Cybersecurity researchers are warning that SonicWall SSL VPN devices may be affected by a possible zero-day vulnerability currently being exploited by Akira ransomware operators.
In mid-July 2025, Arctic Wolf Labs detected a spike in suspicious logins through SonicWall SSL VPN endpoints. Notably, some compromised devices were fully patched, leading researchers to suspect the presence of an undiscovered flaw. However, they also acknowledged the possibility that attackers had obtained valid credentials from another source.
Regardless of the entry method, targeted organizations soon fell victim to Akira ransomware. "A short interval was observed between initial SSL VPN account access and ransomware encryption," Arctic Wolf researchers noted. They further explained that, unlike legitimate VPN logins, which usually originate from consumer ISP networks, the logins attributed to the ransomware operators often came from Virtual Private Server (VPS) hosting providers, which gives defenders a usable detection signal.
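The source-network heuristic described above, turned into a small triage script. This is an added example, not code from Arctic Wolf or SonicWall: the log line format, the IP-to-network table and the sample events are all constructed for illustration, and a real deployment would feed the classification from an ASN/organisation lookup and the firewall's actual log schema.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample SSL VPN events in a generic key=value form (not SonicWall's real log format).
SAMPLE_LOGS = [
    "2025-07-15T02:14:07Z event=sslvpn_login user=jsmith src=203.0.113.44 result=success",
    "2025-07-15T08:30:12Z event=sslvpn_login user=mlee src=198.51.100.23 result=success",
    "2025-07-15T02:16:40Z event=sslvpn_login user=admin2 src=203.0.113.91 result=success",
    "2025-07-15T09:01:55Z event=sslvpn_login user=jsmith src=192.0.2.10 result=failure",
]

# Constructed classification table: prefix -> (label, network type). Real deployments
# would populate this from an ASN or ISP data feed rather than a hard-coded dict.
NETWORK_TYPES = {
    ipaddress.ip_network("203.0.113.0/24"): ("AS64500 ExampleCloud VPS", "hosting"),
    ipaddress.ip_network("198.51.100.0/24"): ("AS64501 HomeNet ISP", "consumer"),
    ipaddress.ip_network("192.0.2.0/24"): ("AS64502 MobileCo", "consumer"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def classify_source(ip: str):
    """Return (label, network_type) for an IP, or ('unknown', 'unknown') if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, info in NETWORK_TYPES.items():
        if addr in net:
            return info
    return ("unknown", "unknown")


def find_hosting_logins(lines):
    """Return successful SSL VPN logins from hosting/VPS networks, oldest first."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "sslvpn_login" or m["result"] != "success":
            continue
        label, kind = classify_source(m["src"])
        if kind == "hosting":
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            hits.append({"ts": ts, "user": m["user"], "src": m["src"], "label": label})
    hits.sort(key=lambda h: h["ts"])
    return hits


if __name__ == "__main__":
    for hit in find_hosting_logins(SAMPLE_LOGS):
        print(f"{hit['ts'].isoformat()} {hit['user']} from {hit['src']} ({hit['label']})")
```

Logins flagged this way are a starting point for review (correlate with the account's usual source networks and with what happened after login), not proof of compromise on their own.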
Until SonicWall issues a patch or clarifies the situation, experts advise businesses to implement multi-factor authentication (MFA), remove inactive firewall accounts, and ensure all passwords are strong, unique, and regularly updated.
Akira, which first appeared in March 2023, has attacked organizations across various industries, exploiting stolen VPN credentials and exposed services to infiltrate systems. The group targets both Windows and Linux environments, often deleting backups to prevent recovery. By mid-2025, Akira had claimed hundreds of victims worldwide, including Stanford University, Nissan Australia, and Tietoevry. Communications with victims are typically directed through a Tor-based website.
The FBI and CISA have previously warned about Akira’s operations, urging companies to bolster defenses and enforce MFA.
In an official statement, SonicWall confirmed to TechRadar:
"SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.
As always, we will communicate openly with our partners and customers as the investigation progresses. If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.
As a precaution, we strongly urge customers and partners using Gen 7 firewalls to take immediate mitigation steps:
- Disable SSLVPN services where practical - the additional mitigations below should be taken in all cases, including where disabling SSLVPN is not practical for the customer:
  - Limit SSLVPN connectivity to trusted source IPs.
  - Ensure Security Services (e.g., Botnet Protection, Geo-IP Filter) are enabled.
  - Remove unused or inactive firewall user accounts.
  - Promote strong password hygiene.
  - Enforce Multi-Factor Authentication (MFA) for all remote access (MFA enforcement alone may not protect against the activity under investigation)."