
SonicWall investigates possible zero-day amid Akira ransomware surge

Threat Score: 78 | 10 articles | 100.0% similarity | 17 hours ago

Activity Timeline: 10 articles, published between Aug 04 and Aug 05.

Key Insights

1. SonicWall has reported a significant surge in cyberattacks targeting Gen 7 firewalls with SSLVPN enabled over the past 72 hours, indicating a potential zero-day vulnerability being exploited.
2. Multiple cybersecurity firms, including Arctic Wolf and Huntress, have confirmed that the Akira ransomware is being deployed through these attacks, with indications of bypassing multi-factor authentication (MFA).
3. SonicWall has urged administrators to disable SSLVPN services immediately to mitigate risks, citing that intrusions have been observed even on fully updated devices with MFA enabled.
4. Arctic Wolf Labs noted a strong likelihood of credential access methods such as brute force and credential stuffing, although the initial access vectors remain unconfirmed.
5. SonicWall is collaborating with leading cybersecurity firms such as Google Mandiant to investigate the attacks and determine whether they stem from an existing vulnerability or a new exploit.
6. The ongoing attacks target Gen 7 SonicWall firewalls running various firmware versions, posing a high risk of privilege escalation, lateral movement, and data exfiltration.

Threat Overview

SonicWall has issued an urgent advisory following a marked increase in cyberattacks against its Generation 7 firewalls with SSLVPN functionality, reported over a concentrated 72-hour period. The company is investigating a possible zero-day vulnerability, as multiple cybersecurity firms, including Arctic Wolf and Huntress, have identified that these attacks may involve the Akira ransomware, capable of bypassing multi-factor authentication (MFA). 'The initial access methods have not yet been confirmed in this campaign,' Arctic Wolf researchers stated, emphasizing the potential for various credential access techniques. SonicWall has advised customers to disable SSLVPN services immediately to mitigate the risk of exploitation. The incidents are concerning given that they have been reported even on fully updated firewall devices with MFA enabled, suggesting sophisticated attack methodologies.

SonicWall is working closely with prominent threat research organizations to ascertain the nature of the attacks and whether they are linked to previously disclosed vulnerabilities. The collaboration with firms such as Google Mandiant and Huntress is crucial in assessing the severity and scope of the incidents.

SonicWall has reported that the attacks involve post-exploitation activities such as privilege escalation, lateral movement, and data exfiltration, with the Akira ransomware being deployed in several instances. The cybersecurity community is on high alert, with Huntress confirming the exploitation of a likely zero-day vulnerability in SonicWall VPNs. 'We're seeing threat actors pivot directly to domain controllers within hours of the initial breach,' a Huntress representative indicated.

To counteract the rising threat, SonicWall has recommended limiting SSLVPN connectivity to trusted IPs, enabling security services such as botnet protection, and removing inactive user accounts.
As the investigation continues, SonicWall pledges to release any necessary security updates as quickly as possible. The situation remains dynamic, and administrators are urged to remain vigilant and proactive in their security measures.

Tactics, Techniques & Procedures (TTPs)

T1190 Exploit Public-Facing Application - Attackers exploit the SSLVPN functionality of SonicWall Gen 7 firewalls to gain unauthorized access [3][6].
T1078 Valid Accounts - Credential access methods such as brute force and credential stuffing are likely utilized to bypass security measures [3][5].
T1557 Adversary-in-the-Middle - Exploitation techniques may include intercepting credentials during the initial access phase [4][5].
T1566.002 Spearphishing Link - Phishing attacks may be employed to gain initial access to the firewall systems [2][4].
T1059.007 JavaScript/JScript - Ransomware deployment involves executing scripts that facilitate lateral movement and privilege escalation [1][5].
T1046 Network Service Scanning - Attackers may scan for vulnerable SSLVPN services across various organizations [2][4].
T1071.001 Application Layer Protocol: Web Protocols - Use of web protocols to communicate with command and control (C2) servers for data exfiltration [6][7].

Timeline of Events

2025-07-15: Arctic Wolf Labs begins observing multiple Akira ransomware attacks targeting SonicWall Gen 7 firewalls with SSLVPN enabled [3][5].
2025-08-04: SonicWall issues an urgent advisory regarding the surge in attacks [1][8].
2025-08-04: Huntress confirms the exploitation of a likely zero-day vulnerability in SonicWall VPNs [6][10].
2025-08-05: SonicWall urges administrators to disable SSLVPN services and implement security measures [3][4].
2025-08-05: SonicWall collaborates with Arctic Wolf, Google Mandiant, and Huntress to assess the nature of the attacks [4][5].
Ongoing: Investigations continue as SonicWall monitors attack patterns and potential vulnerabilities [5][6].

