
Security Intelligence
August 5, 2025 | Security intelligence From the experts
Read our original notice regarding Akira's targeting of SonicWall VPNs here.
On August 4, 2025, SonicWall issued a notice confirming an increase in cybersecurity incidents affecting Gen 7 firewalls with SSL VPN enabled, corroborating our previously reported observations.
The targeting of Gen 7 firewalls is consistent with most of Field Effect’s observations. However, we have one confirmed case involving the Gen 8 SonicWall NSa 3800 running SonicOS 8.0.2. Given we cannot confirm that other models are not impacted, our earlier published guidance remains the same.
Below is an overview of our observations related to this campaign, as well as a summary of threat actor activity and indicators of compromise (IOCs).
On July 22, 2025, Field Effect MDR contained the first incident we've linked to this campaign.
At 14:15 UTC, a threat actor began attempting to authenticate to multiple hosts from an internal IP address allocated to the client's VPN pool; most of these attempts failed. The threat actor did, however, successfully authenticate to a Domain Controller, which also provided local file sharing for the network.
A combination of endpoint, network, and account-based analytics produced several automatic detections, which were reported via ARO and escalated internally for investigation by our security operations center (SOC). No further threat actor actions followed the authentication; however, the activity was clearly abnormal.
At 14:36, our SOC called the associated MSP partner to escalate the response and obtain support containing the incident. Follow-on analysis confirmed that the source of the incident was a compromised VPN, an initial access vector now commonly used by threat actors.
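The pattern described above (one VPN-pool address failing authentication against several hosts and then succeeding on a sensitive one) is the kind of signal account-based analytics can surface automatically. The following is an added example written for this write-up, not Field Effect's tooling: it parses constructed, normalised logon lines (4624 success / 4625 failure), restricts attention to an assumed VPN client pool, and raises an alert when a single source fails against at least three distinct hosts within a window and then authenticates successfully anywhere. The VPN pool, hostnames, role map, and timestamps are all assumptions.

```python
"""Flag authentication sprays that originate from a VPN client address pool.

Added example, not Field Effect's code. The log lines below are constructed
and imitate Windows Security logon events (4624 = success, 4625 = failure)
already normalised to one line each. The VPN pool, hostnames and role map
are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed address pool handed out to SSL VPN clients.
VPN_POOL = ip_network("10.200.0.0/24")
# Assumed role map so a success on a sensitive host can be called out.
HOST_ROLES = {"DC01": "domain controller / file server"}

# Constructed log lines: "<utc time> <event id> host=<target> src=<ip> user=<account>"
SAMPLE_LOG = """\
2025-07-22T14:15:02Z 4625 host=WS-17 src=10.200.0.44 user=jsmith
2025-07-22T14:15:04Z 4625 host=WS-22 src=10.200.0.44 user=jsmith
2025-07-22T14:15:07Z 4625 host=FS02 src=10.200.0.44 user=jsmith
2025-07-22T14:15:09Z 4625 host=WS-31 src=10.200.0.44 user=jsmith
2025-07-22T14:15:12Z 4624 host=DC01 src=10.200.0.44 user=jsmith
2025-07-22T14:16:40Z 4624 host=WS-05 src=10.200.0.51 user=akim
2025-07-22T14:17:03Z 4625 host=WS-05 src=192.168.1.77 user=svc-backup
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    success: bool
    host: str
    src: str
    user: str


def parse_line(line: str) -> LogonEvent:
    """Parse one normalised logon line into a LogonEvent."""
    ts, event_id, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return LogonEvent(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        success=(event_id == "4624"),
        host=fields["host"],
        src=fields["src"],
        user=fields["user"],
    )


def detect_vpn_spray(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_failed_hosts: int = 3) -> list[dict]:
    """Return one alert per VPN-pool source that failed against at least
    min_failed_hosts distinct hosts inside `window` and then succeeded."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only sources inside the VPN client pool are of interest here.
        if ip_address(ev.src) in VPN_POOL:
            by_src[ev.src].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.when)
        for i, ev in enumerate(events):
            if not ev.success:
                continue
            # Distinct hosts that rejected this source in the window before the success.
            failed_hosts = {e.host for e in events[:i]
                            if not e.success and ev.when - e.when <= window}
            if len(failed_hosts) >= min_failed_hosts:
                alerts.append({
                    "src": src,
                    "user": ev.user,
                    "failed_hosts": sorted(failed_hosts),
                    "success_host": ev.host,
                    "success_role": HOST_ROLES.get(ev.host, "unknown"),
                    "time": ev.when.isoformat(),
                })
                break  # one alert per source is enough to trigger escalation
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_spray(SAMPLE_LOG):
        print(alert)
```

Running the block against the constructed sample produces a single alert for 10.200.0.44: four distinct hosts rejected the account within ten seconds and the fifth attempt succeeded on DC01, which the role map tags as a domain controller and file server. The other VPN client (one clean success) and the non-pool source are left alone, which keeps the rule quiet on ordinary remote-worker logons.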
The IOCs observed during this very short event were consistent with other incidents attributed to this campaign.
A week later, on July 29, we contained two nearly identical incidents impacting clients managed by different MSP partners. This was followed by another on July 30. The consistent factor across each event was the threat actor gaining initial network access through a SonicWall SSL VPN.
In the following days, Field Effect MDR responded to a number of additional attacks following the same pattern.
Despite their role in securing remote access, VPNs are increasingly targeted as entry points for cyberattacks. Threat actors are exploiting misconfigured or outdated VPNs to bypass perimeter defenses and gain access to sensitive corporate networks.
The Akira ransomware group, for instance, has demonstrated a growing trend of leveraging unsecured IoT devices and legitimate remote access tools to infiltrate environments where VPNs are assumed to be secure.
This underscores the need for organizations to treat VPNs not as a silver bullet, but as one component of a layered security strategy that also includes regular patching, holistic security monitoring, and identity management.
While credential-based VPN network compromises have become more common, the significant spike in related incidents across clients managed by different MSP partners led us to consider the potential for broad exploitation as the root cause.
Nearly all impacted clients were running SonicOS version 7.2.0-7015, the most recent version at the start of the campaign, rather than 7.3.0-7012, which was released on July 29, 2025. Our review of SonicWall's release notes and the associated advisory did not identify a vulnerability that would allow remote exploitation.
Like most security vendors, Field Effect participates in a variety of private security research groups and forums. On July 30, 2025, we began reaching out through these various channels, sharing what we had been observing and requesting others to share their perspectives.
We had multiple partners reach out for incident response support on August 1, 2025 regarding clients that had been impacted by ransomware. Through initial calls and data collection, it became apparent that these incidents were also related to the same campaign.
On August 2, 2025, we published a blog on our observations and, through the external threat scanning included with Field Effect MDR, created an ARO (see below) for hundreds of clients with a public-facing SonicWall VPN recommending immediate action.
Image 1: A screenshot of the ARO generated for impacted Field Effect MDR clients.
The Field Effect MDR security intelligence team continues to work collaboratively with both peers investigating this campaign and SonicWall as we aim to confirm its root cause.
We continue to recommend organizations using SonicWall SSL VPN appliances take the following precautionary steps:
TTP name | Description
Initial access |
Discovery |
Lateral movement |
Command and control |
Collection |
Exfiltration |
Impact |
The following IOCs have been compiled through a combination of Field Effect MDR and our Incident Response services. We will update this list as we uncover additional information.
IOC category | Indicators
Initial access (infrastructure used by the attacker) |
Collection |
Data exfiltration |
Command and control |
Execution |
We are continuing to investigate this activity to determine the root cause. If a zero-day vulnerability is confirmed, we expect SonicWall to issue guidance and patches. In the meantime, proactive isolation and monitoring are the best defenses.
If you believe your organization may have been affected or would like assistance reviewing your environment, please reach out to our team.