What first looked like a zero-day frenzy has morphed into a layered lesson in attacker ingenuity and configuration pitfalls. SonicWall has retracted early warnings about an undisclosed exploit behind the wave of ransomware assaults on its Gen 7 and newer firewalls. Instead, the company now attributes these attacks to a known vulnerability (CVE-2024-40766) and sloppy credential migration practices—plus a newly uncovered second act from Akira affiliates using Bring-Your-Own-Vulnerable-Driver (BYOVD) tactics to evade detection.
Trouble erupted late last week when firms like Arctic Wolf, Huntress, and Mandiant reported that even fully patched SonicWall systems with enforced MFA were compromised via SSL VPN. Within hours, Akira ransomware was detonated inside networks. The speed and stealth were so pronounced that users feared a new zero-day was being exploited. SonicWall initially responded on Monday by recommending that users disable the SSL VPN on potentially affected units—but reversed course late yesterday, stating with "high confidence" that no novel vulnerability was involved. Instead, attackers were slipping in through user accounts improperly carried over from Gen 6 appliances without a password reset, a misconfiguration SonicWall had previously warned about.
If that wasn't enough, GuidePoint Security has pulled back the curtain on the next phase. Akira affiliates have begun abusing legitimate Windows drivers to evade antivirus and endpoint defenses. Specifically, they're hijacking rwdrv.sys, a CPU-performance tuning driver from ThrottleStop, to gain kernel-level access, and hlpdrv.sys to disable Microsoft Defender by flipping registry keys via regedit.exe, a textbook BYOVD maneuver. These evasion tactics have been visible in incident response cases dating back to mid-July.
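As an added detection example (not code from the article or from any vendor it names), the script below runs two Sysmon-style checks over constructed events: loads of the two drivers named above, and Defender kill-switch writes under the Windows Defender policy key. The Sysmon field names (ImageLoaded, TargetObject, Details), the policy key path and the DisableRealtimeMonitoring value are assumed from standard Sysmon and Defender documentation; the driver watchlist is an assumption built from this article.

```python
import ntpath

# Drivers the article reports Akira affiliates abusing (BYOVD). Assumed
# watchlist for this example; extend it from your own telemetry and vendor
# blocklists. Note that a valid signature does not clear a driver: BYOVD
# loads a legitimately signed but vulnerable driver, so signature checks
# alone will not fire.
ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Defender policy key and the DWORD values that, when set to 1, switch
# protections off (assumed from Defender documentation).
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DISABLE_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring"}


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad): flag loads of watchlisted drivers."""
    name = ntpath.basename(ev.get("ImageLoaded", "")).lower()
    if name in ABUSED_DRIVERS:
        return f"BYOVD: load of {name} from {ev['ImageLoaded']}"
    return None


def check_registry_set(ev):
    """Sysmon Event ID 13 (RegistryEvent SetValue): flag Defender kill switches."""
    key, _, value = ev.get("TargetObject", "").rpartition("\\")
    if (key.lower() == DEFENDER_POLICY_KEY.lower() and value in DISABLE_VALUES
            and ev.get("Details", "").endswith("0x00000001)")):
        return f"Defender disabled via {value} by {ev.get('Image')}"
    return None


CHECKS = {6: check_driver_load, 13: check_registry_set}


def analyze(events):
    """Dispatch each event to the check for its EventID; return the findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs): two malicious events, one benign.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys", "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": DEFENDER_POLICY_KEY + r"\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The benign ndis.sys load produces no finding; a driver dropped into a temp directory with a valid signature still does, which is the behaviour a BYOVD detection needs.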
SonicWall has publicly responded by encouraging users to upgrade to SonicOS 7.3.x, which includes new protections against brute-force and MFA-bypass attempts, and by reinforcing its network hygiene recommendations—including credential resets, Geo-IP filtering, botnet protection, and aggressive account auditing. Even so, if patching isn't paired with configuration discipline and visibility, guarded systems can still fall. This campaign underscores that even when infrastructure looks locked down, adversaries are watching for the doors left wide open by legacy habits.