SonicWall


In Q3 2025, SonicWall faced a prolonged ransomware campaign by the **Akira group**, which exploited weak access controls in its **SSLVPN services**. Attackers used **credential stuffing** to bypass authentication, targeting devices with **absent MFA and insufficient lockout policies**. The breach enabled unauthorized access to corporate networks, potentially exposing sensitive data and operational integrity. While the report does not confirm data exfiltration, the exploitation of SonicWall's security appliances, which are critical for VPN access, poses severe risks, including **lateral movement into customer environments, financial fraud, or operational disruptions**. The incident underscores systemic weaknesses in access management, with attackers commoditizing stolen credentials via infostealers such as **Rhadamanthys**. Although no direct customer data leak was confirmed, the compromise of VPN infrastructure threatens **financial reputation, regulatory compliance, and trust in SonicWall's security products**. Mitigation required emergency patches, MFA enforcement, and forensic investigations to assess potential downstream impacts.

Source: https://www.infosecurity-magazine.com/news/half-ransomware-access-hijacked/

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

```json
"id": "SON3832338111925",
"linkid": "sonicwall",
"type": "Ransomware",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
```
```python
{'affected_entities': [{'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'SonicWall',
                        'type': 'Technology Vendor'},
                       {'industry': 'Software',
                        'location': 'Global',
                        'name': 'Microsoft (SharePoint)',
                        'type': 'Technology Vendor'},
                       {'industry': 'File Transfer',
                        'location': 'Global',
                        'name': 'CrushFTP',
                        'type': 'Software Vendor'},
                       {'industry': 'Networking',
                        'location': 'Global',
                        'name': 'Cisco (ASA VPN)',
                        'type': 'Technology Vendor'},
                       {'industry': 'Virtualization/Networking',
                        'location': 'Global',
                        'name': 'Citrix (NetScaler)',
                        'type': 'Technology Vendor'},
                       {'industry': 'Multiple',
                        'location': 'Global',
                        'name': 'Unspecified Organizations (Ransomware '
                                'Victims)',
                        'type': ['Corporate',
                                 'Government',
                                 'Healthcare',
                                 'Education']}],
 'attack_vector': ['Compromised VPN Credentials (48%)',
                   'External Service Exploits (23%)',
                   'Credential Stuffing',
                   'Zero-Day Vulnerabilities'],
 'customer_advisories': ['Urgent Patching Notices',
                         'MFA Enforcement Guidelines'],
 'data_breach': {'data_encryption': 'Yes (Ransomware)',
                 'data_exfiltration': 'Likely (Ransomware Double Extortion)',
                 'personally_identifiable_information': 'Potential (via '
                                                        'Infostealers)',
                 'sensitivity_of_data': ['High (Credentials)',
                                         'Variable (Corporate/Data Theft)'],
                 'type_of_data_compromised': ['VPN Credentials',
                                              'Corporate Data (Ransomware)',
                                              'Potential PII (Infostealers)']},
 'date_detected': '2025-07-01',
 'date_publicly_disclosed': '2025-10-01',
 'description': 'Ransomware attacks surged in Q3 2025, with Akira, Qilin, and '
                'INC Ransomware groups accounting for 65% of cases. Initial '
                'access was primarily achieved via compromised VPN credentials '
                '(48% of breaches), followed by external service exploits '
                '(23%). Akira targeted SonicWall SSLVPN appliances using '
                'credential stuffing attacks, exploiting weak access controls '
                'like absent MFA. The quarter also saw a 38% increase in '
                'zero-day vulnerability advisories, including critical flaws '
                'in Microsoft SharePoint, CrushFTP, Cisco ASA VPN, and Citrix '
                'NetScaler. Beazley emphasized the need for continuous '
                'vulnerability management and robust MFA policies.',
 'impact': {'brand_reputation_impact': ['Erosion of Trust in Affected '
                                        'VPN/Software Vendors',
                                        'Reputational Damage to Victim '
                                        'Organizations'],
            'data_compromised': ['VPN Credentials',
                                 'Corporate Data (via Ransomware)',
                                 'Potential PII (via Infostealers)'],
            'identity_theft_risk': ['High (via Stolen Credentials)',
                                    'Potential Follow-on Attacks'],
            'operational_impact': ['Disrupted Business Operations (Ransomware)',
                                   'Increased Incident Response Workload',
                                   'Potential Supply Chain Risks'],
            'systems_affected': ['SonicWall SSLVPN Appliances',
                                 'Microsoft SharePoint',
                                 'CrushFTP Servers',
                                 'Cisco ASA VPN',
                                 'Citrix NetScaler']},
 'initial_access_broker': {'backdoors_established': 'Likely '
                                                    '(Post-Exploitation)',
                           'data_sold_on_dark_web': ['Stolen Credentials (via '
                                                     'Infostealers like '
                                                     'Rhadamanthys)',
                                                     'Potential Ransomware '
                                                     'Data Leaks'],
                           'entry_point': ['Compromised VPN Credentials (48%)',
                                           'External Service Exploits (23%)'],
                           'high_value_targets': ['VPN Appliances',
