Source: www.techrepublic.com – Author: Megan Crouse
SonicWall identified under 40 security incidents and determined the access control problem was related to a vulnerability published last year.

Cybersecurity platform company SonicWall has identified the origins of a wave of cyberattacks targeting its Gen 7 firewalls with SSLVPN enabled. As of Aug. 12, the company said it has worked with external threat research teams and released firmware updates.
Security research teams from Arctic Wolf, Google Mandiant, and Huntress have documented the suspicious activity, which was first detected on or around July 15.
SonicWall recommends updating SSLVPN
In early August, SonicWall recommended that customers using the Gen 7 SonicWall firewalls with SSLVPN disable the VPNs and take other precautions. As of Aug. 12, firmware update version 7.3.0 adds enhanced protections against brute force attacks and additional MFA controls to fix the problem. SonicWall now recommends that users of Gen 7 and newer firewalls with SSLVPN take the following steps:
- Install firmware version 7.3.0.
- Reset all local user account passwords.
- Enable security features such as Botnet Protection and Geo-IP Filtering.
- Implement multi-factor authentication.
- Remove unused or inactive user accounts.
Some of the intrusions bypassed MFA, Huntress noted on Aug. 8. Threat actors used over-privileged LDAP or service accounts to gain administrative control. From there, they could move laterally through the network, disable security tools, and deploy ransomware.
Huntress began tracking attacks on July 25 and continues to monitor the activity.
As of Aug. 12, SonicWall had identified the attacks as causing fewer than 40 security incidents. In many cases, the affected accounts were being migrated from Gen 6 to Gen 7 firewalls, and local user passwords were not reset during that process.
SonicWall identified the attacks as being related to CVE-2024-40766, an improper access control vulnerability first identified in August 2024.
Rise in Akira ransomware tied to VPN exploitation
Arctic Wolf Labs reported a notable increase in Akira ransomware activity in July 2025, with SonicWall SSLVPN among the targeted infrastructure. While no direct link to a single vulnerability was confirmed, Akira is known to exploit VPNs in targeted campaigns.
Akira, first detected in March 2023, has since claimed responsibility for attacks on Stanford University, Nissan, and other high-profile targets. Arctic Wolf Labs recommends blocking VPN activity from specific hosting-related autonomous system numbers (ASNs) to reduce exposure.
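A defender-side triage of the ASN recommendation above, as an added example that is not from the article or from Arctic Wolf: it flags SSLVPN logins whose source address maps to a hosting-provider ASN. The log format, prefix table, ASN list, and function names are constructed assumptions; the addresses are documentation prefixes and the ASNs are private-use numbers.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table: documentation prefixes (RFC 5737) and
# private-use ASNs (RFC 6996) stand in for a real routing or GeoIP dataset.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64512,
    "198.51.100.0/24": 64513,
    "203.0.113.0/24": 64514,
}
# Hypothetical list of hosting-provider ASNs; fill it from your own threat intel.
HOSTING_ASNS = {64512, 64514}

# Constructed log lines in an assumed key=value layout (not SonicWall's syslog schema).
SAMPLE_LOG = """\
2025-07-28T02:14:07Z event=sslvpn_login user=svc_ldap src=192.0.2.45 result=success
2025-07-28T08:30:12Z event=sslvpn_login user=jdoe src=198.51.100.9 result=success
2025-07-28T02:15:40Z event=sslvpn_login user=admin src=203.0.113.77 result=failure
2025-07-28T09:01:00Z event=sslvpn_login user=jdoe src=10.1.2.3 result=success
malformed line without fields
"""

def asn_for(ip_text, table=PREFIX_TO_ASN):
    """Longest-prefix match of an IP against the table; None if unmapped or invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, asn)
    return best[1] if best else None

def flag_hosting_logins(log_text, hosting_asns=HOSTING_ASNS):
    """Return {user: [(timestamp, src, asn, result), ...]} for logins from hosting ASNs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if fields.get("event") != "sslvpn_login" or "src" not in fields:
            continue  # skip unrelated or malformed lines
        asn = asn_for(fields["src"])
        if asn in hosting_asns:
            hits[fields.get("user", "?")].append((parts[0], fields["src"], asn, fields.get("result")))
    return dict(hits)
```

Successful logins in the result, especially for service or LDAP accounts, are the entries to review first, since the article notes that some intrusions bypassed MFA.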
Attack detected in July left SonicWall appliances vulnerable
In a separate incident disclosed by Google Threat Intelligence Group and Mandiant, a different threat actor — tracked as UNC6148 — targeted SonicWall Secure Mobile Access (SMA) 100 series appliances. The attacker loaded a persistent backdoor rootkit onto the appliance using a technique called OVERSTEP, enabling them to gain privileged control over it.
This story was originally published on Aug. 6 and updated with new information from SonicWall on Aug. 12.
Original Post URL: https://www.techrepublic.com/article/news-sonicwall-vpn-threat-activity/