Zero-Day Suspected in SonicWall SSL VPN Attacks by Akira


In late July 2025, Arctic Wolf Labs observed a surge in Akira ransomware intrusions that began with access through SonicWall SSL VPN appliances. Arctic Wolf suspects, but has not confirmed, that the actors are exploiting a zero-day vulnerability, because access was obtained in environments running fully patched firmware with multi-factor authentication (MFA) enforced. The short interval between initial access and ransomware deployment points to a well-prepared and capable actor.

Severity Level: High

Threat Details

1. Initial Access

  • Vector: SonicWall SSL VPNs
  • Exploit Details: A zero-day vulnerability is suspected, though not yet confirmed.
  • Authentication Bypass: Intrusions occurred even after:
    • Full patching of SonicWall firmware
    • Credential rotation
    • MFA (Time-based One-Time Password) was enabled

2. Observed Behavior

  • VPN logins were initiated from VPS-hosted IP addresses rather than from the residential or business broadband ISPs normally seen for legitimate users.
  • Dwell time between VPN access and ransomware deployment was short, suggesting pre-staged ransomware binaries or heavily automated post-access activity.
  • The access pattern resembles activity Arctic Wolf reported as early as October 2024 involving Fog and Akira ransomware intrusions via SonicWall SSL VPNs.

3. Targeted Technology

  • SonicWall SSL VPN appliances
  • Arctic Wolf observed intrusions in environments where the appliance was patched and correctly configured, which points either to an unpatched vulnerability in the appliance itself or to reuse of previously stolen credentials or session tokens.

4. Login Infrastructure Used by Threat Actors

Login attempts were observed from the following hosting-related ASNs. Hosting networks are not inherently malicious, but SSL VPN logins originating from them rather than from an ISP are suspicious in this context:

  • AS23470 – ReliableSite.Net LLC
  • AS215540 – Global Connectivity Solutions LLP
  • AS64236 – UnReal Servers, LLC
  • AS14315 – 1GSERVERS, LLC
  • AS62240 – Clouvider Limited
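The ASN list above is most useful as detection logic run over VPN authentication logs. The following is an added example, not Arctic Wolf's or SonicWall's detection content: it parses constructed SonicOS-style syslog lines, resolves each source address to an ASN through a constructed lookup table (RFC 5737 documentation prefixes mapped to the listed ASNs purely for demonstration; the real prefixes differ, so in production resolve sources with an ASN database such as MaxMind GeoLite2-ASN or Team Cymru's IP-to-ASN service), and flags successful logins from the listed ASNs. It also generalises the idea, flagging any login from an ASN absent from that user's baseline, which catches hosting providers the advisory does not name. The log format, sample lines, baseline and ASN table are all assumptions made for the example.

```python
"""Flag SSL VPN logins from the hosting ASNs named in this advisory, and
logins from any ASN a user has not been seen on before.

Added example for illustration; not Arctic Wolf's or SonicWall's tooling.
Assumptions (none come from the advisory):
  * Log lines use a simplified key=value layout modelled on SonicOS syslog.
  * ASN_TABLE maps RFC 5737 documentation prefixes to the listed ASNs for
    demonstration only; the real prefixes of these ASNs are different.
"""
import ipaddress
import re

# ASNs listed in the advisory.
SUSPICIOUS_ASNS = {
    23470: "ReliableSite.Net LLC",
    215540: "Global Connectivity Solutions LLP",
    64236: "UnReal Servers, LLC",
    14315: "1GSERVERS, LLC",
    62240: "Clouvider Limited",
}

# Constructed lookup table. AS64496/AS64497 are documentation ASNs standing
# in for a residential ISP and for a VPS provider the advisory does not list.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 23470),
    (ipaddress.ip_network("198.51.100.0/25"), 62240),
    (ipaddress.ip_network("198.51.100.128/25"), 64236),
    (ipaddress.ip_network("203.0.113.0/25"), 64496),
    (ipaddress.ip_network("203.0.113.128/25"), 64497),
]

ALLOWED_MSG = "SSL VPN zone remote user login allowed"

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    'id=sslvpn time="2025-07-16 02:13:41" pri=6 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=192.0.2.45',
    'id=sslvpn time="2025-07-16 02:20:07" pri=6 msg="SSL VPN zone remote user login allowed" usr="asmith" src=203.0.113.8',
    'id=sslvpn time="2025-07-16 02:31:55" pri=5 msg="SSL VPN zone remote user login failed" usr="admin" src=198.51.100.201',
    'id=sslvpn time="2025-07-16 03:02:12" pri=6 msg="SSL VPN zone remote user login allowed" usr="admin" src=198.51.100.202',
    'id=sslvpn time="2025-07-16 03:15:30" pri=6 msg="SSL VPN zone remote user login allowed" usr="asmith" src=203.0.113.200',
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value syslog line into a dict; None if nothing parses."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields or None


def lookup_asn(ip):
    """First matching prefix wins; the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def allowed_logins(lines):
    """Yield successful SSL VPN logins with their source ASN attached."""
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("msg") != ALLOWED_MSG:
            continue
        yield {"time": ev["time"], "user": ev["usr"], "src": ev["src"],
               "asn": lookup_asn(ev["src"])}


def flag_listed_asns(lines):
    """Recommendation 3: successful logins from the ASNs named in the advisory."""
    return [dict(ev, org=SUSPICIOUS_ASNS[ev["asn"]])
            for ev in allowed_logins(lines) if ev["asn"] in SUSPICIOUS_ASNS]


def flag_unseen_asns(lines, baseline):
    """Generalisation: logins from an ASN absent from the user's baseline
    (baseline = {user: set of ASNs seen during a prior learning window}).
    Catches hosting providers the advisory does not list."""
    return [ev for ev in allowed_logins(lines)
            if ev["asn"] not in baseline.get(ev["user"], set())]


# Constructed baseline: every user normally connects from the residential ISP.
BASELINE = {"jdoe": {64496}, "asmith": {64496}, "admin": {64496}}

if __name__ == "__main__":
    for ev in flag_listed_asns(SAMPLE_LOGS):
        print("listed hosting ASN:", ev)
    for ev in flag_unseen_asns(SAMPLE_LOGS, BASELINE):
        print("ASN unseen for user:", ev)
```

On the sample input the listed-ASN check fires for jdoe and admin, while the baseline check additionally catches asmith's login from the unlisted VPS provider; the failed admin login is ignored because only successful logins matter for this use case. Where the appliance exposes it, the same logic applies to the VPN's own per-user "last login" data.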

5. Campaign Timeline

  • Spike started: July 15, 2025
  • Evidence of similar access patterns: As early as October 2024

Recommendations

  1. Organizations should consider disabling the SonicWall SSL VPN service until SonicWall confirms or patches the suspected zero-day vulnerability.
  2. Restrict access to VPN endpoints to known source IP ranges (allow-listing) or by geo-blocking where feasible.
  3. The threat actors were observed logging into SonicWall SSL VPN accounts from a handful of hosting-related ASNs. Where there is no valid business reason to allow logins from the ASNs below, block them outright or use them as a detection signal:
    • AS23470 (ReliableSite.Net LLC)
    • AS215540 (Global Connectivity Solutions LLP)
    • AS64236 (UnReal Servers, LLC)
    • AS14315 (1GSERVERS, LLC)
    • AS62240 (Clouvider Limited)
  4. The Veeam-Get-Creds.ps1 PowerShell script contains the following strings:
    • [System.Security.Cryptography.ProtectedData]::Unprotect
    • [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    • SqlDatabaseName

      A script block in PowerShell script block logging (event ID 4104) that contains all three strings together is a strong indication that this tool was run. The first two strings alone are not sufficient, since they also occur in legitimate DPAPI usage.
  5. Maintain up-to-date firmware on all edge appliances. Follow SonicWall’s vulnerability disclosures closely.
  6. Reassess the MFA mechanism in use. Consider hardware tokens (FIDO2/U2F) instead of software TOTP apps, bearing in mind that if the actors bypass authentication on the appliance itself or reuse stolen session tokens, as this activity suggests, the factor type alone will not close the gap.
  7. Immediately delete unused SSL VPN-enabled accounts and enforce the principle of least privilege (PoLP).
  8. Rotate all VPN credentials, especially administrative ones. Avoid password reuse across systems. Enable password change alerts.
  9. Block the published IOCs at the relevant controls (perimeter firewall, web proxy, EDR):
    https://www.virustotal.com/gui/collection/d2f94b7c356ad69517c1cbc6ff16e1c63fe528cb18d6f9c01d92ab4ccb8d2dad/iocs
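Recommendation 4 is easy to get wrong in a SIEM because PowerShell splits a large script block across several 4104 events that share a ScriptBlockId (with MessageNumber and MessageTotal fields), so the three strings can land in different events and a per-event match misses them. The following is an added example, not Arctic Wolf's detection content: it reassembles chunks per ScriptBlockId, matches the three strings case-insensitively (PowerShell type and member names are not case-sensitive), and reports only blocks that contain all three. The event records and their Path values are constructed stand-ins for exported 4104 entries, and the script text in them is filler around the indicator strings, not the tool itself.

```python
"""Detect the Veeam-Get-Creds.ps1 string triplet in PowerShell script block
logs (Microsoft-Windows-PowerShell/Operational, event ID 4104).

Added example; not Arctic Wolf's detection content. SAMPLE_EVENTS are
constructed stand-ins for exported 4104 records, with only the fields this
example uses.
"""
from collections import defaultdict

INDICATORS = (
    "[System.Security.Cryptography.ProtectedData]::Unprotect",
    "[System.Security.Cryptography.DataProtectionScope]::LocalMachine",
    "SqlDatabaseName",
)

# Constructed events; the script text is filler around the indicator strings.
SAMPLE_EVENTS = [
    {   # chunk 2 of 2 of a suspicious block, logged before chunk 1
        "ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2,
        "Path": "C:\\Users\\Public\\Veeam-Get-Creds.ps1",
        "ScriptBlockText": "$p = [system.security.cryptography.protecteddata]::unprotect("
                           "$b, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)\n",
    },
    {   # chunk 1 of 2 of the same block
        "ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2,
        "Path": "C:\\Users\\Public\\Veeam-Get-Creds.ps1",
        "ScriptBlockText": "$db = $cfg.SqlDatabaseName\n",
    },
    {   # benign single-chunk block: DPAPI use without the Veeam-specific string
        "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
        "Path": "C:\\Scripts\\decrypt-config.ps1",
        "ScriptBlockText": "[System.Security.Cryptography.ProtectedData]::Unprotect("
                           "$blob, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)\n",
    },
]


def reassemble(events):
    """Group 4104 events by ScriptBlockId and join chunks in MessageNumber order.
    Returns {ScriptBlockId: {"text": str, "complete": bool, "path": str}}."""
    chunks = defaultdict(dict)
    totals, paths = {}, {}
    for ev in events:
        sbid = ev["ScriptBlockId"]
        chunks[sbid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[sbid] = ev["MessageTotal"]
        paths[sbid] = ev.get("Path", "")
    return {
        sbid: {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": len(parts) == totals[sbid],
            "path": paths[sbid],
        }
        for sbid, parts in chunks.items()
    }


def matched_indicators(text):
    """Indicator strings present in text, compared case-insensitively."""
    lowered = text.lower()
    return [s for s in INDICATORS if s.lower() in lowered]


def detect(events):
    """Script blocks in which all three indicator strings occur together."""
    hits = []
    for sbid, block in reassemble(events).items():
        if len(matched_indicators(block["text"])) == len(INDICATORS):
            hits.append({"ScriptBlockId": sbid, "Path": block["path"],
                         "complete": block["complete"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("possible Veeam-Get-Creds.ps1 execution:", hit)
```

Only block b1 is reported, and only once both of its chunks have arrived; the benign DPAPI script matches two of the three strings and is ignored. In a streaming pipeline keep incomplete groups until their remaining chunks land, and treat the match as one signal rather than proof, since literal string matching is defeated by trivial obfuscation such as string concatenation or encoded commands.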

Source:

  • https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
  • https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/



Ampcus Cyber