                                                  'Corporate Data Repositories',
                                                  'Zero-Day Vulnerable '
                                                  'Systems'],
                           'reconnaissance_period': 'Prolonged (Akira Campaign '
                                                    'Against SonicWall)'},
 'investigation_status': 'Ongoing (Beazley Security Labs & Affected Vendors)',
 'lessons_learned': ['Credential stuffing and weak MFA policies are primary '
                     'attack vectors for ransomware groups.',
                     'Zero-day exploits require continuous vulnerability '
                     'management and proactive mitigations.',
                     'Infostealers (e.g., Rhadamanthys) fuel credential-based '
                     'attacks, necessitating monitoring of cybercrime markets.',
                     'Exposed, unpatched devices should be assumed compromised '
                     'and investigated.'],
 'motivation': ['Financial Gain (Ransomware)',
                'Data Theft (Credential Harvesting)',
                'Cybercrime-as-a-Service (Infostealers)'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory MFA for all '
                                                   'remote access (VPN, RDP).',
                                                   'Automated vulnerability '
                                                   'scanning and patch '
                                                   'prioritization.',
                                                   'Dark web monitoring for '
                                                   'credential leaks.',
                                                   'Network segmentation and '
                                                   'micro-segmentation for '
                                                   'critical assets.',
                                                   'Incident response '
                                                   'playbooks updated for '
                                                   'ransomware/zero-day '
                                                   'scenarios.'],
                            'root_causes': ['Weak MFA and lockout policies on '
                                            'VPNs (SonicWall).',
                                            'Delayed patching of zero-day '
                                            'vulnerabilities (CVE-2025-*).',
                                            'Commoditization of stolen '
                                            'credentials via infostealers '
                                            '(e.g., Rhadamanthys).',
                                            'Insufficient network segmentation '
                                            'enabling lateral movement.']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Likely (Double Extortion Tactics)',
                'ransomware_strain': ['Akira', 'Qilin', 'INC Ransomware']},
 'recommendations': ['Implement comprehensive MFA and conditional access '
                     'policies for VPNs/remote access.',
                     'Enforce strong lockout policies and password hygiene to '
                     'mitigate credential stuffing.',
                     'Adopt continuous vulnerability management with '
                     'prioritized patching for critical CVEs.',
                     'Assume breach for internet-exposed, vulnerable devices '
                     'and conduct thorough investigations.',
                     'Monitor dark web for stolen credentials and proactively '
                     'rotate compromised accounts.',
                     'Segment networks to limit lateral movement in case of '
                     'ransomware infections.',
                     'Deploy behavioral WAFs and anomaly detection for '
                     'zero-day exploit prevention.'],
 'references': [{'source': 'Beazley Security Q3 2025 Report'},
                {'source': 'SonicWall SSL VPN Attacks Escalate, Bypassing MFA'},
                {'source': 'NIST CVE Database (CVE-2025-53770, CVE-2025-54309, '
                           'etc.)',
                 'url': 'https://nvd.nist.gov/'}],
 'response': {'communication_strategy': ['Beazley Security Advisories',
                                         'Vendor Security Bulletins (e.g., '
                                         'SonicWall, Microsoft)'],
              'containment_measures': ['Temporary Mitigations for Zero-Days',
                                       'Network Access Lockdowns',
                                       'Credential Rotation (for VPNs)'],
              'enhanced_monitoring': 'Recommended (for Zero-Day Exploits)',
              'incident_response_plan_activated': 'Likely (Beazley Insurance '
                                                  'Clients)',
              'network_segmentation': 'Recommended (for Critically Vulnerable '
                                      'Devices)',
              'remediation_measures': ['Patch Management for Zero-Days '
                                       '(CVE-2025-*)',
                                       'MFA Enforcement for VPNs',
                                       'Access Control Hardening (Lockout '
                                       'Policies)'],
              'third_party_assistance': ['Beazley Security Labs',
                                         'Cybersecurity Vendors (e.g., '
                                         'SonicWall, Microsoft)']},
 'stakeholder_advisories': ['Beazley Security Advisories',
                            'Vendor Patches/Workarounds (SonicWall, Microsoft, '
                            'etc.)'],
 'threat_actor': ['Akira Ransomware',
                  'Qilin Ransomware',
                  'INC Ransomware',
                  'Rhadamanthys Infostealer'],
 'title': 'Q3 2025 Ransomware Surge and VPN Credential Exploits',
 'type': ['Ransomware', 'Credential Stuffing', 'Zero-Day Exploits'],
 'vulnerability_exploited': ['Weak Access Controls (Absent MFA, Insufficient '
                             'Lockout Policies) in SonicWall SSLVPN',
                             'CVE-2025-53770 (Microsoft SharePoint '
                             "'ToolShell')",
                             'CVE-2025-54309 (CrushFTP)',
                             'CVE-2025-20333 & CVE-2025-20363 (Cisco ASA VPN)',
                             'CVE-2025-7775 (Citrix NetScaler)']}
```