ACSC ALERT: Is Your SonicWall VPN an Open Door for Akira Ransomware in Australia?

Executive Summary

On September 10, the Australian Cyber Security Centre (ACSC) issued a high-severity alert confirming that the Akira ransomware group is actively exploiting a critical SonicWall VPN vulnerability (CVE-2024-40766) to breach Australian businesses. The situation is more dangerous than it appears: patching the vulnerability is not enough to secure your network. Attackers are using a procedural loophole involving un-reset credentials to bypass the fix, leaving many organizations exposed despite their compliance efforts. This threat is amplified by Australia's new 2025 mandatory ransomware reporting laws, which can turn a technical breach into a regulatory and legal disaster. This analysis breaks down the technical risk, the severe business impacts, and the necessary steps to truly validate your defenses against this clear and present danger.

The Urgent Threat: What the ACSC is Warning Australian Businesses About

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has sounded the alarm for a significant, ongoing cyber threat targeting Australian organizations. In a high-severity alert published on September 10, 2025, the agency confirmed the active exploitation of a critical vulnerability in widely used SonicWall SSL VPNs. This is not a theoretical risk; it is a live campaign with confirmed victims in Australia.  

The threat actor behind these attacks has been identified as the Akira ransomware group, a sophisticated and financially motivated criminal enterprise known for its double-extortion tactics. The ACSC's alert specifically highlights that Akira is leveraging this VPN flaw as an initial access vector to breach corporate networks, with a focus on small and medium-sized businesses as well as critical infrastructure providers. The term "active exploitation" is cybersecurity parlance for a clear and present danger—attackers are successfully using this method to compromise systems right now, making immediate and effective action a necessity for any organization using the affected technology.  

Technical Analysis: Why Patches Are Failing

The vulnerability at the heart of this campaign is CVE-2024-40766, a critical "improper access control" flaw in SonicWall's operating system. In simple terms, it allows a remote attacker to bypass the normal authentication checks required to gain access to a private network via the SSL VPN. However, the true danger lies in a critical nuance that many IT teams are missing: what can be called the "Patching Paradox."  

While SonicWall released a patch for this vulnerability over a year ago, the ACSC confirms attacks are still succeeding. Why? Because the attackers are not always exploiting the unpatched software. Instead, they are leveraging a procedural failure: the failure to reset local SSL VPN user passwords after the patch was applied.  

The attack chain is dangerously simple. Before a patch was applied, attackers exploited the vulnerability to steal a list of valid user credentials. Now, even after an organization has patched its SonicWall device, these attackers can return and simply log in with the old, stolen passwords. This is especially common in businesses that have migrated configurations from older Gen 6 to newer Gen 7 devices without enforcing a full credential reset. Your automated vulnerability scanner will report the device as "patched" and "secure," giving you a false sense of security while an attacker walks in the front door with a stolen key.  
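One way to surface the gap described above from the defender's side, as an added example that is not the ACSC's or SonicWall's code: given the date the firmware fix was installed, a list of local SSL VPN accounts and some VPN log lines (all constructed here; the account fields and log format are assumptions, not SonicWall's real export), list the accounts whose passwords still predate the patch and rank those that have logged in since patching.

```python
# Added example, not code from the ACSC alert or SonicWall: flag local SSL VPN
# accounts whose password predates the CVE-2024-40766 patch, then rank those that
# logged in after patching. Field names, log format and data are constructed.
from dataclasses import dataclass
from datetime import date, datetime
PATCH_APPLIED = date(2024, 9, 15)  # assumed: day the firmware fix was installed

@dataclass
class VpnAccount:
    username: str
    auth_source: str  # "local" or "ldap"; only local SSL VPN users are at risk
    last_password_change: "date | None"  # None: unknown, e.g. Gen 6 -> Gen 7 migration

def accounts_needing_reset(accounts):
    """Map username -> reason for local accounts whose password predates the patch."""
    flagged = {}
    for a in accounts:
        if a.auth_source != "local":
            continue  # directory-backed accounts are reset in the directory, not here
        if a.last_password_change is None:
            flagged[a.username] = "no password change recorded (migrated config?)"
        elif a.last_password_change <= PATCH_APPLIED:
            flagged[a.username] = f"password unchanged since {a.last_password_change}"
    return flagged

def post_patch_logins(log_lines, flagged):
    """Flagged users with a successful SSL VPN login after the patch: reset these first."""
    hits = set()
    for line in log_lines:
        # constructed format: "<ISO ts> SSLVPN login success user=<name> src=<ip>"
        ts, _, rest = line.partition(" ")
        if "SSLVPN login success" not in rest:
            continue
        user = rest.split("user=", 1)[1].split()[0]
        if user in flagged and datetime.fromisoformat(ts).date() > PATCH_APPLIED:
            hits.add(user)
    return sorted(hits)
SAMPLE_ACCOUNTS = [  # constructed sample data
    VpnAccount("alice", "local", date(2024, 6, 1)),
    VpnAccount("bob", "local", date(2024, 10, 2)),
    VpnAccount("svc-backup", "local", None),
    VpnAccount("carol", "ldap", date(2024, 1, 1)),
]
SAMPLE_LOG = [  # constructed sample log lines
    "2024-09-10T08:00:00 SSLVPN login success user=alice src=203.0.113.5",
    "2024-11-03T02:14:00 SSLVPN login success user=alice src=198.51.100.7",
    "2024-11-04T09:00:00 SSLVPN login success user=bob src=203.0.113.9",
]
```

A scanner reporting the device as "patched" says nothing about these accounts; the output of the two functions is the list a team should actually be working through.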

Business Impact: Beyond Downtime to Regulatory Disaster

A successful breach by Akira is not just an IT headache; it is a multi-faceted business catastrophe. The group employs a double-extortion model, meaning they first steal copies of your most sensitive corporate and customer data before encrypting your systems. They then demand a ransom to restore your access and a separate payment to prevent them from leaking your stolen data publicly.  

For Australian businesses in 2025, the financial and operational damage is now compounded by a new and unforgiving regulatory landscape. A ransomware incident now triggers a cascade of legal obligations that can lead to severe penalties. Under the Cyber Security Act 2024, if your business has over $3 million in annual turnover and you make a ransom payment, you are legally required to submit a detailed incident report to the government within 72 hours.  

Furthermore, if customer data is compromised, the breach will likely trigger obligations under the Notifiable Data Breaches scheme and expose your company to class-action lawsuits under the new statutory tort for serious invasion of privacy, which came into effect in June 2025. An attack is no longer just about downtime; it's a legal and compliance crisis that can inflict lasting reputational and financial damage.  

The Solution: Moving from Compliance to Resilience with Adversary Simulation

The Akira-SonicWall campaign proves that a compliance-based, checklist approach to security is no longer sufficient. You cannot rely on a "green" light from a vulnerability scanner to know you are secure. The only way to be certain that your defenses can withstand a real-world attack is to test them against the same tactics, techniques, and procedures used by the adversary.

This is the role of penetration testing and adversary simulation. A comprehensive security assessment doesn't just check if a patch is installed. It simulates the entire attack chain used by Akira—from exploiting the perimeter to using stolen credentials, moving laterally within the network, and attempting to exfiltrate data. It validates not only your technology but also your procedures and your team's ability to detect and respond to an intrusion. This proactive approach moves your organization from a reactive state of compliance to a proactive state of proven resilience.

Call-to-Action

The Akira-SonicWall campaign is a clear and present danger to Australian businesses. Standard security measures are proving insufficient. Contact us today to schedule a comprehensive SonicWall Security Assessment and Adversary Emulation test to validate your defenses before they are put to the ultimate test.