Ethical Hacking News
SonicWall's SSL VPN has been targeted by a surge in Akira ransomware attacks, raising concerns about potential zero-day vulnerabilities. Follow the latest updates on this developing story as SonicWall investigates the breach.
SonicWall firewalls with SSL VPN enabled are being targeted by Akira ransomware attacks. The intrusions begin with a compromise of the SonicWall appliance and proceed through familiar post-exploitation steps before the ransomware is deployed. A suspected zero-day vulnerability affects firmware versions 7.2.0-7015 and earlier. SonicWall has advised organizations to follow specific mitigation steps, including disabling SSL VPN services where practical and enforcing multi-factor authentication.
SonicWall, a network security vendor, is investigating whether a zero-day vulnerability is behind a surge in Akira ransomware attacks against its firewalls with SSL VPN enabled.
The situation began to unfold in late July 2025, when the cybersecurity firm Arctic Wolf reported a significant increase in Akira ransomware activity in which SonicWall SSL VPN devices were being used for initial access, apparently through a vulnerability that was not yet publicly known. Huntress, another cybersecurity company, corroborated Arctic Wolf's findings and reported more than 20 attacks tied to the latest wave.
According to Huntress's analysis, the attack chains begin with the compromise of the SonicWall appliance, after which the attackers follow a "well-worn" post-exploitation path: enumeration, detection evasion, lateral movement, and credential theft. They disabled Microsoft Defender Antivirus and deleted volume shadow copies before deploying Akira ransomware.
Huntress further noted evidence that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild. If the flaw allows authentication to be bypassed, MFA on the VPN login will not stop initial access, which is why the most effective interim measures are to disable or tightly restrict the service rather than only to harden accounts.
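The two host-side actions Huntress describes before ransomware deployment, Defender being disabled and volume shadow copies being deleted, are cheap to detect from process-creation telemetry. The script below is an added example written for this page, not code from Huntress, Arctic Wolf or SonicWall: it classifies command lines against patterns for those two stages and escalates a host on which both appear within a short window. The events are constructed to look like Sysmon Event ID 1 / Windows 4688 fields; the hostnames, users and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events in the shape of Sysmon Event ID 1 /
# Windows 4688 fields. Illustrative only; not telemetry from the incidents
# described in the article.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-07-28T02:11:05Z", "user": "CORP\\svc_backup",
     "cmd": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "FS01", "ts": "2025-07-28T02:11:40Z", "user": "CORP\\svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "ts": "2025-07-28T02:12:10Z", "user": "CORP\\svc_backup",
     "cmd": "wmic.exe shadowcopy delete"},
    {"host": "DC01", "ts": "2025-07-28T03:00:00Z", "user": "CORP\\Administrator",
     "cmd": "powershell.exe Add-MpPreference -ExclusionPath C:\\ProgramData"},
    {"host": "WS22", "ts": "2025-07-28T09:30:00Z", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# Command-line patterns for the two pre-ransomware stages named in the article.
RULES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w*", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy\b.*\bDelete\b", re.I),
}


def classify(cmdline):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def _parse_ts(ts):
    # Sysmon/4688 UtcTime-style value; 'Z' is normalised so fromisoformat accepts it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(events, window_seconds=3600):
    """Group rule hits per host. A host showing every stage inside the window
    gets severity 'high' (the sequence seen before Akira deployment); a single
    stage is 'medium' and still worth a look on its own."""
    hits = defaultdict(list)
    for ev in events:
        for stage in classify(ev["cmd"]):
            hits[ev["host"]].append((_parse_ts(ev["ts"]), stage, ev["user"], ev["cmd"]))

    alerts = {}
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        stages = {h[1] for h in host_hits}
        span = (host_hits[-1][0] - host_hits[0][0]).total_seconds()
        severity = "high" if len(stages) == len(RULES) and span <= window_seconds else "medium"
        alerts[host] = {
            "severity": severity,
            "stages": sorted(stages),
            "users": sorted({h[2] for h in host_hits}),
            "first_seen": host_hits[0][0].isoformat(),
            "commands": [h[3] for h in host_hits],
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {alert['severity']} {alert['stages']} by {alert['users']}")
```

The correlation deliberately keys on the host rather than the user, because in the chain described above the same compromised account performs both steps and a single-stage hit (an admin adding a Defender exclusion) is common enough that it should be triaged, not paged on. Tune the window and add the patterns your own environment uses (for example `Remove-MpPreference` or `bcdedit` recovery changes) before deploying.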
In response to this emerging threat, SonicWall has advised organizations using Gen 7 firewalls with SSL VPN services to follow specific steps:
1. Disable SSL VPN services where practical
2. Limit SSL VPN connectivity to trusted IP addresses
3. Activate services such as Botnet Protection and Geo-IP Filtering
4. Enforce multi-factor authentication
5. Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
6. Encourage regular password updates across all user accounts
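Steps 2 and 5 above are the ones that need data rather than a checkbox: which source addresses have actually been logging in to SSL VPN, and which local accounts with SSL VPN access are idle. The audit below is an added example written for this page, not SonicWall's own tooling. The log lines are constructed in the key=value syslog style SonicWall appliances emit, but the message text, field order, the group name "SSLVPN Services", the trusted network, the audit date and the 90-day idle threshold are all assumptions to replace with your own values.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed lines in the key=value syslog style SonicWall appliances use.
# Message text and field order are illustrative; check the log reference for
# your firmware before pointing the regex at a real export.
SAMPLE_LOG = """\
time="2025-03-01 10:15:00" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="old_contractor" src=198.51.100.40:50011
time="2025-07-20 08:02:11" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.23:51234
time="2025-07-27 23:41:50" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="backup_svc" src=192.0.2.77:44021
time="2025-07-28 01:04:30" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login failed" usr="admin" src=192.0.2.78:44099
time="2025-07-28 01:05:03" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="admin" src=192.0.2.78:44100
"""

# Constructed local-account inventory: user -> groups. "SSLVPN Services" is
# assumed here to be the group that grants SSL VPN access.
VPN_GROUP = "SSLVPN Services"
LOCAL_USERS = {
    "jsmith": [VPN_GROUP],
    "backup_svc": [VPN_GROUP],
    "admin": [VPN_GROUP, "Administrators"],
    "old_contractor": [VPN_GROUP],
    "tmp_vendor": [VPN_GROUP],
    "printer_svc": [],
}

# Step 2: the only networks SSL VPN should accept connections from (assumed).
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Step 5: reference date for the audit and the idle threshold (assumed values).
AUDIT_AS_OF = datetime(2025, 8, 5, tzinfo=timezone.utc)
MAX_IDLE_DAYS = 90

LINE_RX = re.compile(
    r'time="(?P<time>[^"]+)".*?msg="(?P<msg>[^"]*)".*?usr="(?P<usr>[^"]*)"'
    r'.*?src=(?P<src>\d+\.\d+\.\d+\.\d+)')


def parse_logins(log):
    """Return successful SSL VPN logins as (time, user, source_ip); appliance clock assumed UTC."""
    out = []
    for line in log.splitlines():
        m = LINE_RX.search(line)
        if not m or "login allowed" not in m["msg"]:
            continue
        ts = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append((ts, m["usr"], m["src"]))
    return out


def untrusted_logins(logins, trusted):
    """Logins whose source lies outside every trusted network (step 2)."""
    flagged = set()
    for _, user, src in logins:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted):
            flagged.add((user, src))
    return sorted(flagged)


def stale_vpn_users(logins, users, as_of, max_idle_days):
    """Local users with SSL VPN access that never logged in, or not within the threshold (step 5)."""
    last_seen = {}
    for ts, user, _ in logins:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    cutoff = as_of - timedelta(days=max_idle_days)
    never = cutoff - timedelta(days=1)   # sentinel: no login at all counts as stale
    return sorted(u for u, groups in users.items()
                  if VPN_GROUP in groups and last_seen.get(u, never) < cutoff)


def run_audit(log=SAMPLE_LOG, users=LOCAL_USERS, trusted=TRUSTED_SOURCES,
              as_of=AUDIT_AS_OF, max_idle_days=MAX_IDLE_DAYS):
    logins = parse_logins(log)
    return {
        "untrusted_logins": untrusted_logins(logins, trusted),
        "stale_vpn_users": stale_vpn_users(logins, users, as_of, max_idle_days),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(finding, items)
```

Run it against a syslog export covering at least the idle window, otherwise a legitimately active account looks stale. Logins from outside the trusted list are the candidates for an IP allow-list on the SSL VPN zone, and accounts in the stale list are the ones step 5 says to remove; if the flaw really does bypass authentication, reducing the set of accounts that can be impersonated is what limits the blast radius.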
As SonicWall investigates, the practical lesson for defenders is to assume that an internet-facing VPN appliance can be compromised before a patch exists: watch for the post-exploitation signals described above (security tooling being disabled, shadow copies being deleted, unexpected lateral movement) and reduce the appliance's exposure now rather than waiting for a fix.
The surge in Akira attacks against SonicWall SSL VPN is a reminder that securing the network edge is an ongoing effort, not a one-time configuration, and that detection and response planning has to cover the case where the perimeter device itself is the point of entry.
Related Information:
https://www.ethicalhackingnews.com/articles/SonicWalls-SSL-VPN-Zero-Day-Nightmare-A-Brewing-Storm-of-Cyber-Chaos-ehn.shtml
https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html
https://en.wikipedia.org/wiki/Akira_(ransomware)
https://attack.mitre.org/groups/G1024/
Published: Tue Aug 5 01:56:26 2025 by llama3.2 3B Q4_K_M