
Update: Akira ransomware group targets SonicWall VPN appliances


Read our original notice regarding Akira's targeting of SonicWall VPNs here.

On August 4, 2025, SonicWall issued a notice confirming an increase in cybersecurity incidents affecting Gen 7 firewalls with SSL VPN enabled, corroborating our previously reported observations.

The targeting of Gen 7 firewalls is consistent with most of Field Effect’s observations. However, we have one confirmed case involving the Gen 8 SonicWall NSa 3800 running SonicOS 8.0.2. Since we cannot confirm that other models are unaffected, our earlier published guidance stands unchanged.

Below is an overview of our observations related to this campaign, as well as a summary of threat actor activity and indicators of compromise (IOCs).

What we've seen

On July 22, 2025, Field Effect MDR contained the first incident we've linked to this campaign.

At 14:15 UTC, a threat actor began attempting to authenticate to multiple hosts from an internal IP allocated to the client's VPN pool; most of these attempts failed. The threat actor did, however, successfully authenticate to a Domain Controller, which also served as the network's file server.

A combination of endpoint, network, and account-based analytics triggered several automatic detections, which were reported via ARO and internally escalated for investigation by our security operations center (SOC). No further threat actor actions occurred after the authentication; however, the activity was clearly abnormal.

At 14:36, our SOC called the associated MSP partner to escalate the response and seek support containing the incident. Follow-on analysis confirmed that the source of the incident was a compromised VPN account, an initial access vector that has become common among threat actors.


The IOCs observed during this very short event were consistent with other incidents attributed to this campaign.

A week later, on July 29, we contained two nearly identical incidents impacting clients managed by different MSP partners. This was followed by another on July 30. The consistent factor across each event was the threat actor gaining initial network access through a SonicWall SSL VPN.

In the following days, Field Effect MDR responded to a number of additional attacks following the same pattern.

Weak VPNs are the new exposed RDP

Despite their role in securing remote access, VPNs are increasingly targeted as entry points for cyberattacks. Threat actors are exploiting misconfigured or outdated VPNs to bypass perimeter defenses and gain access to sensitive corporate networks.

The Akira ransomware group, for instance, has increasingly leveraged unsecured IoT devices and legitimate remote access tools to infiltrate environments where VPNs are assumed to be secure.

This underscores the need for organizations to treat VPNs not as a silver bullet, but as one component of a layered security strategy that also includes regular patching, holistic security monitoring, and identity management.

How we’ve responded

While credential-based VPN network compromises have become more common, the significant spike in related incidents across clients managed by different MSP partners led us to consider the potential for broad exploitation as the root cause.

Nearly all impacted clients were running SonicOS version 7.2.0-7015, the most recent version at the start of the campaign, rather than 7.3.0-7012, which was released on July 29, 2025. Reviewing SonicWall's release notes and the associated advisory did not reveal a vulnerability that would allow remote exploitation.

There were three primary scenarios we considered as possibilities for these events:
  1. A patched vulnerability is more serious than originally believed, and is being actively exploited remotely by threat actors to dump credentials. The only vulnerability noted as fixed in SonicOS 7.3.0-7012 was related to CVE-2025-40600, characterized by SonicWall as a denial of service with a CVSS v3 score of 5.9. However, the National Vulnerability Database listed CVE-2025-40600 as Critical with a CVSS v3 score of 9.8, suggesting it is more serious.
  2. Threat actors had previously exploited unpatched devices to dump credentials and are only now utilizing those to gain network access.
  3. There is a yet-to-be identified vulnerability in the SonicWall SSL VPN which is being actively exploited by threat actors to dump credentials. 

Like most security vendors, Field Effect participates in a variety of private security research groups and forums. On July 30, 2025, we began reaching out through these various channels, sharing what we had been observing and requesting others to share their perspectives.

We had multiple partners reach out for incident response support on August 1, 2025 regarding clients that had been impacted by ransomware. Through initial calls and data collection, it became apparent that these incidents were also related to the same campaign.

On August 2, 2025, we published a blog on our observations and, through the external threat scanning included with Field Effect MDR, created an ARO (see below) for hundreds of clients with a public-facing SonicWall VPN recommending immediate action.


Image 1: A screenshot of the ARO generated for impacted Field Effect MDR clients.

Our recommendations

The Field Effect MDR security intelligence team continues to work collaboratively with both peers investigating this campaign and SonicWall as we aim to confirm its root cause.  

We continue to recommend organizations using SonicWall SSL VPN appliances take the following precautionary steps:

  • Disable SonicWall SSL VPN services immediately if possible. If the SSL VPN is necessary for business purposes, we recommend limiting access to the service to known user IP addresses. Field Effect MDR clients can retrieve a list of all public IP addresses associated with their endpoint agents through their dashboard.
  • For clients with a Field Effect network appliance, forward SonicWall VPN logs to your appliance for analysis.
  • Block the reported network IOCs through your firewall. If Cloudflare storage is not required within your network, consider blocking the cloudflarestorage.com domain via the Field Effect DNS firewall.
  • Review authentication logs for unusual access patterns, especially successful logins from unexpected ISPs or locations.
  • Implement multi-factor authentication (MFA) across all remote access systems.
  • Monitor SonicWall notices and advisories for updates to guidance or mitigation steps.
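To make the log-review recommendation concrete, here is an added example (not Field Effect's tooling or SonicWall's) that triages SSL VPN authentication events against the attacker source addresses listed in the IOC section and against an allowlist of known user egress IPs. The log lines are constructed in a simplified key=value syslog layout; field names on a real SonicOS export may differ, so the regex is the part to adapt. The allowlist address 203.0.113.5 is a placeholder.

```python
"""Triage SSL VPN authentication logs against the published attacker IPs.

Added example, not Field Effect's or SonicWall's code. The log layout below is a
constructed approximation of key=value syslog; adjust LINE_RE to your export.
"""
import re
from collections import defaultdict

# Attacker source IPs from the IOC list in this notice (defanging brackets removed).
IOC_SOURCE_IPS = {
    "104.238.220.216", "193.163.194.7", "162.213.194.186",
    "107.158.128.106", "66.165.243.39",
}

# Hypothetical allowlist of known user egress addresses (placeholder value).
KNOWN_USER_IPS = {"203.0.113.5"}

# Constructed sample log: two failures then a success from an IOC address,
# a success from an unknown address, and a normal login from the allowlist.
SAMPLE_LOG = """\
time="2025-07-22 14:10:03" msg="SSL VPN user login failed" src=104.238.220.216 usr="jsmith"
time="2025-07-22 14:10:09" msg="SSL VPN user login failed" src=104.238.220.216 usr="jsmith"
time="2025-07-22 14:15:02" msg="SSL VPN zone remote user login allowed" src=104.238.220.216 usr="jsmith"
time="2025-07-22 14:20:41" msg="SSL VPN zone remote user login allowed" src=198.51.100.77 usr="mlee"
time="2025-07-22 14:21:10" msg="SSL VPN zone remote user login allowed" src=203.0.113.5 usr="mlee"
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)".*?msg="(?P<msg>[^"]+)".*?src=(?P<src>[\d.]+).*?usr="(?P<usr>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per line that matches the expected key=value layout."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def triage(log_text, known_ips=KNOWN_USER_IPS, ioc_ips=IOC_SOURCE_IPS):
    """Return (severity, reason, event) findings for successful logins, worst first.

    Three signals are checked: success from a published IOC address (high),
    success from an address outside the allowlist (medium), and success
    preceded by failed attempts from the same address (medium).
    """
    failures = defaultdict(int)
    findings = []
    for ev in parse(log_text):
        if "login allowed" not in ev["msg"]:
            failures[ev["src"]] += 1
            continue
        if ev["src"] in ioc_ips:
            findings.append(("high", "login from published IOC address", ev))
        elif ev["src"] not in known_ips:
            findings.append(("medium", "login from address outside allowlist", ev))
        if failures[ev["src"]]:
            findings.append(("medium", f"success after {failures[ev['src']]} failures", ev))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: rank[f[0]])
    return findings


if __name__ == "__main__":
    for sev, why, ev in triage(SAMPLE_LOG):
        print(f"[{sev}] {ev['time']} {ev['usr']} from {ev['src']}: {why}")
```

The allowlist check is the same control the first recommendation describes: if the SSL VPN cannot be disabled, a successful login from any address outside the known set is worth a call, and a success from one of the addresses above is an incident.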

Campaign TTPs


Initial access

  • In all cases, initial access was gained by authenticating to the SonicWall appliance's SSL VPN. At this time, we are unable to confirm the method the attacker used to obtain the credentials.

Discovery

  • T1046 – Network Service Discovery. Active scanning from tools such as ‘Advanced IP Scanner’, ‘netscan’, etc.
  • T1482 – Domain Trust Discovery. ‘nltest’ was used in almost all cases on a Domain Controller.
  • T1087 – Account Discovery. The attacker looked to identify unsecured credentials in documentation on network shares.

Lateral movement

  • T1021.001 – Remote Desktop Protocol (RDP). In almost all cases, the first host that the attacker connected to was a Domain Controller. Often, the RDP connection was direct from the attacker infrastructure, but in some cases internal hosts were used as jump boxes.

Command and control

  • T1572 – Protocol Tunneling. A backdoor communications method was installed by using a Cloudflare Tunnel.

Collection

  • T1560.001 – Archive Collected Data: Archive via Utility. WinRar.exe was used to collect files by the attacker prior to attempted exfiltration.

Exfiltration

  • T1048 – Exfiltration Over Alternative Protocol. The attacker was observed attempting to use SCP (Secure Copy Protocol) to exfiltrate data via port 22.

Impact

  • T1486 – Data Encrypted for Impact. Ransomware was deployed.
  • T1490 – Inhibit System Recovery. Volume Shadow Copy Service (VSS) copies were deleted to hamper recovery efforts.
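The value of the TTP table above is the sequence: discovery, a tunnel for command and control, archiving, then exfiltration and impact. The following added example (not Field Effect's detection content) encodes the tools named in the table as process-creation rules and correlates hits per account across hosts, so that a single WinRAR run stays quiet while a discovery-plus-tunnel-plus-collection chain is flagged. The events are constructed; the T1490 rule assumes vssadmin, which the notice does not name, and the hostnames and usernames are placeholders.

```python
"""Correlate process-creation events against the TTP chain in this notice.

Added example, not Field Effect's detection content. Events are constructed in
a simplified (timestamp, host, user, command line) form; map your EDR or Sysmon
fields onto them. The T1490 rule assumes vssadmin, which the notice does not name.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (ATT&CK ID, tactic, pattern over the command line), derived from the TTP table.
RULES = [
    ("T1046", "discovery", re.compile(r"advanced_(ip|port)_scanner|netscan", re.I)),
    ("T1482", "discovery", re.compile(r"\bnltest(\.exe)?\b", re.I)),
    ("T1572", "command-and-control", re.compile(r"cloudflared(\.exe)*\s+.*\btunnel\b", re.I)),
    ("T1560.001", "collection", re.compile(r"\bwinrar(\.exe)?\b", re.I)),
    ("T1048", "exfiltration", re.compile(r"\b(scp|winscp)(\.exe)?\b", re.I)),
    ("T1490", "impact", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),  # assumed tool
]

# Constructed sample events: (timestamp, host, user, command line). Hosts and
# users are placeholders. Note that the renamed scanner (n.exe) evades a
# name-based rule, which is why hash IOCs are still needed.
SAMPLE_EVENTS = [
    ("2025-07-29 02:05:11", "DC01", "corp\\jsmith", "nltest.exe /domain_trusts"),
    ("2025-07-29 02:09:40", "DC01", "corp\\jsmith", "C:\\Users\\Public\\n.exe"),
    ("2025-07-29 02:10:02", "DC01", "corp\\jsmith", "C:\\Users\\Public\\netscan_n.exe"),
    ("2025-07-29 03:41:15", "DC01", "corp\\jsmith", "cloudflared.exe.exe tunnel run --token <REDACTED>"),
    ("2025-07-29 04:12:00", "FS02", "corp\\jsmith", "WinRAR.exe a archive.rar \\\\FS02\\Finance"),
    ("2025-07-29 09:30:00", "WS17", "corp\\mlee", "WinRAR.exe x quarterly.rar"),  # benign, one tactic
]


def classify(cmdline):
    """Return the (attack_id, tactic) rules matching one command line."""
    return [(aid, tactic) for aid, tactic, rx in RULES if rx.search(cmdline)]


def correlate(events, window=timedelta(hours=6), min_tactics=3):
    """Flag accounts showing >= min_tactics distinct tactics within `window`
    of their first hit. Returns {user: {"ids": [...], "hosts": [...]}}.

    Keying on the account rather than the host matters here because the
    campaign moved from the Domain Controller to other hosts via RDP.
    """
    per_user = defaultdict(list)
    for ts, host, user, cmd in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for aid, tactic in classify(cmd):
            per_user[user].append((when, aid, tactic, host))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        start = hits[0][0]
        in_window = [h for h in hits if h[0] - start <= window]
        if len({t for _, _, t, _ in in_window}) >= min_tactics:
            flagged[user] = {
                "ids": sorted({a for _, a, _, _ in in_window}),
                "hosts": sorted({h for _, _, _, h in in_window}),
            }
    return flagged


if __name__ == "__main__":
    for user, info in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(info['ids'])} on {', '.join(info['hosts'])}")
```

Raising min_tactics trades sensitivity for noise; the sample chain has three distinct tactics, so a threshold of four would miss it until the exfiltration or impact stage appears.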

Indicators of compromise (IOCs)

The following IOCs have been compiled through a combination of Field Effect MDR and our Incident Response services. We will update this list as we uncover additional information.


Initial access (infrastructure used by the attacker)

  • ASN 23480 - ReliableSite.Net LLC
  • ASN 62240 - Clouvider
  • ASN 29802 - Hivelocity, Inc.
  • ASN 62904 – Eonix Corporation
  • 104.238.220[.]216 – ReliableSite.Net LLC
  • 193.163.194[.]7 - Clouvider Limited
  • 162.213.194[.]186 – Hivelocity, Inc.
  • 107.158.128[.]106 - Eonix Corporation
  • Advanced_IP_Scanner_2.5.4594.1.exe / 86233a285363c2a6863bf642deab7e20f062b8eb
  • Advanced_Port_Scanner_2.5.3869.exe / 3477a173e2c1005a81d042802ab0f22cc12a4d55
  • n.exe (renamed netscan.exe) / d26aabe9d0c17d8db032124b221f48c15e85ee23
  • netscan.exe / fe6362cbacd2ec186d24b3523718baf56667d7ce
  • netscan_n.exe / d26aabe9d0c17d8db032124b221f48c15e85ee23

Collection

  • rclone.exe / b5c8db9a6c645469bcf4582dfd7f66050206579f
  • winrar-x64-713.exe / 095036f9669230cb69b42eb5e6d91fdbe46ab61e

Data exfiltration

  • ASN 29802 – Hivelocity, Inc.
  • 66.165.243[.]39 – Hivelocity, Inc. (via SSH, port 22)
  • limewire-filesharing-production.b61cdfd8cf17f52ddc020162e738eb5d.r2.cloudflarestorage[.]com (Cloudflare R2 Object Storage)
  • WinSCP.exe / f73607b630548d2bbf23c02a43dd9e2117719caa

Command and control

  • cloudflared.exe.exe / 2435920542516c0969c32b6792ca1455a602dcc4
  • Cloudflare Tunnel Token
    • Partial redaction: eyJhIjoiY2ZkNzlkNDEyYWFh**REDACTED**TVdZeE1USTJaR1E0WlRsaiJ9
    • SHA1 of the token: f8433741133d8fa340051dfded806eb049584c0d

Execution

  • akira.exe / 18300f03e2bf6d7a9f1e393316f71b6c2846e910
  • w.exe (renamed akira.exe) / 18300f03e2bf6d7a9f1e393316f71b6c2846e910 
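Several of the file IOCs above appear under more than one name with the same SHA1 (n.exe / netscan_n.exe, akira.exe / w.exe), so a sweep should key on content rather than filename. The following added example (not Field Effect's tooling) walks a directory tree, hashes every file, and reports content matches separately from name-only matches. The hashes are copied from the list above; the files it creates for a demonstration run are benign placeholders, and the demonstration treats a placeholder's hash as an IOC because the real samples cannot be embedded here.

```python
"""Sweep a directory for the file IOCs in this notice by SHA1, not by name.

Added example, not Field Effect's code. Hash values are taken from the IOC
list; the sample files below are benign placeholders (constructed).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA1 -> tool, copied from the IOC list above.
IOC_SHA1 = {
    "86233a285363c2a6863bf642deab7e20f062b8eb": "Advanced_IP_Scanner_2.5.4594.1.exe",
    "3477a173e2c1005a81d042802ab0f22cc12a4d55": "Advanced_Port_Scanner_2.5.3869.exe",
    "d26aabe9d0c17d8db032124b221f48c15e85ee23": "netscan (seen as n.exe / netscan_n.exe)",
    "fe6362cbacd2ec186d24b3523718baf56667d7ce": "netscan.exe",
    "b5c8db9a6c645469bcf4582dfd7f66050206579f": "rclone.exe",
    "095036f9669230cb69b42eb5e6d91fdbe46ab61e": "winrar-x64-713.exe",
    "f73607b630548d2bbf23c02a43dd9e2117719caa": "WinSCP.exe",
    "2435920542516c0969c32b6792ca1455a602dcc4": "cloudflared.exe.exe",
    "18300f03e2bf6d7a9f1e393316f71b6c2846e910": "akira.exe (seen as w.exe)",
}

# Filenames from the list; a name match alone is a weak signal (lower-cased).
IOC_NAMES = {"n.exe", "netscan.exe", "netscan_n.exe", "rclone.exe", "w.exe",
             "akira.exe", "cloudflared.exe.exe", "winscp.exe"}


def sha1_of(path, chunk=1 << 20):
    """SHA1 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes=IOC_SHA1, ioc_names=IOC_NAMES):
    """Return {"hash": [(path, sha1, label)], "name_only": [(path, sha1)]}.

    "hash" entries are content matches and catch renamed binaries;
    "name_only" entries share an IOC filename but not its hash.
    """
    hits = {"hash": [], "name_only": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha1_of(p)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in ioc_hashes:
                hits["hash"].append((str(p), digest, ioc_hashes[digest]))
            elif name.lower() in ioc_names:
                hits["name_only"].append((str(p), digest))
    return hits


def make_sample_tree(root):
    """Create benign placeholder files for a demonstration run (constructed).

    Returns the SHA1 of tools/w.exe so a caller can treat it as an IOC.
    """
    root = Path(root)
    (root / "tools").mkdir(parents=True, exist_ok=True)
    (root / "tools" / "w.exe").write_bytes(b"placeholder standing in for a renamed binary")
    (root / "tools" / "report.txt").write_bytes(b"nothing to see here")
    (root / "netscan.exe").write_bytes(b"a different file that only shares the name")
    return sha1_of(root / "tools" / "w.exe")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo_hash = make_sample_tree(tmp)
        demo_iocs = dict(IOC_SHA1, **{demo_hash: "demo placeholder"})
        for kind, entries in sweep(tmp, demo_iocs).items():
            for entry in entries:
                print(kind, *entry)
```

A name-only hit on netscan.exe or w.exe is still worth a look, but only the hash column should drive automated containment; the renamed copies in the list above show why.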

What’s next

We are continuing to investigate this activity to determine the root cause. If a zero-day vulnerability is confirmed, we expect SonicWall to issue guidance and patches. In the meantime, proactive isolation and monitoring are the best defenses.

If you believe your organization may have been affected or would like assistance reviewing your environment, please reach out to our team.