In late July 2025, Arctic Wolf Labs observed a surge in Akira ransomware intrusions targeting SonicWall SSL VPN appliances. The threat actors are suspected to be exploiting a potential zero-day vulnerability, enabling access to corporate environments despite patched firmware and active multi-factor authentication (MFA). The activity demonstrates a rapid progression from initial access to ransomware deployment, indicating a high level of attacker sophistication.
Severity Level: High
Threat Details
1. Initial Access
- Vector: SonicWall SSL VPNs
- Exploit Details: A zero-day vulnerability is suspected, though not yet confirmed.
- Authentication Bypass: Intrusions occurred even after:
  - Full patching of SonicWall firmware
  - Credential rotation
  - MFA (time-based one-time password, TOTP) enabled
2. Observed Behavior
- Attackers initiated VPN logins from VPS-hosted IPs, deviating from normal ISP traffic patterns.
- Short dwell time between VPN access and ransomware deployment, suggesting pre-staged ransomware binaries or rapid attack automation.
- The campaign resembles earlier activity dating back to October 2024.
3. Targeted Technology
- SonicWall SSL VPN appliances
- Arctic Wolf observed intrusions in environments with properly configured systems, pointing to either a deep-seated vulnerability or previously stolen session tokens.
4. Authentication Infrastructure Used by Threat Actors
Login attempts observed from hosting-related ASNs, which are not inherently malicious but are considered suspicious in this context:
- AS23470 – ReliableSite.Net LLC
- AS215540 – Global Connectivity Solutions LLP
- AS64236 – UnReal Servers, LLC
- AS14315 – 1GSERVERS, LLC
- AS62240 – Clouvider Limited
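The ASN list above (and the same list repeated under Recommendations) is easiest to act on as a detection rule rather than a static block list. The Python below is an added example, not Arctic Wolf's tooling or anything taken from the page: it parses a hypothetical key=value VPN login log format, resolves each source address to an ASN by longest-prefix match, and flags every login attempt (successful or failed) that originates from one of the five hosting-related ASNs. The prefix table uses RFC 5737 documentation ranges and is constructed purely for the demonstration; those prefixes do not belong to the listed ASNs, so in production you would load a real IP-to-ASN dataset instead.

```python
import ipaddress
import re
from collections import Counter

# Hosting-related ASNs named in the advisory. Logins from them are suspicious
# in this context, not proof of compromise: tune the list to your own business needs.
WATCHLIST_ASNS = {
    23470: "ReliableSite.Net LLC",
    215540: "Global Connectivity Solutions LLP",
    64236: "UnReal Servers, LLC",
    14315: "1GSERVERS, LLC",
    62240: "Clouvider Limited",
}

# CONSTRUCTED prefix-to-ASN table using RFC 5737 documentation ranges and a
# documentation ASN (AS64496, RFC 5398). These prefixes do NOT belong to the
# listed ASNs; in production, load a real IP-to-ASN dataset (e.g. a MaxMind
# GeoLite2-ASN database or bulk Team Cymru lookups) instead.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 23470),
    (ipaddress.ip_network("198.51.100.0/25"), 62240),
    (ipaddress.ip_network("198.51.100.128/25"), 64236),
    (ipaddress.ip_network("192.0.2.0/24"), 64496),  # stand-in for a residential ISP
]

# Hypothetical key=value login record format; adapt the regex to your
# appliance's actual syslog layout.
LOGIN_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+event=login\s+result=(?P<result>\S+)"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-07-16T03:12:44Z vpn-gw sslvpn: user=jdoe src=203.0.113.45 event=login result=success",
    "2025-07-16T03:13:02Z vpn-gw sslvpn: user=asmith src=192.0.2.10 event=login result=success",
    "2025-07-16T03:14:19Z vpn-gw sslvpn: user=admin src=198.51.100.200 event=login result=failure",
    "2025-07-16T03:15:51Z vpn-gw sslvpn: user=jdoe src=203.0.113.45 event=logout",
    "2025-07-16T03:16:07Z vpn-gw sslvpn: user=svc-backup src=198.51.100.7 event=login result=success",
    "2025-07-16T03:17:30Z vpn-gw sslvpn: user=bjones src=10.0.0.5 event=login result=success",
]


def lookup_asn(ip: str):
    """Longest-prefix match of an address against PREFIX_TABLE; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def parse_login(line: str):
    """Return the user/src/result fields of a login record, or None for other events."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def flag_suspicious_logins(lines):
    """Return every login attempt (successful or not) sourced from a watchlisted ASN.

    Failed attempts are kept on purpose: a burst of failures from a hosting
    provider is itself worth an alert.
    """
    findings = []
    for line in lines:
        rec = parse_login(line)
        if rec is None:
            continue
        asn = lookup_asn(rec["src"])
        if asn in WATCHLIST_ASNS:
            findings.append({**rec, "asn": asn, "org": WATCHLIST_ASNS[asn]})
    return findings


def logins_per_asn(findings):
    """Count flagged attempts per ASN, handy for a daily roll-up."""
    return Counter(f["asn"] for f in findings)


if __name__ == "__main__":
    hits = flag_suspicious_logins(SAMPLE_LOGS)
    for h in hits:
        print(f"ALERT user={h['user']} src={h['src']} AS{h['asn']} ({h['org']}) result={h['result']}")
    print(dict(logins_per_asn(hits)))
```

Run against the constructed sample, three of the six lines are flagged: the logout event is ignored, the residential-ISP login is not flagged, and the login from an address with no ASN mapping is left alone rather than alerted on. If your users legitimately connect through one of these providers, drop that ASN from the watchlist rather than tolerating constant false positives.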
5. Campaign Timeline
- Spike started: July 15, 2025
- Evidence of similar access patterns: As early as October 2024
Recommendations
- Organizations should consider disabling the SonicWall SSL VPN service until SonicWall confirms or patches the suspected zero-day vulnerability.
- Limit access to VPN endpoints using IP whitelisting or geo-blocking where feasible.
- Threat actors have been observed logging into SonicWall SSL VPN accounts from a handful of hosting-related ASNs. Where an organization has no valid business reason to allow logins from the specific ASNs below, login attempts from them can be blocked outright or otherwise used for detection:
  - AS23470 (ReliableSite.Net LLC)
  - AS215540 (Global Connectivity Solutions LLP)
  - AS64236 (UnReal Servers, LLC)
  - AS14315 (1GSERVERS, LLC)
  - AS62240 (Clouvider Limited)
- The Veeam-Get-Creds.ps1 PowerShell script contains the following strings:
  - [System.Security.Cryptography.ProtectedData]::Unprotect
  - [System.Security.Cryptography.DataProtectionScope]::LocalMachine
  - SqlDatabaseName
  Detecting all three strings together in PowerShell script block logging may identify usage of this tool.
- Maintain up-to-date firmware on all edge appliances. Follow SonicWall’s vulnerability disclosures closely.
- Reassess the MFA mechanism being used. Consider hardware tokens (FIDO2/U2F) instead of software TOTP apps.
- Immediately delete unused SSL VPN-enabled accounts and enforce the principle of least privilege (PoLP).
- Rotate all VPN credentials, especially administrative ones. Avoid password reuse across systems. Enable password change alerts.
- Block the IOCs at their respective controls:
  https://www.virustotal.com/gui/collection/d2f94b7c356ad69517c1cbc6ff16e1c63fe528cb18d6f9c01d92ab4ccb8d2dad/iocs
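The script block logging recommendation has one practical wrinkle: Windows splits a long script block across several Event ID 4104 records (sharing a ScriptBlockId, numbered by MessageNumber/MessageTotal), so matching "all three strings" against individual events can miss a script whose indicators land in different fragments. The Python below is an added example written for this advisory, not Arctic Wolf's detection content: it reassembles 4104 fragments by ScriptBlockId before testing for the three strings, and matches case-insensitively because PowerShell itself is case-insensitive. The field names ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText are the real EventData fields of 4104 records; the sample events and their GUIDs are constructed, and the script text in them is a stand-in rather than the real Veeam-Get-Creds.ps1.

```python
from collections import defaultdict

# The three strings the advisory associates with Veeam-Get-Creds.ps1.
REQUIRED_STRINGS = (
    "[System.Security.Cryptography.ProtectedData]::Unprotect",
    "[System.Security.Cryptography.DataProtectionScope]::LocalMachine",
    "SqlDatabaseName",
)

# Constructed Event ID 4104 records (Microsoft-Windows-PowerShell/Operational),
# reduced to the EventData fields the detection needs. The ScriptBlockIds and
# script text are made up for this example.
# Block A is the kind of long script that Windows splits across several 4104
# events: the three strings are spread over two fragments.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "aaaaaaaa-0000-4000-8000-000000000001", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$db = (Get-ItemProperty -Path $regKey).SqlDatabaseName\n"
                        "$blob = [Convert]::FromBase64String($enc)\n"},
    {"ScriptBlockId": "aaaaaaaa-0000-4000-8000-000000000001", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "[System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, "
                        "[System.Security.Cryptography.DataProtectionScope]::LocalMachine)\n"},
    # Block B: benign admin script using DPAPI in user scope; only one indicator present.
    {"ScriptBlockId": "bbbbbbbb-0000-4000-8000-000000000002", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, "
                        "[System.Security.Cryptography.DataProtectionScope]::CurrentUser)\n"},
    # Block C: single-fragment script with all three strings in lower case, which
    # PowerShell accepts, so the match must be case-insensitive.
    {"ScriptBlockId": "cccccccc-0000-4000-8000-000000000003", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[system.security.cryptography.protecteddata]::unprotect($b, $null, "
                        "[system.security.cryptography.dataprotectionscope]::localmachine); "
                        "$x.sqldatabasename\n"},
]


def reassemble_script_blocks(events):
    """Join 4104 fragments that share a ScriptBlockId, ordered by MessageNumber.

    Returns {ScriptBlockId: full_text}. A block whose fragments have not all
    arrived yet is returned with whatever has been seen so far, so the caller
    can re-evaluate it as more events stream in.
    """
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
    return {sbid: "".join(frags[n] for n in sorted(frags)) for sbid, frags in parts.items()}


def matches_veeam_get_creds(text: str) -> bool:
    """True when all three indicator strings occur (case-insensitively) in the text."""
    lowered = text.lower()
    return all(s.lower() in lowered for s in REQUIRED_STRINGS)


def detect(events):
    """Return the ScriptBlockIds whose reassembled text carries all three indicators, sorted."""
    blocks = reassemble_script_blocks(events)
    return sorted(sbid for sbid, text in blocks.items() if matches_veeam_get_creds(text))


if __name__ == "__main__":
    for sbid in detect(SAMPLE_EVENTS):
        print(f"ALERT possible Veeam-Get-Creds.ps1 usage, ScriptBlockId={sbid}")
```

On the constructed sample, blocks A and C are reported and block B is not; checking each 4104 event on its own would have missed block A entirely. This is a plain string signature, so it is cheap to run in a SIEM but equally cheap for an operator to defeat by renaming or splitting the strings; treat it as one signal alongside the VPN login telemetry rather than a standalone control.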
Source:
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
- https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/