A Beazley Security report on its Q3 incident response caseload found that **compromised VPN credentials** were the most common initial access vector, accounting for 48% of ransomware cases. The **Akira group** was the most active operator, gaining entry to victims' **SonicWall SSLVPN** appliances through **credential stuffing and brute-force attacks** that succeeded where MFA was weak or absent and lockout policies were insufficient; unpatched appliances compounded the weak credential hygiene. Separately, a breach of SonicWall's **cloud backup service** exposed **firewall configuration backups** belonging to customer devices, sensitive data that can facilitate follow-on attacks and **amplifies supply-chain risk** for those customers. Akira accounted for **39% of Beazley's incident response cases** in the quarter. The campaign illustrates how **credentials leaked or sold on the dark web** are weaponized by **initial access brokers** and ransomware affiliates to deploy ransomware across many victim environments, disrupting remote access and encrypting data at the affected organizations. The report does not confirm exfiltration beyond the configuration backups, but **broader data theft** (e.g., customer or employee PII) remains a latent risk given the double-extortion model these groups follow. The incident fits the wider trend of **VPN appliances as prime targets**, with the Akira activity against SonicWall SSLVPN serving as a case study in how stolen credentials are monetized into high-impact ransomware.
Source: https://thecyberexpress.com/stolen-vpn-credentials-most-common-ransomware-attack-vector/
SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall
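The summary above describes the attack as credential stuffing and brute force against SSL VPN logins that succeeded where MFA was absent and lockout policies were lax. The following detection logic, an added example that is not code from the source article, Beazley Security or SonicWall, runs over constructed authentication log lines and flags the four patterns a defender would look for: password spraying from one source, brute force on one account, a lockout policy that evidently never kicked in, and the decisive failure-then-success "hit". The key="value" layout and the field names (time, msg, usr, src) are assumptions loosely modelled on firewall syslog, not a documented SonicWall schema, and the thresholds are illustrative.

```python
# Added example: detect SSL VPN credential-attack patterns in auth logs.
# Not code from the source article, Beazley Security or SonicWall. Log lines
# are CONSTRUCTED; field names and thresholds are assumptions, not a real schema.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays five accounts, hammers a service
# account past any sane lockout threshold, then logs in; a second source is
# a normal user who mistyped a password once.
SAMPLE_LOG = """\
time="2025-09-14 02:00:01" msg="SSL VPN login failed" usr="a.adams" src=198.51.100.7:51201
time="2025-09-14 02:00:02" msg="SSL VPN login failed" usr="b.brown" src=198.51.100.7:51202
time="2025-09-14 02:00:03" msg="SSL VPN login failed" usr="c.clark" src=198.51.100.7:51203
time="2025-09-14 02:00:04" msg="SSL VPN login failed" usr="d.diaz" src=198.51.100.7:51204
time="2025-09-14 02:00:05" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51205
time="2025-09-14 02:00:06" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51206
time="2025-09-14 02:00:07" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51207
time="2025-09-14 02:00:08" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51208
time="2025-09-14 02:00:09" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51209
time="2025-09-14 02:00:10" msg="SSL VPN login failed" usr="svc_backup" src=198.51.100.7:51210
time="2025-09-14 02:00:11" msg="SSL VPN login succeeded" usr="svc_backup" src=198.51.100.7:51211
time="2025-09-14 08:15:00" msg="SSL VPN login failed" usr="j.doe" src=203.0.113.20:40001
time="2025-09-14 08:15:09" msg="SSL VPN login succeeded" usr="j.doe" src=203.0.113.20:40002
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Turn key="value" lines into time-sorted dicts: time, user, src IP, ok."""
    events = []
    for line in text.splitlines():
        kv = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
        msg = kv.get("msg", "")
        if "login" not in msg:
            continue  # not an authentication event
        events.append({
            "time": datetime.strptime(kv["time"], "%Y-%m-%d %H:%M:%S"),
            "user": kv["usr"],
            "src": kv["src"].split(":")[0],  # drop the source port
            "ok": "succeeded" in msg,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5,
           brute_failures=5, lockout_threshold=5, fail_then_success_min=3):
    """Return findings keyed by pattern: password_spray, brute_force,
    lockout_not_enforced, fail_then_success."""
    findings = defaultdict(list)

    # Spray and brute force: sliding window over failures, per source IP.
    failures_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_src[e["src"]].append(e)
    for src, fails in failures_by_src.items():
        max_users, brute_hits = 0, {}
        for i, start in enumerate(fails):
            in_win = [f for f in fails[i:] if f["time"] - start["time"] <= window]
            per_user = Counter(f["user"] for f in in_win)
            max_users = max(max_users, len(per_user))
            for user, n in per_user.items():
                if n >= brute_failures:
                    brute_hits[user] = max(brute_hits.get(user, 0), n)
        if max_users >= spray_users:
            findings["password_spray"].append({"src": src, "distinct_users": max_users})
        for user, n in brute_hits.items():
            findings["brute_force"].append({"src": src, "user": user, "failures": n})

    # Lockout and fail-then-success: consecutive-failure streak per account,
    # across all sources, so a stuffing campaign rotating IPs is still caught.
    streak = defaultdict(int)
    lockout_flagged = set()
    for e in events:
        u = e["user"]
        if e["ok"]:
            if streak[u] >= fail_then_success_min:
                findings["fail_then_success"].append(
                    {"user": u, "src": e["src"], "prior_failures": streak[u]})
            streak[u] = 0
        else:
            streak[u] += 1
            # The (threshold+1)th failure was evaluated instead of being
            # rejected as "account locked": no lockout policy stopped the guessing.
            if streak[u] > lockout_threshold and u not in lockout_flagged:
                lockout_flagged.add(u)
                findings["lockout_not_enforced"].append(
                    {"user": u, "failures_accepted": streak[u]})
    return dict(findings)


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(kind, hits)
```

On the sample, `svc_backup` triggers brute_force, lockout_not_enforced and fail_then_success, and the source 198.51.100.7 triggers password_spray; `j.doe` produces nothing. The fail_then_success hit on an account that is exempt from MFA is the one to act on immediately (rotate the credential, terminate the VPN session), and lockout_not_enforced is inferred from observed behaviour rather than read from the appliance configuration, so it is worth confirming against the actual lockout setting.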
{
  "id": "SON5792057112025",
  "linkid": "sonicwall",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Multiple (via Cloud Service '
'Breach)',
'industry': 'Cybersecurity',
'location': 'Global',
'name': 'SonicWall',
'type': 'Technology Vendor'},
{'industry': 'Networking',
'location': 'Global',
'name': 'Cisco',
'type': 'Technology Vendor'},
{'industry': 'Virtualization/Networking',
'location': 'Global',
'name': 'Citrix',
'type': 'Technology Vendor'},
{'industry': 'Multiple',
'location': 'Global',
'name': 'Unnamed Victims of Akira/Qilin/INC Ransomware',
'type': ['Enterprises', 'Organizations']}],
'attack_vector': ['Compromised VPN Credentials (48%)',
'External Service Exploitation (24%)',
'Remote Desktop Service (RDS) Credential Compromise (6%)',
'Supply Chain Attacks (6%)',
'Social Engineering (6%)',
'SEO Poisoning (Rhysida)',
'Malicious Advertisements',
'Phishing (Qilin, INC)',
'Exploitation of Enterprise Appliances (INC)',
'Credential Stuffing (Akira)',
'Brute Force Attacks (Akira, Qilin)'],
'customer_advisories': ['SonicWall (Cloud Breach Notification)'],
'data_breach': {'data_encryption': 'Yes (Ransomware Attacks)',
'data_exfiltration': 'Likely (Akira/Qilin/INC Modus Operandi)',
'personally_identifiable_information': 'Potential (Via '
'Credential '
'Theft/Ransomware)',
'sensitivity_of_data': ['High (Configuration Backups)',
'Potentially High (Ransomware)'],
'type_of_data_compromised': ['Configuration Backups '
'(SonicWall Cloud)',
'Potential PII/Enterprise Data '
'(Ransomware)']},
'date_publicly_disclosed': '2025-10-01T00:00:00Z',
'description': 'A report by Beazley Security found that nearly half '
'(48%) of the ransomware incidents it responded to in Q3 2025 '
'began with compromised VPN credentials as the initial access '
'vector. The Akira ransomware group was particularly active, '
'gaining access to SonicWall SSLVPN appliances through '
'credential stuffing and brute-force attacks that succeeded '
'where MFA was weak or absent, lockout policies were lax and '
'systems were unpatched. Qilin and INC also leveraged VPN/RDP '
'credential compromises, while exploitation of Cisco ASA and '
'Citrix NetScaler vulnerabilities and SEO poisoning (e.g., '
'Rhysida ransomware) were additional access vectors. The report '
'emphasizes the need for MFA on all remote access, dark web '
'monitoring for leaked credentials, and compensating controls '
'for MFA-exempt accounts.',
'impact': {'brand_reputation_impact': ['Erosion of Trust in VPN/RDP Security',
'Reputational Damage to '
'SonicWall/Cisco/Citrix'],
'data_compromised': ['Sensitive Configuration Backups (SonicWall '
'Cloud Breach)',
'Potential PII/Enterprise Data (via '
'Ransomware)'],
'identity_theft_risk': ['High (Due to Credential Theft)'],
'operational_impact': ['Disrupted Remote Access',
'Potential Data Encryption (Ransomware)',
'Supply Chain Risks'],
'systems_affected': ['SonicWall VPN Devices',
'Cisco ASA VPN Appliances',
'Citrix NetScaler Gateways',
'Enterprise Endpoints (via SEO Poisoning)']},
'initial_access_broker': {'backdoors_established': 'Likely '
'(Post-Exploitation)',
'data_sold_on_dark_web': 'Likely (Compromised '
'Credentials)',
'entry_point': ['VPN Credentials (48%)',
'RDP (6%)',
'External Services (24%)',
'SEO Poisoning (Rhysida)'],
'high_value_targets': ['Enterprise Appliances '
'(SonicWall/Cisco/Citrix)',
'Configuration Backups']},
'investigation_status': 'Completed (Beazley Security Analysis)',
'lessons_learned': ['MFA is critical for VPN/RDP access but must be '
'universally applied (no exceptions).',
'Dark web monitoring for leaked credentials can preempt '
'attacks.',
'Unpatched enterprise appliances (SonicWall/Cisco/Citrix) '
'are high-value targets.',
'SEO poisoning and malicious ads bypass traditional email '
'filters, requiring endpoint protection.',
'Credential stuffing/brute force attacks exploit weak '
'lockout policies and password hygiene.'],
'motivation': ['Financial Gain (Ransomware)',
'Data Theft',
'Unauthorized Access'],
'post_incident_analysis': {'corrective_actions': ['Mandate MFA for all remote '
'access.',
'Enforce password '
'complexity and lockout '
'policies.',
'Prioritize patching for '
'internet-facing '
'appliances.',
'Deploy dark web monitoring '
'for credential leaks.',
'Train users on SEO '
'poisoning and social '
'engineering risks.'],
'root_causes': ['Lack of Universal MFA on VPN/RDP',
'Weak Lockout Policies (SonicWall)',
'Unpatched Critical '
'Vulnerabilities (Cisco/Citrix)',
'Credential Hygiene Failures '
'(Reused/Weak Passwords)',
'Insufficient Dark Web Monitoring '
'for Leaked Credentials']},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Likely (Double Extortion Tactics)',
'ransomware_strain': ['Akira', 'Qilin', 'INC', 'Rhysida']},
'recommendations': ['Enforce MFA for all remote access solutions (VPN, RDP, '
'etc.) without exceptions.',
'Implement dark web monitoring for leaked credentials.',
'Apply patches promptly for critical vulnerabilities '
'(e.g., Cisco/Citrix).',
'Strengthen lockout policies to thwart brute force '
'attacks.',
'Educate users on SEO poisoning risks (e.g., fake '
'productivity tools).',
'Segment networks to limit lateral movement '
'post-compromise.',
'Audit and remove default/weak credentials from '
'enterprise appliances.'],
'references': [{'date_accessed': '2025-10-01',
'source': 'Beazley Security Q3 2025 Ransomware Report'}],
'response': {'communication_strategy': ['Public Report by Beazley Security'],
'containment_measures': ['MFA Enforcement for Remote Access',
'Dark Web Monitoring for Leaked '
'Credentials',
'Patching Critical Vulnerabilities '
'(Cisco/Citrix)',
'Compensating Controls for MFA-Exempt '
'Accounts'],
'enhanced_monitoring': ['Dark Web Monitoring for Credentials'],
'incident_response_plan_activated': 'Yes (Beazley Security '
'Incident Response)',
'remediation_measures': ['Credential Rotation for Compromised '
'Accounts',
'Lockout Policy Enhancements '
'(SonicWall)',
'VPN/RDP Hardening'],
'third_party_assistance': ['Beazley Security '
'(Insurance/Cybersecurity Arm)']},
'stakeholder_advisories': ['Beazley Security Report (Public)'],
'threat_actor': ['Akira',
'Qilin',
'INC Ransomware',
'Rhysida',
'Unnamed Sophisticated Threat Actor (Cisco Exploits)'],
'title': 'Rise in Ransomware Attacks Exploiting Compromised VPN Credentials '
'in Q3 2025',
'type': ['Ransomware', 'Credential Theft', 'Vulnerability Exploitation'],
'vulnerability_exploited': ['SonicWall SSLVPN (Weak MFA/Access Controls)',
'CVE-2025-20333 (Cisco ASA VPN)',
'CVE-2025-20363 (Cisco ASA VPN)',
'CVE-2025-20352 (Cisco IOS SNMP Flaw)',
'CVE-2025-7775 (Citrix NetScaler)',
'CVE-2025-5777 (Citrix Bleed 2)']}