Akira ransomware group SonicWall initial-access campaign
Campaign
Summary
The Akira ransomware group is associated with a continuing SonicWall SSL VPN initial-access campaign that uses CVE-2024-40766 and related credential abuse to breach victim networks. A newer victim-impact update shows Marquis Software Solutions was hit by a ransomware attack on August 14, 2025 through a SonicWall firewall, exposing files with personal information for customers of 74 banks and credit unions and affecting over 400,000 customers. Marquis says there is no evidence the data has been misused or published, while the breach details reinforce the campaign’s focus on SonicWall VPN access and post-compromise theft.
Cases
Related Happenings
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
First: 07.04.2026 20:02
Last: 07.04.2026 20:02
Sources 1
About this happening:
Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...
Timeline
- 04.12.2025 00:06 · 1 article · 5mo ago
Marquis Software Solutions breach impacts over 400,000 customers
Victim Impact Update: Marquis Software Solutions says a ransomware attack on August 14, 2025 breached its network through a SonicWall firewall and exposed files containing personal information for customers of 74 banks and credit unions, affecting over 400,000 customers; Marquis says there is no evidence the data has been misused or published anywhere.
Sources:
- Marquis data breach impacts over 74 US banks, credit unions — www.bleepingcomputer.com — 04.12.2025 00:06
- 11.09.2025 13:33 · 4 articles · 8mo ago
Akira targeting of SonicWall devices for initial access
Campaign Scope Update: Rapid7 and SonicWall described continued Akira-affiliated targeting of SonicWall devices for initial access, with increased intrusions over the past month and renewed activity since late July 2025. SonicWall tied the abuse to CVE-2024-40766, warning that brute-forced credentials, misconfigured LDAP SSL VPN Default User Groups, and exposed Virtual Office Portal access can let compromised accounts inherit sensitive permissions and enable unauthorized network access.
Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53