- From mid-July 2025, there’s been an uptick in malicious logins
- Researchers speculate criminals found a zero-day
- Users are advised to strengthen their cybersecurity posture
There is a chance SonicWall SSL VPN devices are carrying a zero-day vulnerability that Akira’s cybercriminals discovered, and are now using in the wild.
As of mid-July this year, cybersecurity researchers Arctic Wolf Labs observed an uptick in malicious logins, all coming through SonicWall SSL VPN instances. Since some of the endpoints were fully patched at the time of the intrusion, the researchers speculate that they might contain a zero-day flaw.
However, they haven’t ruled out the possibility that the attackers just obtained a set of active login credentials from somewhere and used them to gain access.
On the FBI’s radar
In any case, organizations that suffered these malicious logins also got infected with the Akira ransomware soon after.
“A short interval was observed between initial SSL VPN account access and ransomware encryption,” the researchers explained. “In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”
Until SonicWall comes forward with a patch, or at least an explanation, businesses using these VPNs are advised to enforce multi-factor authentication (MFA), delete inactive and unused firewall accounts, and make sure their passwords are fresh, strong, and unique.
Akira is a ransomware strain that first appeared in March 2023, targeting businesses across various sectors. It is known for gaining the initial foothold through compromised VPN credentials and exposed services.
The group targets both Windows and Linux systems, and is known for dismantling backups to hinder recovery. As of mid-2025, Akira has been responsible for attacks on hundreds of organizations globally, including Stanford University, Nissan Australia, and Tietoevry. The group usually directs its victims to contact them via a Tor-based website.
The FBI and CISA have issued warnings about its activity, urging organizations to implement stronger network defenses and multifactor authentication.
Via The Hacker News
You might also like
