
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

2 unique sources, 2 articles

Summary


The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Timeline

  1. 11.09.2025 13:33 · 2 articles

    Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

    Since late July 2025, the Akira ransomware group has been actively targeting SonicWall SSL VPN devices for initial access. The group exploits a year-old vulnerability (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and infiltrate networks. The Australian Cyber Security Centre (ACSC) has issued an alert about the increased exploitation of this vulnerability. Cybersecurity firm Rapid7 has reported a resurgence in Akira ransomware attacks on SonicWall devices, likely due to incomplete remediation. SonicWall has confirmed that the recent activity is not connected to a zero-day vulnerability but is related to CVE-2024-40766. The vendor has advised system administrators to update to firmware version 7.3.0 or later, rotate passwords, enforce multi-factor authentication (MFA), and restrict Virtual Office Portal access to trusted/internal networks.


Similar Happenings

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's support for RC4 encryption and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised nearly 5.6 million individuals' personal and medical information. The breach occurred when a contractor's system was infected via a malicious link on Microsoft's Bing search engine. Attackers exploited insecure default settings and Kerberoasting techniques to gain elevated access to Ascension's network. Microsoft has acknowledged the vulnerabilities and plans to deprecate RC4 support in future updates. Wyden has criticized Microsoft for not clearly warning customers about the risks associated with RC4 encryption and for not taking decisive action to mitigate security risks.

Massive 1.5 Bpps DDoS attack targets European DDoS mitigation provider

A European DDoS mitigation service provider was targeted in a large-scale DDoS attack reaching 1.5 billion packets per second (Bpps). The attack, a UDP flood, originated from thousands of compromised IoT devices and MikroTik routers across over 11,000 unique networks worldwide and aimed to exhaust the provider's packet-processing capacity and cause service outages. FastNetMon mitigated the attack using real-time detection and access control lists (ACLs) deployed on edge routers. This event highlights the growing threat of massive DDoS attacks leveraging compromised consumer hardware, and FastNetMon's founder emphasized the need for ISP-level intervention to prevent such attacks.

Scattered Spider Social Engineering Attack on Clorox via Cognizant Service Desk

In August 2023, the Scattered Spider group exploited human fallibility to hack Clorox by repeatedly calling the service desk run by Cognizant. The attackers impersonated locked-out employees and requested password and MFA resets without proper verification. This led to domain-admin access and significant financial damage, including $380 million in losses due to operational paralysis and data loss. The attack highlights the risks of weak verification processes in outsourced service desks. The attackers successfully obtained repeated resets by mimicking legitimate user behavior and pressuring service desk agents to skip security protocols. The impact included production system outages, manufacturing pauses, manual order processing, and shipment delays, resulting in substantial business-interruption losses and remedial costs. The incident underscores the importance of robust caller verification and enforcement of security protocols in third-party service desks to prevent similar attacks.