Security Intelligence
Loading table of contents...
Loading table of contents...
Read our original notice regarding Akira's targeting of SonicWall VPNs here.
On August 4, 2025, SonicWall issued a notice confirming an increase in cybersecurity incidents affecting Gen 7 firewalls with SSL VPN enabled, corroborating our previously reported observations.
The targeting of Gen 7 firewalls is consistent with most of Field Effect’s observations. However, we have one confirmed case involving the Gen 8 SonicWall NSa 3800 running SonicOS 8.0.2. Given we cannot confirm that other models are not impacted, our earlier published guidance remains the same.
Below is an overview of our observations related to this campaign, as well as a summary of threat actor activity and indicators of compromise (IOCs).
What we've seen
On July 22, 2025, Field Effect MDR contained the first incident we've linked to this campaign.
At 14:15 UTC, a threat actor began attempting to authenticate to multiple hosts from an internal IP allocated to the client's VPN, the majority of which failed. That said, the threat actor did successfully authenticate to a Domain Controller, which also provided local file sharing for the network.
A combination of endpoint, network, and account-based analytics resulted in several automatic detections being reported, via ARO, and internally escalated for investigation by our security operations center (SOC). No additional threat actor actions occurred following the authentication, however the activity was clearly abnormal.
At 14:36, our SOC called the associated MSP partner to escalate the response and seek support containing the incident. Through follow-on analysis, it was confirmed the source of the incident was a compromised VPN, a threat vector that has become commonly utilized among actors.
Stay on top of emerging threats like this.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
The IOCs observed during this very short event were consistent with other incidents attributed to this campaign.
A week later, on July 29, we contained two nearly identical incidents impacting clients managed by different MSP partners. This was followed by another on July 30. The consistent factor across each event was the threat actor gaining initial network access through a SonicWall SSL VPN.
In the following days, Field Effect MDR responded to a number of additional attacks following the same pattern.
Weak VPNs are the new exposed RDP
Despite their role in securing remote access, VPNs are increasingly targeted as entry points for cyberattacks. Threat actors are exploiting misconfigured or outdated VPNs to bypass perimeter defenses and gain access to sensitive corporate networks.
The Akira ransomware group, for instance, has demonstrated a growing trend of leveraging unsecured IoT devices and legitimate remote access tools to infiltrate environments where VPNs are assumed to be secure.
This underscores the need for organizations to treat VPNs not as a silver bullet, but as one component of a layered security strategy that also includes regular patching, holistic security monitoring, and identity management.
How we’ve responded
While credential-based VPN network compromises have become more common, the significant spike in related incidents across clients managed by different MSP partners led us to consider the potential for broad exploitation as the root cause.
Nearly all impacted clients were running SonicOS version 7.2.0-7015, the most recent version at the start of the campaign, and not 7.3.0-7012 which was released on July 29, 2025. Reviewing SonicWall's release notes and associated advisory did not indicate a vulnerability that would provide remote exploitation.
There were three primary scenarios we considered as possibilities for these events:
- A patched vulnerability is more serious than originally believed, and is being actively exploited remotely by threat actors to dump credentials. The only vulnerability noted as fixed in SonicOS 7.3.0-7012 was related to CVE-2025-40600, characterized by SonicWall as a denial of service with a CVSS v3 score of 5.9. However, the National Vulnerability Database listed CVE-2025-40600 as Critical with a CVSS v3 score of 9.8, suggesting it is more serious.
- Threat actors had previously exploited unpatched devices to dump credentials and are only now utilizing those to gain network access.
- There is a yet-to-be identified vulnerability in the SonicWall SSL VPN which is being actively exploited by threat actors to dump credentials.
Like most security vendors, Field Effect participates in a variety of private security research groups and forums. On July 30, 2025, we began reaching out through these various channels, sharing what we had been observing and requesting others to share their perspectives.
We had multiple partners reach out for incident response support on August 1, 2025 regarding clients that had been impacted by ransomware. Through initial calls and data collection, it became apparent that these incidents were also related to the same campaign.
On August 2, 2025, we published a blog on our observations and, through the external threat scanning included with Field Effect MDR, created an ARO (see below) for hundreds of clients with a public-facing SonicWall VPN recommending immediate action.
Image 1: A screenshot of the ARO generated for impacted Field Effect MDR clients.
Our recommendations
The Field Effect MDR security intelligence team continues to work collaboratively with both peers investigating this campaign and SonicWall as we aim to confirm its root cause.
We continue to recommend organizations using SonicWall SSL VPN appliances take the following precautionary steps:
- Disable SonicWall SSL VPN services immediately if possible. If the SSL VPN is necessary for business purposes, we recommend limiting access to the service to known user IP addresses. Field Effect MDR clients can retrieve a list of all public IP addresses associated with their endpoint agents through their dashboard.
- For clients with a Field Effect network appliance, forward SonicWall VPN logs to your appliance for analysis.
- Block the reported network IOCs through your firewall. If Cloudflare storage is not required within your network, consider blocking the cloudflarestorage.com domain via the Field Effect DNS firewall.
- Review authentication logs for unusual access patterns, especially successful logins from unexpected ISPs or locations.
- Implement multi-factor authentication (MFA) across all remote access systems.
- Monitor SonicWall notices and advisories for updates to guidance or mitigations steps.
Campaign TTPs
| TTP name | Description |
|
Initial access |
|
|
Discovery |
|
|
Lateral movement |
|
|
Command and control |
|
|
Collection |
|
|
Exfiltration |
|
|
Impact |
|
Indicators of compromise (IOCs)
The following IOCs have been compiled through a combination of Field Effect MDR and our Incident Response services. We will update this list as we uncover additional information.
| TTP name | Description |
|
Initial access (infrastructure used by the attacker) |
|
|
Collection |
|
|
Data exfiltration |
|
|
Command and control |
|
|
Execution |
|
What’s next
We are continuing to investigate this activity to determine the root cause. If a zero-day vulnerability is confirmed, we expect SonicWall to issue guidance and patches. In the meantime, proactive isolation and monitoring are the best defenses.
If you believe your organization may have been affected or would like assistance reviewing your environment, please reach out to our team.
