Update: Akira ransomware group targets SonicWall VPN appliances

August 7 update:

Field Effect continues to investigate a coordinated campaign by the Akira ransomware group targeting SonicWall SSL VPN appliances.

Our analysis, in collaboration with industry peers and SonicWall, suggests that attackers may be leveraging credentials and configurations obtained during earlier compromises, likely through a now-patched vulnerability, to gain access across multiple environments.

We believe the attacker previously compromised these devices, and although they have since been patched, the threat actor is now using the previously obtained credentials to launch a broader campaign.

In many environments, user account credentials are not changed regularly, and highly privileged service accounts used for authentication (such as LDAP bind accounts) are rarely rotated, if ever.

In all incidents analyzed by Field Effect, we believe the SonicWall deployments had been long-standing. This includes cases where hardware had been upgraded, but configurations and credentials had been migrated from older systems. This reuse of legacy credentials and configurations may be contributing to the continued success of the attacker’s efforts.

While it remains possible that a new vulnerability exists in the SonicWall SSL VPN, no direct evidence has been observed by the broader security community or the vendor.

If you are aware of an incident involving a recent SonicWall adopter, please contact Field Effect at forensics@fieldeffect.com.

SonicWall has now updated their official guidance.

Field Effect continues to recommend a cautious approach to restoring remote access via SonicWall SSL VPN. Our recommendations include:

• Updating to the latest SonicOS firmware supported by your device.
• Reviewing all local user accounts to remove legacy or unused accounts and reset credentials for all others.
• Resetting credentials for any privileged service accounts, such as LDAP bind accounts.
• Restricting LDAP bind account permissions to only those necessary for authentication. This account does not require administrative privileges.
• Using a unique, dedicated LDAP account for each SonicWall integration.

Field Effect will continue to monitor this campaign and provide updates as new information becomes available.

Original post:

On August 4, 2025, SonicWall issued a notice confirming an increase in cybersecurity incidents affecting Gen 7 firewalls with SSL VPN enabled, corroborating our previously reported observations (read our original notice regarding Akira's targeting of SonicWall VPNs here.)

The targeting of Gen 7 firewalls is consistent with most of Field Effect’s observations. However, we have one confirmed case involving the Gen 8 SonicWall NSa 3800 running SonicOS 8.0.2. Given we cannot confirm that other models are not impacted, our earlier published guidance remains the same.

Below is an overview of our observations related to this campaign, as well as a summary of threat actor activity and indicators of compromise (IOCs).

What we've seen

On July 22, 2025, Field Effect MDR contained the first incident we've linked to this campaign.

At 14:15 UTC, a threat actor began attempting to authenticate to multiple hosts from an internal IP allocated to the client's VPN, the majority of which failed. That said, the threat actor did successfully authenticate to a Domain Controller, which also provided local file sharing for the network.

A combination of endpoint, network, and account-based analytics resulted in several automatic detections being reported, via ARO, and internally escalated for investigation by our security operations center (SOC). No additional threat actor actions occurred following the authentication, however the activity was clearly abnormal.

At 14:36, our SOC called the associated MSP partner to escalate the response and seek support containing the incident. Through follow-on analysis, it was confirmed the source of the incident was a compromised VPN, a threat vector that has become commonly utilized among actors.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

The IOCs observed during this very short event were consistent with other incidents attributed to this campaign.

A week later, on July 29, we contained two nearly identical incidents impacting clients managed by different MSP partners. This was followed by another on July 30. The consistent factor across each event was the threat actor gaining initial network access through a SonicWall SSL VPN.

In the following days, Field Effect MDR responded to a number of additional attacks following the same pattern.

Weak VPNs are the new exposed RDP

Despite their role in securing remote access, VPNs are increasingly targeted as entry points for cyberattacks. Threat actors are exploiting misconfigured or outdated VPNs to bypass perimeter defenses and gain access to sensitive corporate networks.

The Akira ransomware group, for instance, has demonstrated a growing trend of leveraging unsecured IoT devices and legitimate remote access tools to infiltrate environments where VPNs are assumed to be secure.

This underscores the need for organizations to treat VPNs not as a silver bullet, but as one component of a layered security strategy that also includes regular patching, holistic security monitoring, and identity management.

How we’ve responded

While credential-based VPN network compromises have become more common, the significant spike in related incidents across clients managed by different MSP partners led us to consider the potential for broad exploitation as the root cause.

Nearly all impacted clients were running SonicOS version 7.2.0-7015, the most recent version at the start of the campaign, and not 7.3.0-7012 which was released on July 29, 2025. Reviewing SonicWall's release notes and associated advisory did not indicate a vulnerability that would provide remote exploitation.

There were three primary scenarios we considered as possibilities for these events:

1. A patched vulnerability is more serious than originally believed, and is being actively exploited remotely by threat actors to dump credentials. The only vulnerability noted as fixed in SonicOS 7.3.0-7012 was related to CVE-2025-40600, characterized by SonicWall as a denial of service with a CVSS v3 score of 5.9. However, the National Vulnerability Database listed CVE-2025-40600 as Critical with a CVSS v3 score of 9.8, suggesting it is more serious.
2. Threat actors had previously exploited unpatched devices to dump credentials and are only now utilizing those to gain network access.
3. There is a yet-to-be identified vulnerability in the SonicWall SSL VPN which is being actively exploited by threat actors to dump credentials. 

Like most security vendors, Field Effect participates in a variety of private security research groups and forums. On July 30, 2025, we began reaching out through these various channels, sharing what we had been observing and requesting others to share their perspectives.

We had multiple partners reach out for incident response support on August 1, 2025 regarding clients that had been impacted by ransomware. Through initial calls and data collection, it became apparent that these incidents were also related to the same campaign.

On August 2, 2025, we published a blog on our observations and, through the external threat scanning included with Field Effect MDR, created an ARO (see below) for hundreds of clients with a public-facing SonicWall VPN recommending immediate action.

Image 1: A screenshot of the ARO generated for impacted Field Effect MDR clients.

Our recommendations

The Field Effect MDR security intelligence team continues to work collaboratively with both peers investigating this campaign and SonicWall as we aim to confirm its root cause.  

We continue to recommend organizations using SonicWall SSL VPN appliances take the following precautionary steps:

• Disable SonicWall SSL VPN services immediately if possible. If the SSL VPN is necessary for business purposes, we recommend limiting access to the service to known user IP addresses. Field Effect MDR clients can retrieve a list of all public IP addresses associated with their endpoint agents through their dashboard.
• For clients with a Field Effect network appliance, forward SonicWall VPN logs to your appliance for analysis.
• Block the reported network IOCs through your firewall. If Cloudflare storage is not required within your network, consider blocking the cloudflarestorage.com domain via the Field Effect DNS firewall.
• Review authentication logs for unusual access patterns, especially successful logins from unexpected ISPs or locations.
• Implement multi-factor authentication (MFA) across all remote access systems.
• Monitor SonicWall notices and advisories for updates to guidance or mitigations steps. 

Campaign TTPs

Indicators of compromise (IOCs)

The following IOCs have been compiled through a combination of Field Effect MDR and our Incident Response services. We will update this list as we uncover additional information.

What’s next

We are continuing to investigate this activity to determine the root cause. If a zero-day vulnerability is confirmed, we expect SonicWall to issue guidance and patches. In the meantime, proactive isolation and monitoring are the best defenses.

If you believe your organization may have been affected or would like assistance reviewing your environment, please reach out to our team.