
In late July 2025, Arctic Wolf identified a surge in ransomware intrusions that began with access through SonicWall SSL VPNs, with evidence pointing to exploitation of a likely zero-day vulnerability. Several incidents involved compromised VPN accounts even though the appliances were fully patched and TOTP-based MFA was enforced. In many cases the accounts were accessed shortly after their credentials had been rotated, which suggests an access method other than brute force or credential stuffing.
The Akira ransomware group appears to be behind the campaign, with related malicious VPN logins observed as far back as October 2024. The attackers authenticate to the VPN from Virtual Private Server (VPS) hosting providers, whereas legitimate users typically connect from residential broadband ISP address space; that difference in source network is one of the clearest indicators available in the VPN logs.
Arctic Wolf recommends temporarily disabling SonicWall SSL VPN services until official patches are available. Organizations should enable SonicWall log monitoring and deploy Arctic Wolf Agent and Sysmon for enhanced visibility. Customers are also urged to integrate supported Endpoint Detection and Response (EDR) solutions.
Additional hardening measures include enforcing MFA, removing unused accounts, maintaining strong password hygiene, and enabling SonicWall’s security services. Arctic Wolf also advises filtering VPN authentication from specific hosting-related ASNs associated with suspicious activity.
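The two log-based indicators mentioned above (successful VPN logins from hosting/VPS address space, and successful logins shortly after a credential rotation) can be checked with a small triage script. The following is an added example, not Arctic Wolf's or SonicWall's code: the log line format, the prefix-to-ASN table (using private ASNs 64512-64514 as placeholders), the blocked-ASN set and the rotation timestamps are all constructed for illustration, and a real deployment would feed actual SonicWall authentication logs and a proper ASN lookup instead.

```python
"""Triage VPN authentication events for two Akira-style indicators:
  1. successful login from a hosting/VPS ASN (the kind of ASN to filter), and
  2. successful login within a short window after a credential rotation.
Added example; log format, ASN table and rotation data are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed prefix-to-ASN table. 64512-64514 are private ASNs used only as
# placeholders; replace with a real lookup (e.g. a local BGP/ASN database).
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64512, "hosting"),
    (ipaddress.ip_network("203.0.113.0/24"), 64513, "hosting"),
    (ipaddress.ip_network("192.0.2.0/24"), 64514, "residential"),
]

# Hypothetical hosting ASNs an organization has decided to block (the
# analogue of the ASN filter recommended above).
BLOCKED_ASNS = {64512, 64513}

# Constructed log format; real SonicWall log lines look different, so the
# regex below would need to be adapted to the appliance's actual output.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample events: one residential login, two hosting-ASN logins,
# and one failed attempt that should be ignored.
SAMPLE_LOGS = """\
2025-07-20 08:02:11 user=alice src=192.0.2.10 result=success
2025-07-20 09:15:42 user=bob src=198.51.100.7 result=success
2025-07-21 02:40:05 user=carol src=203.0.113.9 result=success
2025-07-21 10:00:00 user=bob src=192.0.2.55 result=failure
""".splitlines()

# Constructed: when each account's password was last rotated.
ROTATIONS = {"carol": datetime(2025, 7, 20, 18, 0, 0)}
ROTATION_WINDOW = timedelta(hours=24)


def lookup_asn(ip: str):
    """Return (asn, kind) for an IP, or (None, 'unknown') if not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, kind in ASN_TABLE:
        if addr in net:
            return asn, kind
    return None, "unknown"


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def triage(lines, rotations=ROTATIONS, blocked=BLOCKED_ASNS):
    """Return [(user, src_ip, [reasons])] for successful logins that match
    at least one indicator. Failed logins and unparseable lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        asn, kind = lookup_asn(ev["src"])
        reasons = []
        if asn in blocked or kind == "hosting":
            reasons.append(f"login from hosting ASN {asn}")
        rotated_at = rotations.get(ev["user"])
        if rotated_at and rotated_at <= ev["ts"] <= rotated_at + ROTATION_WINDOW:
            reasons.append("success within 24h of credential rotation")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in triage(SAMPLE_LOGS):
        print(f"{user} from {src}: {'; '.join(reasons)}")
```

On the constructed sample, alice's residential login produces no finding, bob's login from 198.51.100.7 is flagged for the hosting ASN, and carol's login is flagged on both indicators because it comes from a hosting ASN less than 24 hours after her rotation. The "hosting" classification here is a placeholder; in practice the ASN-to-category mapping is the part that needs real data, and a blocked-ASN list should be reviewed so that legitimate remote users who do connect through hosting providers (for example, a corporate jump host) are exempted explicitly rather than silently dropped.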
Research is ongoing, and organizations are encouraged to remain alert for further guidance as new intelligence becomes available.
Contact us : Finstein Cyber — Cybersecurity & VAPT Services
#Cybersecurity #Ransomware #AkiraRansomware #SonicWallVPN #ZeroDay #Infosec #ThreatIntel #MFA #VPNSecurity #EDR #ArcticWolf #CyberDefense #Sysmon #IncidentResponse #DataProtection #NetworkSecurity #CISO #ITSecurity
