Active Exploitation of SonicWall VPNs
Essential information
- Published
- 04/08/2025 15:03
- Modified
- 05/08/2025 15:32
- Tags
- 2025-08-04 akira credential-theft lateral movement mfa bypass ransomware sonicwall vpn zero-day
- Related entities
- 12 observables, 14 techniques (mitre), 1 malware
Description
A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential theft. Attackers quickly gain administrative access, establish command and control, move laterally, disable defenses, and deploy Akira ransomware. The threat actors use a mix of automated scripts and manual activity, abusing privileged accounts and utilizing various tools for persistence and data exfiltration. Immediate action is advised, including disabling SonicWall VPN access or severely restricting it, auditing service accounts, and hunting for malicious activity using provided indicators of compromise.