
SonicWall VPNs Under Attack by Rising Akira Ransomware Threat

Summary

– Security experts warn of a possible zero-day vulnerability in SonicWall SSL VPNs after observing a surge in ransomware attacks targeting these devices.
– Arctic Wolf reported multiple pre-ransomware intrusions in late July, with evidence suggesting a zero-day vulnerability despite patched devices and MFA.
– Threat actors gained VPN access through SonicWall SSL VPNs, followed by rapid ransomware encryption, often authenticating from Virtual Private Server (VPS) hosting providers rather than ordinary ISP networks.
– Arctic Wolf recommends actions like disabling the service until patched, enabling log monitoring, enforcing MFA, and blocking suspicious hosting-related ASNs.
– SonicWall is investigating the incidents, collaborating with third-party researchers to determine if it involves a known or zero-day vulnerability.

Security researchers have identified a concerning spike in ransomware attacks exploiting SonicWall SSL VPNs, with evidence suggesting a potential zero-day vulnerability may be at play. The incidents, tracked since mid-July, involve threat actors gaining unauthorized access through VPN portals, even on fully patched systems with multi-factor authentication enabled.

Arctic Wolf’s threat intelligence team reported observing multiple pre-ransomware intrusions linked to SonicWall devices, noting that attackers bypassed security measures like credential rotation and time-based one-time passwords (TOTP). While brute-force attacks haven’t been entirely ruled out, the patterns strongly indicate an unpatched flaw.

Compromised logins often originated from virtual private server (VPS) hosting providers, a tactic commonly used by ransomware groups to mask their activity. Legitimate VPN access, by contrast, typically comes from standard ISP networks. The attacks follow a predictable sequence: once inside, adversaries move quickly to deploy ransomware, leaving little time for defenders to react.

To mitigate risks, Arctic Wolf advises organizations using SonicWall SSL VPNs to take immediate action: temporarily disable the service, if operational impact allows, until a patch is available. Edge devices like VPNs and firewalls remain prime targets for cybercriminals due to their direct internet exposure and their access to critical internal systems, and many of them lack endpoint detection coverage, creating gaps in visibility.

SonicWall confirmed it’s investigating the surge in incidents across its Gen 7 firewall series, collaborating with Arctic Wolf, Mandiant, and Huntress to determine whether the attacks exploit a known weakness or a new, unpatched flaw. The company has yet to release additional guidance but urges customers to monitor official updates closely.

Proactive measures, including network segmentation and rigorous access controls, are critical to limiting exposure while investigations continue. Organizations should prioritize reviewing VPN logs for anomalous activity and prepare incident response plans tailored to ransomware scenarios.
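The detection point raised above (VPN logins arriving from VPS hosting ranges instead of ISP networks, followed by fast follow-on activity) can be turned into a simple log review. The following is an added example, not code from Arctic Wolf, SonicWall or the original article: it parses constructed, generic syslog-style VPN login lines (not SonicWall's real log schema), classifies each source address against a hypothetical prefix-to-ASN table standing in for a real ASN lookup, and flags successful logins from hosting ASNs as well as one account succeeding from several sources within a short window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a generic syslog-like layout (assumption:
# this is NOT SonicWall's actual log format; adapt the regex to yours).
SAMPLE_LOGS = """\
2025-07-22T08:14:02Z vpn-gw sslvpn login user=alice src=203.0.113.7 result=success
2025-07-22T08:15:40Z vpn-gw sslvpn login user=bob src=198.51.100.23 result=success
2025-07-22T08:16:01Z vpn-gw sslvpn login user=bob src=198.51.100.24 result=success
2025-07-22T08:16:19Z vpn-gw sslvpn login user=carol src=192.0.2.45 result=failure
2025-07-22T09:02:55Z vpn-gw sslvpn login user=dave src=203.0.113.88 result=success
"""

# Hypothetical prefix -> (ASN, category) table using documentation ranges.
# In production replace with an ASN database or WHOIS/Team Cymru lookups.
PREFIX_TO_ASN = {
    "198.51.100.0/24": ("AS64500", "hosting"),  # constructed: a VPS provider
    "203.0.113.0/24": ("AS64496", "isp"),       # constructed: residential ISP
    "192.0.2.0/24": ("AS64497", "isp"),         # constructed: residential ISP
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one login record into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def lookup_asn(ip):
    """Return (asn, category) for an address; unknown prefixes are 'unknown'."""
    for prefix, (asn, category) in PREFIX_TO_ASN.items():
        if ip in ipaddress.ip_network(prefix):
            return asn, category
    return None, "unknown"


def find_suspicious_logins(log_text, window=timedelta(minutes=5)):
    """Flag successful logins from hosting ASNs and one user succeeding from
    more than one source address within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []

    # Rule 1: successful login sourced from a hosting/VPS ASN.
    for e in events:
        asn, category = lookup_asn(e["src"])
        if e["result"] == "success" and category == "hosting":
            alerts.append({"type": "hosting_asn_login", "user": e["user"],
                           "src": str(e["src"]), "asn": asn,
                           "ts": e["ts"].isoformat()})

    # Rule 2: same account, different sources, inside a short window.
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["src"] != first["src"]:
                    alerts.append({"type": "multi_source_burst", "user": user,
                                   "srcs": [str(first["src"]), str(later["src"])],
                                   "ts": later["ts"].isoformat()})
    return alerts


def hosting_asns_to_review(alerts):
    """ASNs seen in hosting-login alerts: candidates for the ASN-level blocking
    the article recommends, after confirming no legitimate users rely on them."""
    return sorted({a["asn"] for a in alerts if a["type"] == "hosting_asn_login"})


if __name__ == "__main__":
    found = find_suspicious_logins(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("ASNs to review:", hosting_asns_to_review(found))
```

The window-based rule is deliberately conservative: a single hosting-range login may be a contractor on a cloud jump host, so the ASN list is a review queue, not an automatic block list.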

(Source: InfoSecurity)


The Wiz