
October 2025 Threat Report: Barracuda SOC Insights

Summary

– Akira ransomware is actively exploiting a patched SonicWall VPN vulnerability (CVE-2024-40766) to bypass multifactor authentication and encrypt systems quickly.
– Attackers are using Python scripts to automate and disguise hacking tools like Mimikatz and credential stuffing tools, increasing attack speed and evasion.
– Microsoft 365 accounts are facing increased unusual login activity, indicating credential compromise and risks of data theft or network access.
– Organizations are at risk if they haven’t applied patches, reset credentials, or lack strong detection, password policies, and employee cybersecurity training.
– Protective measures include applying security patches, using scanning tools, resetting credentials, restricting VPN access, and deploying endpoint protection.

Recent analysis from Barracuda’s security operations reveals several emerging threats that organizations must address immediately. Their managed detection and response teams have documented a significant uptick in specific attack methods, including sophisticated ransomware campaigns, stealthy scripting attacks, and unauthorized access to cloud productivity platforms.

A notable surge in Akira ransomware attacks is currently targeting vulnerable SonicWall VPN appliances. Barracuda initially alerted customers to this danger in August, and the threat has only intensified since then. Attackers are exploiting a known vulnerability, CVE-2024-40766, for which a patch has been available for nearly a year. The attacks succeed because many organizations have failed to apply the update. Furthermore, cybercriminals are using credentials stolen prior to the patch’s release to intercept one-time passwords, allowing them to generate valid login tokens. This technique effectively bypasses multi-factor authentication, even on systems that are otherwise up to date.

The Akira group operates with alarming speed, moving from initial infection to full data encryption in a very short time frame. They have also been observed using legitimate remote monitoring and management software to hide their activities, disable security tools, and cripple backup systems to prevent any possibility of recovery.

Your organization could be vulnerable if you have not applied the relevant security patch or reset all credentials afterward. The presence of old, unused, or unmonitored service accounts with high-level access and infrequently changed passwords also presents a serious risk.

To safeguard your network, it is critical to use a vulnerability scanning tool to identify any unpatched SonicWall VPNs. Apply the security patch immediately and reset all VPN credentials. Upgrading to SonicOS firmware version 7.3.0 or later is highly recommended, as it includes enhanced protective features. Conduct a thorough audit to find and remove any legacy or unused accounts, and ensure you rotate passwords for all local and service accounts. Restricting VPN access to trusted IP addresses and blocking login attempts from unfamiliar countries or hosting providers adds another vital layer of defense. If you suspect your credentials or one-time passwords have been exposed, act quickly by resetting all passwords, implementing phishing-resistant MFA such as FIDO2 security keys, and scrutinizing VPN logs for any anomalous activity.

Security experts are also reporting an increase in hacking tools being deployed via Python scripts. Attackers are leveraging these scripts to run programs like the Mimikatz password stealer, PowerShell, and various credential-stuffing automation tools. Using Python provides a dual advantage for threat actors: it helps disguise malicious executions within seemingly legitimate processes to avoid raising alarms, and it automates attacks to increase their speed and scale. This automation reduces the need for manual input that might trigger security alerts and allows for multiple simultaneous operations, such as scanning for weaknesses while exfiltrating sensitive data.

Your defenses may be insufficient if you lack integrated detection systems capable of identifying these script-based threats, run outdated software, or have weak password and MFA policies. A workforce that does not receive regular cybersecurity awareness training is also a significant liability.

Protecting against these automated threats requires installing advanced endpoint protection designed to detect Python-based malware. Consistently patching known vulnerabilities and updating all software is non-negotiable. Limiting user access rights and providing ongoing employee training on the latest threats and reporting procedures are essential steps to strengthen your security posture.
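The report's point is that the Python interpreter itself looks benign, so the tell is what it spawns. The following added example (not Barracuda's code, and using constructed process-creation events) walks each process's ancestry and raises an alert when PowerShell or a Mimikatz binary descends from a Python interpreter, while leaving PowerShell launched directly by a user and ordinary build tooling under Python alone:

```python
# Constructed process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (110, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),  # user-launched, no Python ancestor
    (200, 100, "python.exe",     "python.exe build.py"),
    (201, 200, "cmd.exe",        "cmd.exe /c git status"),                        # ordinary tooling under Python
    (300, 100, "python.exe",     "python.exe loader.py"),
    (301, 300, "cmd.exe",        "cmd.exe /c start"),
    (302, 301, "powershell.exe", "powershell.exe -EncodedCommand <constructed>"),  # grandchild of Python
    (303, 300, "mimikatz.exe",   "mimikatz.exe"),                                 # direct child of Python
]

INTERPRETERS = {"python.exe", "python3.exe", "pythonw.exe"}
# Children the report names as being launched from Python; a renamed binary is
# still caught by the command-line check in detect().
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "mimikatz.exe"}

def build_tree(events):
    # pid -> (ppid, lower-cased image name, command line)
    return {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}

def ancestors(tree, pid):
    # Yield parent pids upward; the seen-set guards against cycles or pid reuse.
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        pid = tree[pid][0]
        yield pid

def python_descended(tree, pid):
    # True if any ancestor (parent, grandparent, ...) is a Python interpreter.
    return any(tree[a][1] in INTERPRETERS for a in ancestors(tree, pid) if a in tree)

def detect(events):
    # Alert on (pid, image) pairs where a suspect process descends from Python.
    tree = build_tree(events)
    alerts = []
    for pid, (_ppid, image, cmd) in tree.items():
        suspect = image in SUSPECT_CHILDREN or "mimikatz" in cmd.lower()
        if suspect and python_descended(tree, pid):
            alerts.append((pid, image))
    return alerts
```

In a real deployment the event tuples would come from Sysmon event ID 1 or an EDR process-creation feed; the ancestry walk is what catches the `python -> cmd -> powershell` chain that a parent-only rule misses.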

Finally, Barracuda has observed a sharp rise in suspicious login activity targeting Microsoft 365 accounts. These logins deviate from a user’s typical behavior, originating from unexpected locations or devices, or occurring at unusual times, which often indicates that an attacker has compromised the account credentials. The popularity of Microsoft 365’s integrated application suite makes it a prime target for cybercriminals.

A compromised account offers attackers a wealth of opportunities. They can sell confirmed access to other criminals, use it to move laterally through the network, and steal sensitive emails, files, and data for extortion or impersonation attacks. It also provides a reliable channel for delivering additional malicious payloads.

You may be at risk if your organization publicly lists the names and contact details of key personnel like executives and IT staff. Not enforcing a strong, consistent password policy combined with MFA for all users is a major security gap. Observing unusual logins from unfamiliar countries or devices is a clear red flag, as is failing to provide regular security training for employees.

To defend your Microsoft 365 environment, ensure that strong password policies and MFA are universally enabled. Implement security measures that monitor for and alert on anomalous login behavior. Regularly train your staff to recognize and report phishing attempts and other suspicious activities. Proactively managing user privileges and conducting frequent access reviews can significantly reduce your attack surface.
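Both the VPN advice above (scrutinizing VPN logs for anomalous activity) and this Microsoft 365 advice come down to the same check: compare each successful sign-in with what is normal for that user. The following added example (not Barracuda's code; the record layout, users and sample values are constructed) builds a per-user baseline of countries, devices and sign-in hours, then grades new sign-ins by how many of those they break:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample records: (user, ISO timestamp, country, device, outcome).
HISTORY = [
    ("alice", "2025-09-01T08:15:00", "AU", "laptop-a1", "success"),
    ("alice", "2025-09-03T18:47:00", "AU", "phone-a2", "success"),
    ("alice", "2025-09-04T03:00:00", "NZ", "laptop-a1", "failure"),  # failures never shape the baseline
]
NEW_EVENTS = [
    ("alice", "2025-10-06T09:10:00", "AU", "laptop-a1", "success"),  # routine
    ("alice", "2025-10-06T03:12:00", "NL", "vm-x9", "success"),      # new country, device and hour
    ("alice", "2025-10-06T08:00:00", "AU", "tablet-a3", "success"),  # only a new device
]

def hour_distance(a, b):
    # Circular distance between two hours of day, so 23 and 1 are two hours apart.
    d = abs(a - b) % 24
    return min(d, 24 - d)

def build_baseline(history):
    # Per-user sets of countries, devices and hours seen in successful sign-ins.
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device, outcome in history:
        if outcome == "success":
            base[user]["countries"].add(country)
            base[user]["devices"].add(device)
            base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def anomalies(event, baseline, hour_slack=2):
    # List the ways a successful sign-in deviates from the user's own baseline;
    # a user with no history has empty sets, so every check fires.
    user, ts, country, device, outcome = event
    if outcome != "success":
        return []
    b = baseline[user]
    hour = datetime.fromisoformat(ts).hour
    checks = [
        ("new_country", country not in b["countries"]),
        ("new_device", device not in b["devices"]),
        ("unusual_hour", all(hour_distance(hour, h) > hour_slack for h in b["hours"])),
    ]
    return [tag for tag, hit in checks if hit]

def triage(history, events):
    # Severity: "high" for two or more deviations, "medium" for one, "ok" otherwise.
    baseline = build_baseline(history)
    results = []
    for e in events:
        r = anomalies(e, baseline)
        results.append((e[0], e[1], "high" if len(r) >= 2 else "medium" if r else "ok", r))
    return results
```

The same function works on Entra ID sign-in logs or SonicWall VPN authentication logs once the five fields are mapped; a "high" result on a successful sign-in is the case the report describes, where the credential was valid but the person using it was not the owner.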

(Source: ITWire Australia)
