- Since mid-July 2025, there has been an increase in malicious SSL VPN sessions on SonicWall devices
- Researchers speculate that the criminals found a zero-day
- Users are advised to strengthen their security posture
There is a possibility that SonicWall SSL VPN devices have a zero-day vulnerability that Akira's operators discovered and are now exploiting in the wild.
In mid-July of this year, researchers at Arctic Wolf Labs observed an increase in malicious sessions, all of them through SonicWall SSL VPN instances. Since some of the affected devices were fully patched at the time of intrusion, the researchers speculate that they could contain a zero-day flaw.
However, they have not ruled out the possibility that the attackers simply obtained a set of valid login credentials from somewhere and used them to gain access.
On the FBI's radar
In any case, organizations that experienced these malicious sessions were also infected with Akira ransomware shortly afterwards.
“A short interval was observed between initial access via the SSL VPN account and ransomware encryption,” the researchers explained. “In contrast to legitimate VPN session logins, which generally originate from networks operated by broadband internet service providers, ransomware groups often use virtual private server hosting for VPN authentication in compromised environments.”
Until SonicWall issues a patch, or at least an explanation, companies using these VPNs are advised to enforce multi-factor authentication (MFA), remove inactive and unused firewall accounts, and make sure their passwords are fresh, strong and unique.
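The researchers' observation above (VPN logins arriving from VPS hosting networks rather than residential broadband ISPs, followed quickly by encryption) and the recommendation to prune inactive accounts translate directly into a hunting query over VPN authentication logs. The following Python is an added example written for this page, not code from Arctic Wolf, SonicWall or the Akira investigation. The comma-separated log format, the prefix-to-network-type table (RFC 5737 documentation ranges standing in for an ASN feed) and the per-account last-seen baseline are all constructed; in a real hunt they would come from the firewall's authentication log, an IP-intelligence feed and the identity directory.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed lookup of source prefixes to network type. In practice this comes
# from an ASN or IP-intelligence feed; these are RFC 5737 documentation ranges
# used purely as placeholders (assumption, not real threat data).
NETWORK_TYPES = {
    "198.51.100.0/24": "hosting",
    "203.0.113.0/24": "hosting",
    "192.0.2.0/24": "broadband",
}

# Constructed baseline: last successful VPN login per account before the hunt
# window (what you would pull from the identity directory or prior logs).
LAST_SEEN = {
    "alice": datetime(2025, 7, 14, 18, 0),
    "svc-backup": datetime(2025, 1, 10, 9, 0),
}

# An account with no successful login for this long is treated as dormant.
DORMANT_AFTER = timedelta(days=90)

# Constructed sample events: timestamp,user,source_ip,result.
# This is a generic format for illustration, not the real SonicWall log format.
SAMPLE_LOG = """\
2025-07-15T02:11:40,alice,192.0.2.17,success
2025-07-15T03:05:02,svc-backup,198.51.100.23,success
2025-07-15T03:05:40,bob,203.0.113.9,success
2025-07-15T03:06:10,carol,203.0.113.9,failure
2025-07-15T09:00:00,alice,192.0.2.17,success
"""


def classify_source(ip: str) -> str:
    """Map a source address to 'hosting', 'broadband' or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for prefix, kind in NETWORK_TYPES.items():
        if addr in ipaddress.ip_network(prefix):
            return kind
    return "unknown"


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, src, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}


def hunt(log_text: str, last_seen: dict = LAST_SEEN) -> list:
    """Return (user, src, reasons) for successful logins matching the pattern:
    source in a VPS/hosting range, or an account that was dormant / has no history."""
    findings = []
    seen = dict(last_seen)  # copy so each login updates the baseline for later ones
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["result"] != "success":
            # Failed logins matter for brute-force detection but not for this
            # heuristic, which targets attackers who already hold valid credentials.
            continue
        reasons = []
        kind = classify_source(ev["src"])
        if kind == "hosting":
            reasons.append("source is a VPS/hosting range")
        elif kind == "unknown":
            reasons.append("source network type unknown")
        prev = seen.get(ev["user"])
        if prev is None:
            reasons.append("no prior login history for account")
        elif ev["ts"] - prev > DORMANT_AFTER:
            reasons.append(f"account dormant for {(ev['ts'] - prev).days} days")
        seen[ev["user"]] = ev["ts"]
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in hunt(SAMPLE_LOG):
        print(f"{user} from {src}: {'; '.join(reasons)}")
```

On the constructed sample this flags `svc-backup` (hosting source and a service account that had not logged in for months, exactly the kind of stale account the advice above says to remove) and `bob` (hosting source, no history), while the two residential logins by `alice` pass. Because the quoted finding stresses how little time passes between VPN access and encryption, a hit from this query should be triaged immediately rather than queued.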
Akira is a ransomware strain that first appeared in March 2023, targeting companies in several sectors. It is known for gaining an initial foothold through compromised VPN credentials and exposed services.
The group targets both Windows and Linux systems and is known for deleting backups to hinder recovery. By mid-2025, Akira had been responsible for attacks against hundreds of organizations worldwide, including Stanford University, Nissan Australia and Moestoevry. The group usually directs its victims to contact it through a Tor-based website.
The FBI and CISA have issued warnings about its activity, urging organizations to implement stronger network defenses and multi-factor authentication.
Via The Hacker News