Source Citations

Expert quotes: Huntress (Article 6); Arctic Wolf Labs (Article 3); SonicWall spokesperson (Article 7)
Primary findings: Ransomware deployment details (Articles 2, 5); SonicWall advisory on attacks (Articles 1, 8); Vulnerability exploitation confirmation (Articles 3, 6)
Technical details: Attack methods and vectors (Articles 4, 7); Post-exploitation activities (Articles 1, 3)

Powered by ThreatCluster AI. Generated 1 hour ago. AI analysis may contain inaccuracies.

Related Articles (10 articles)

1. SonicWall investigates possible zero-day amid Akira ransomware surge
Security Affairs, 7 hours ago. Score 80, 100.0% similarity.
SonicWall probes possible new zero-day after spike in Akira ransomware attacks on Gen 7 firewalls with SSLVPN enabled. SonicWall is investigating a potential new zero-day after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company is working to determine if the incidents stem from an existing flaw or a […]
2. SonicWall Alerts on Surge of Attacks Against Gen 7 Firewalls Over Past 72 Hours
GB Hackers, 4 hours ago. Score 78, 100.0% similarity.
SonicWall has issued an urgent security advisory following a significant escalation in cyberattacks targeting Generation 7 firewalls with enabled SSLVPN functionality over the past three days. The cybersecurity company is actively investigating whether these incidents stem from a previously disclosed vulnerability or represent a new security threat, working closely with prominent threat research organizations includi
3. SonicWall Hunts for Zero-Day Amid Surge in Firewall Exploitation
SecurityWeek, 9 hours ago. Score 77, 100.0% similarity.
Threat actors might be exploiting a zero-day vulnerability in SonicWall firewalls in a fresh wave of ransomware attacks.
4. CC-4686 - Active Exploitation of Gen 7 SonicWall Firewalls with SSL VPN Enabled
NHS Digital Cyber Alerts, 6 hours ago. Score 77, 100.0% similarity.
Summary: SonicWall has released a security notice regarding recent reported cyber incidents involving SonicWall Gen 7 Firewalls. Affected platforms: the following platforms are known to be affected: SonicWall Gen 7 Generation Firewall (NGFW); Gen 7 SonicWall firewalls where SSL VPN is enabled. Threat details: Securi
5. SonicWall urges admins to disable SSLVPN amid rising attacks
BleepingComputer, 5 hours ago. Score 75, 100.0% similarity.
Sergiu Gatlan, August 5, 2025 07:28 AM. SonicWall has warned customers to disable SSLVPN services due to ransomware gangs potentially exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks over the past few weeks. The warning comes after Arctic Wolf Labs reported on Friday that it had observed multiple Akira ransomware attacks, likely using a SonicWall zero-day vulnerability, since July 15th. "The in
6. SonicWall Warns of Escalating Cyberattacks Targeting Gen 7 Firewalls in Last 72 Hours
Cybersecurity News, 4 hours ago. Score 66, 100.0% similarity.
SonicWall has issued an urgent security advisory following a significant increase in cyber incidents targeting its Gen 7 SonicWall firewalls over the past 72 hours. The company is actively investigating a wave of attacks that appear to be focused on devices where the Secure Sockets Layer Virtual Private Network (SSLVPN) feature is enabled. In a […]
7. SonicWall investigates 'cyber incidents,' including ransomware targeting suspected 0-day
The Register, 19 hours ago. Score 62, 95.0% similarity.
Bypassing MFA and deploying ransomware… sounds like something that rhymes with 'schmero-day'. SonicWall on Monday confirmed that it's investigating a rash of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs. "SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 f
8. SonicWall VPNs Actively Exploited for 0-Day Vulnerability to Bypass MFA and Deploy Ransomware
Cybersecurity News, 1 day ago. Score 59, 95.0% similarity.
A likely zero-day vulnerability in SonicWall's Secure Mobile Access (SMA) VPNs and firewall appliances is being actively exploited in the wild, enabling attackers to bypass multi-factor authentication (MFA) and deploy ransomware within hours of the initial breach. Security firms, including Huntress, Arctic Wolf, and Sophos, have reported a recent surge in high-severity incidents targeting these […]
9. SonicWall urges customers to take VPN devices offline after ransomware campaign
The Record, 21 hours ago. Score 56, 92.0% similarity.
Multiple cybersecurity incident response firms are warning of the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
10. Active Exploitation of SonicWall VPNs
Huntress, 1 day ago. Score 50, 100.0% similarity.
A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach.

Cluster Intelligence

Key entities and indicators for this cluster:

MITRE ATT&CK: T1071.001, T1059.007, T1566.002, T1556, T1557
Attack types: Credential Access, Credential Harvesting, Phishing, Credential Theft, Exploitation of VPN
Security vendors: SonicWall
Platforms: SonicWall Gen 7 Firewalls, SMA VPNs
Companies: SonicWall, Google Mandiant, Huntress, Arctic Wolf, Google
Industries: Cybersecurity
Vulnerabilities: Authentication Bypass, Zero-Day
Ransomware: Akira
Cluster information: Cluster #1650, created 17 hours ago, Semantic Algorithm
