Particle.news

SonicWall Investigates Suspected SSL VPN Zero-Day Exploited in Akira Ransomware Attacks

SonicWall urges customers to disable remote VPN access until the flaw is confirmed, with a firmware patch planned for release.

Overview

  • SonicWall confirmed a surge in cyber incidents affecting Gen 7 firewalls with SSL VPN enabled and enlisted Arctic Wolf, Google Mandiant, and Huntress to investigate a potential zero-day exploit.
  • Huntress has tracked more than 20 Akira ransomware intrusions since late July, noting that attackers breached fully patched devices despite enforced multi-factor authentication.
  • Upon gaining VPN access, threat actors pivot directly to domain controllers within hours, disabling Microsoft Defender Antivirus and deleting volume shadow copies ahead of encryption.
  • Researchers believe the flaw exists in firmware versions 7.2.0-7015 and earlier on SonicWall TZ and NSa series appliances, with malicious logins often originating from VPS-hosted IP addresses.
  • Organizations are advised to disable SSL VPN services where feasible, enforce strong MFA, remove inactive user accounts, and enable botnet protection and Geo-IP filters until a security update is available.