Particle.news

SonicWall Investigates SSL VPN Zero-Day After Surge in Akira Ransomware Attacks

A coordinated investigation with leading threat researchers seeks to confirm the exploit before critical firmware patches roll out.

Overview

  • Security firms have observed intrusions on Gen 7 SonicWall SSL VPNs since mid-July that bypass MFA and credential rotation, suggesting a likely zero-day vulnerability.
  • Huntress analysts identified more than 20 attacks beginning July 25, featuring rapid pivots to domain controllers and deployment of the OVERSTEP rootkit ahead of ransomware encryption.
  • Google Threat Intelligence Group assessed with moderate confidence that UNC6148 affiliates exploited an unknown flaw to install a persistent backdoor on fully patched SMA appliances.
  • SonicWall has recommended that customers disable SSL VPN services where possible, restrict connections to trusted IPs, enforce multi-factor authentication, and enable security features such as botnet protection.
  • The vendor is working with Arctic Wolf Labs, GTIG and Huntress to determine if the incidents stem from a known flaw or a new zero-day before rolling out firmware updates.