- From mid-July 2025 there has been an uptick in malicious logins
- Researchers speculate criminals found a zero-day
- Users are advised to strengthen their cyber security posture
There is a chance that SonicWall SSL VPN devices carry a zero-day vulnerability that Akira's operators discovered and are now exploiting in the wild.
From mid-July this year, security researchers at Arctic Wolf Labs observed an uptick in malicious logins, all of which came through SonicWall SSL VPN appliances. Since some of the affected endpoints were fully patched at the time of intrusion, the researchers speculate that the devices may contain a zero-day vulnerability.
However, they have not ruled out the possibility that the attackers simply obtained a set of valid login credentials elsewhere and used them to gain access.
On the FBI’s radar
In any case, the organizations that suffered these malicious logins were also infected with Akira ransomware shortly afterwards.
"A short interval was observed between the initial SSL VPN account access and ransomware encryption," the researchers explained. "Unlike legitimate VPN logins, which typically come from networks run by broadband internet providers, ransomware groups often use virtual private server hosting for VPN authentication in compromised environments."
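The observation above, that attacker VPN logins tend to originate from VPS hosting ranges rather than residential broadband, can be turned into a simple triage check. The following is an added example, not code from the article or from Arctic Wolf; the log line format, the ASN table and the sample log lines are all constructed for illustration, and a real deployment would consult a GeoIP/ASN database instead of the hard-coded table.

```python
"""Flag successful SSL VPN logins whose source IP sits in hosting/VPS space.
Added example; the log format, ASN table and sample lines are constructed."""
import ipaddress
import re

# Constructed ASN map: prefix -> (asn, category). Hypothetical values only;
# a real deployment would query a GeoIP/ASN database or a threat feed.
ASN_TABLE = {
    "203.0.113.0/24": ("AS64500", "hosting"),     # hypothetical VPS provider
    "198.51.100.0/24": ("AS64501", "broadband"),  # hypothetical residential ISP
    "192.0.2.0/24": ("AS64502", "hosting"),       # hypothetical cloud range
}

# Constructed SSL VPN log lines: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2025-07-15T02:11:43Z user=jsmith src=198.51.100.27 result=success
2025-07-15T02:14:09Z user=svc-backup src=203.0.113.54 result=success
2025-07-15T02:15:31Z user=svc-backup src=203.0.113.54 result=success
2025-07-15T08:40:12Z user=akim src=192.0.2.199 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def classify_source(ip: str) -> str:
    """Return 'hosting', 'broadband' or 'unknown' for the given source IP."""
    addr = ipaddress.ip_address(ip)
    for prefix, (_asn, category) in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return category
    return "unknown"

def flag_hosting_logins(log_text: str) -> list:
    """Parse the log and return the successful logins that came from hosting space."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        rec = m.groupdict()
        if rec["result"] != "success":
            continue  # failed attempts are noise for this particular check
        rec["category"] = classify_source(rec["src"])
        if rec["category"] == "hosting":
            flagged.append(rec)
    return flagged
```

Each flagged record carries the user, source IP and timestamp, so the follow-up question is whether that account has MFA enforced and whether it should still exist at all.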
Until SonicWall releases a patch, or at least an explanation, companies that use these VPNs are advised to enforce multifactor authentication (MFA), remove inactive and unused firewall accounts, and make sure their passwords are fresh, strong and unique.
Akira is a ransomware strain that first appeared in March 2023 and has targeted companies across various sectors. It is known to gain an initial foothold through compromised VPN credentials and vulnerable services.
The group targets both Windows and Linux systems and is known to delete backups to prevent recovery. As of mid-2025, Akira has been responsible for attacks on hundreds of organizations globally, including Stanford University, Nissan Australia and Tietoevry. The group usually instructs its victims to contact it via a Tor-based site.
The FBI and CISA have issued warnings about its activity and call on organizations to implement stronger network defenses and multifactor authentication.
Via The Hacker News