.
  • [ASN] Hosting ASN used for exfiltration – S29802 HVC-AS – multiple exfiltration endpoints (107.155.69[.]42, 107.155.93[.]154) and associated activity noted.
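As an added example (not code from the Darktrace report), the following Python triage script applies the indicators and behavioural patterns listed above to a constructed connection log: known endpoints are kept in the defanged form shown on this page and refanged only for matching, and the behavioural rules cover the “Ruby WinRM Client” /wsman pattern, “vmwaretools”/“vmwarecli” downloads, and large SSH uploads. The log format and thresholds are assumptions for the demonstration.

```python
import re
from typing import Optional

# Indicators exactly as listed (defanged) in the summary above; refanged only when matching.
IOC_HOSTS = {
    "66.165.243[.]39", "137.184.243[.]69", "85.239.52[.]96",
    "137.184.126[.]86", "107.155.93[.]154", "107.155.69[.]42",
    "advanced-ip-scanner[.]com",
}
SUSPECT_FILENAMES = {"vmwaretools", "vmwarecli"}   # payload names from the report
GIB = 1024 ** 3                                     # assumed alert threshold for SSH uploads

# Constructed sample log (not from the report). Assumed format: "ts src dst:port proto k=v ...".
SAMPLE_LOG = """\
2025-08-01T05:10:02Z 10.0.0.15 10.0.0.5:5985 http ua="Ruby WinRM Client" uri=/wsman
2025-08-01T05:12:44Z 10.0.0.30 137.184.126.86:8080 http ua="Wget" uri=/vmwaretools
2025-08-01T05:20:10Z 10.0.0.30 66.165.243.39:22 ssh bytes_out=2147483648
2025-08-01T05:21:00Z 10.0.0.15 advanced-ip-scanner.com:443 http ua="Mozilla/5.0" uri=/
2025-08-01T05:25:00Z 10.0.0.40 10.0.0.7:80 http ua="Mozilla/5.0" uri=/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')     # key=value or key="quoted value"


def refang(host: str) -> str:
    return host.replace("[.]", ".")


IOC_SET = {refang(h) for h in IOC_HOSTS}


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, rest = m.groups()
    fields = {k: (q or v) for k, _, q, v in KV_RE.findall(rest)}
    return {"ts": ts, "src": src, "dst": dst.rsplit(":", 1)[0], "proto": proto, **fields}


def findings(rec: dict) -> list:
    hits = []
    if rec["dst"] in IOC_SET:
        hits.append("known_ioc_destination")
    if rec.get("ua") == "Ruby WinRM Client" and rec.get("uri", "").startswith("/wsman"):
        hits.append("ruby_winrm_client")           # WinRM lateral movement pattern
    if rec["proto"] == "http" and rec.get("uri", "").rsplit("/", 1)[-1] in SUSPECT_FILENAMES:
        hits.append("vmwaretools_style_download")   # ingress tool transfer pattern
    if rec["proto"] == "ssh" and int(rec.get("bytes_out", 0)) >= GIB:
        hits.append("large_ssh_upload")             # SSH exfiltration pattern
    return hits


def scan(log_text: str) -> list:
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (hits := findings(rec)):
            out.append((rec["src"], rec["dst"], hits))
    return out
```

Running `scan(SAMPLE_LOG)` flags four of the five constructed lines; the plain intranet HTTP request produces no finding.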

Read more: https://www.darktrace.com/blog/inside-akiras-sonicwall-campaign-darktraces-detection-and-response