- From mid-July 2025, researchers observed an increase in malicious SSL VPN connections to SonicWall devices
- Researchers speculate that the attackers may have found a zero-day vulnerability
- Users are advised to strengthen their security posture (MFA, removal of unused accounts, fresh passwords)
SonicWall SSL VPN devices may be affected by a zero-day vulnerability that Akira ransomware affiliates have discovered and are now exploiting in the wild.
In mid-July this year, cybersecurity researchers at Arctic Wolf Labs observed an increase in malicious connections, all of which came in through SonicWall SSL VPN. Since some of the affected devices were fully patched at the time of intrusion, the researchers speculate that a zero-day flaw may be involved.
However, they did not rule out the possibility that the attackers simply obtained a set of valid credentials somewhere and used them to log in.
On the FBI radar
In all cases, the organizations that saw these malicious connections were also hit with Akira ransomware shortly afterwards.
“A short interval was observed between initial access to the SSL VPN account and ransomware encryption,” the researchers said. “Unlike legitimate VPN logins, which generally originate from networks operated by broadband internet service providers, ransomware groups often use virtual private server hosting for VPN authentication in compromised environments.”
Until SonicWall comes forward with a fix, or at least an explanation, organizations using these VPNs are advised to enable multi-factor authentication (MFA), remove inactive and unused firewall accounts, and make sure their passwords are fresh, strong and unique.
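The two points above, logins arriving from VPS hosting networks rather than broadband ISPs and dormant accounts that should be removed, can both be checked from the VPN authentication log. The script below is an added example written for this page; it is not code from Arctic Wolf, SonicWall or the article. The log format, the ASN table, the IP addresses, the user list and the review date are all constructed for illustration (a real deployment would parse the firewall's own syslog and resolve ASNs with a proper IP-to-ASN database).

```python
"""Triage of SSL VPN authentication logs for Akira-style initial access.

Added example: the log lines, ASN table, users and dates below are constructed
and do not correspond to any real SonicWall output or real organization.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed IP-to-ASN table (hypothetical ASNs and names). Category "hosting"
# marks VPS/cloud providers, "isp" marks residential/business broadband.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("AS64500", "ExampleVPS Hosting", "hosting"),
    ipaddress.ip_network("198.51.100.0/24"): ("AS64501", "Example Broadband", "isp"),
    ipaddress.ip_network("192.0.2.0/24"): ("AS64502", "Example Cloud Compute", "hosting"),
}

# Constructed, simplified SSL VPN auth log (not the real SonicWall syslog format).
SAMPLE_LOG = """\
2025-07-15T02:14:07Z sslvpn user=jsmith src=198.51.100.23 result=success
2025-07-15T02:31:55Z sslvpn user=svc_backup src=203.0.113.45 result=success
2025-07-15T02:32:10Z sslvpn user=admin2 src=203.0.113.45 result=failure
2025-07-15T02:33:02Z sslvpn user=admin2 src=203.0.113.45 result=success
2025-07-16T08:02:41Z sslvpn user=mlee src=198.51.100.77 result=success
2025-07-16T09:10:12Z sslvpn user=contractor1 src=192.0.2.9 result=success
"""

# Constructed list of accounts configured on the firewall; "old_vendor" never logs in.
KNOWN_USERS = ["jsmith", "mlee", "admin2", "svc_backup", "contractor1", "old_vendor"]
REVIEW_TIME = datetime(2025, 8, 1)  # hypothetical date the review is run


def parse(log):
    """Turn each 'ts sslvpn k=v k=v ...' line into a dict with typed fields."""
    events = []
    for line in log.splitlines():
        ts, _, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "src": ipaddress.ip_address(fields["src"]),
            "result": fields["result"],
        })
    return events


def asn_for(ip):
    """Longest-prefix-free lookup in the constructed table; unknown -> 'unknown'."""
    for net, info in ASN_TABLE.items():
        if ip in net:
            return info
    return (None, None, "unknown")


def hosting_logins(events):
    """Successful logins whose source address belongs to a hosting/VPS ASN."""
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        asn, _name, category = asn_for(e["src"])
        if category == "hosting":
            hits.append((e["user"], str(e["src"]), asn))
    return hits


def shared_sources(events):
    """Source addresses that authenticated more than one distinct account."""
    users_by_src = {}
    for e in events:
        if e["result"] == "success":
            users_by_src.setdefault(str(e["src"]), set()).add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) > 1}


def stale_accounts(events, known_users, now, max_idle_days=90):
    """Accounts with no successful login in max_idle_days (or never): removal candidates."""
    last_seen = {}
    for e in events:
        if e["result"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if last_seen.get(u, datetime.min) < cutoff)


def triage():
    """Run all checks over the constructed log and return the findings."""
    events = parse(SAMPLE_LOG)
    return {
        "hosting_logins": hosting_logins(events),
        "shared_sources": shared_sources(events),
        "stale_accounts": stale_accounts(events, KNOWN_USERS, REVIEW_TIME),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Three of the six logins come from hosting ranges, one hosting address authenticated two different accounts (including an administrative one after a failed attempt), and one configured account has never logged in. Each of those is a lead worth acting on, not a verdict: a contractor may legitimately connect from a cloud host, so hosting-origin logins should be confirmed against the account owner before being treated as compromise, while dormant accounts can simply be removed.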
Akira is a ransomware strain that first appeared in March 2023, targeting companies across a range of sectors. It is known to gain an initial foothold through compromised VPN credentials and exposed services.
The group targets both Windows and Linux systems and is known to delete backups to hinder recovery. By mid-2025, Akira had been linked to attacks on hundreds of organizations around the world, including Stanford University, Nissan Australia and Tietoevry. The group typically directs its victims to contact it via a Tor-based website.
The FBI and CISA have issued advisories on its activity, urging organizations to implement stronger network defenses and multi-factor authentication.
Via The Hacker News