

Ethical Hacking News

Akira Ransomware's Targeting of Fully Patched SonicWall VPNs: A Zero-Day Vulnerability Exposed



Akira ransomware has targeted fully patched SonicWall VPNs in a likely zero-day attack, compromising devices with MFA and rotated credentials. Organizations are advised to disable the VPN service, enforce MFA, remove unused accounts, and conduct regular password updates to protect against this emerging threat.

  • Threat actors behind Akira ransomware have targeted fully patched SonicWall SSL VPNs with a likely zero-day attack.
  • The attackers are using Virtual Private Server (VPS) hosting for VPN logins, which sets them apart from legitimate connections.
  • Arctic Wolf Labs recommends disabling the SonicWall SSL VPN service until a patch is made available and deployed.
  • Enforcing MFA, removing unused firewall accounts, and conducting regular password updates can help mitigate exposure to malicious VPN logins.



    Akira ransomware, a highly sophisticated and feared malware family, has been making headlines for its relentless attacks on various organizations across different industries. Recently, the threat actors behind this notorious ransomware gang have set their sights on fully patched SonicWall SSL VPNs in what appears to be a likely zero-day attack. This article delves into the details of this emerging threat and explores the implications for organizations that rely on these secure networks.

    In recent weeks, Arctic Wolf Labs researchers have been tracking a surge in ransomware activity targeting SonicWall SSL VPNs. The attacks began to manifest in late July 2025, with similar cases dating back to October 2024. This sudden escalation suggests that the threat actors involved have identified a previously unknown vulnerability in these VPN solutions, which they are exploiting to gain unauthorized access.

    Further analysis by Arctic Wolf Labs reveals that, in some instances, fully patched SonicWall devices were still compromised even with multi-factor authentication (MFA) enabled and credentials rotated. The researchers suggest that this evidence points to the existence of a zero-day vulnerability, meaning that there is no known patch or fix available for this particular flaw.

    This finding has significant implications for organizations that rely on SonicWall VPNs for secure remote access. The attackers are using Virtual Private Server (VPS) hosting for VPN logins, which sets them apart from legitimate VPN connections originating from broadband internet service providers' networks. This distinction highlights the cunning and adaptable nature of these threat actors, who will stop at nothing to exploit vulnerabilities in their pursuit of financial gain.

    Arctic Wolf Labs recommends that organizations disable the SonicWall SSL VPN service until a patch is made available and deployed. Furthermore, they advise enforcing MFA for all remote access, removing unused firewall accounts, and conducting regular password updates. To mitigate exposure to malicious VPN logins, organizations can consider blocking authentication from hosting-related Autonomous System Numbers (ASNs), though this may have unintended consequences, such as disrupting operations.
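
    Before blocking hosting-related ASNs outright, the same classification can be run in report-only mode over VPN login records to see what a block would affect. The Python sketch below is an added example, not code from Arctic Wolf Labs or SonicWall; the key=value log format, the prefix-to-ASN table, and the names `lookup` and `flag_hosting_logins` are assumptions, and all addresses and ASNs are reserved documentation values.

```python
import ipaddress
import re

# Constructed prefix -> (ASN, kind) table using documentation ranges and ASNs.
# Assumption: a real deployment would load this from an IP-to-ASN dataset.
TABLE = [(ipaddress.ip_network(p), asn, kind) for p, asn, kind in [
    ("198.51.100.0/24", 64500, "hosting"),
    ("192.0.2.0/24", 64502, "hosting"),
    ("203.0.113.0/24", 64501, "isp"),
]]

# Constructed sample records in a generic key=value form (not a vendor log format).
SAMPLE_LOG = """\
2025-07-28T02:14:07Z event=sslvpn_login result=success user=jsmith src=203.0.113.45
2025-07-28T03:02:51Z event=sslvpn_login result=success user=svc_backup src=198.51.100.23
2025-07-28T03:05:10Z event=sslvpn_login result=failure user=admin src=192.0.2.77
2025-07-28T08:30:00Z event=sslvpn_login result=success user=mlee src=10.20.30.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=sslvpn_login result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def lookup(ip):
    """Longest-prefix match; returns (asn, kind), or None if the IP is unmapped."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn, kind) for net, asn, kind in TABLE if addr in net]
    return max(hits)[1:] if hits else None

def flag_hosting_logins(log_text, allow_asns=frozenset()):
    """Report VPN logins sourced from hosting ASNs, skipping allow-listed ASNs."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a VPN login record
        try:
            info = lookup(m["src"])
        except ValueError:
            continue  # malformed source address
        if info and info[1] == "hosting" and info[0] not in allow_asns:
            # A successful login from hosting space is the higher-priority signal.
            sev = "high" if m["result"] == "success" else "low"
            findings.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                             "asn": info[0], "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in flag_hosting_logins(SAMPLE_LOG):
        print(finding)
```

    The `allow_asns` parameter covers the operational-disruption caveat: an ASN the organization legitimately connects from can be exempted before any block is enforced.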

    The Akira ransomware family has been active since March 2023, with the threat actors behind this malware having successfully hacked multiple organizations across various industries, including education, finance, and real estate. Notably, they have developed a Linux encryptor to target VMware ESXi servers, further underscoring their commitment to diversifying their attack vectors.

    In light of this emerging threat, it is essential for organizations to remain vigilant and take proactive measures to fortify their defenses against the Akira ransomware gang. By staying informed about the latest developments in this space, organizations can better equip themselves to prevent or mitigate potential attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Akira-Ransomwares-Targeting-of-Fully-Patched-SonicWall-VPNs-A-Zero-Day-Vulnerability-Exposed-ehn.shtml

  • https://securityaffairs.com/180724/cyber-crime/akira-ransomware-targets-sonicwall-vpns-in-likely-zero-day-attacks.html


  • Published: Sun Aug 3 09:51:30 2025 by llama3.2 3B Q4_K_M












