Hashtag
#Akiraransomware
Preview
LG Energy Solution Hit by Akira Ransomware, Data Breach Confirmed  LG Energy Solution, a leading South Korean battery manufacturer with global operations, confirmed a significant ransomware incident affecting one of its overseas facilities in mid-November 2025. The company announced that only a "specific overseas facility" was targeted, emphasizing that its headquarters and other international sites remained unaffected.  Rapid containment and recovery efforts returned the impacted facility to normal operations, and full-scale investigations involving internal and external cybersecurity teams were launched to trace the breach’s access points and bolster defenses against future attacks. The official disclosure followed public claims by the Akira ransomware gang, which took credit for the breach and threatened to release the stolen data if their demands weren’t met. The Akira ransomware collective, flagged internationally for targeting high-value industrial companies, claimed it had exfiltrated around 1.67 terabytes of data from LG Energy Solution, including corporate documents, employee personal information (such as visas, passports, medical records, and ID cards), financial data, details about confidential projects, non-disclosure agreements, and contracts with clients and suppliers. If verified, this data trove represents a severe threat, as it contains operational blueprints, intellectual property, and sensitive workforce details potentially enabling further cyberattacks or destructive phishing schemes. Akira’s own statements suggested that they might soon publish internal documents and SQL databases unless LG Energy Solution entered into negotiations. Though the direct operational disruption at the overseas site proved temporary, the aftermath presents enduring risks. 
Ransomware gangs increasingly target manufacturers like LG, whose products are vital for industries such as electric vehicles and energy storage, causing ripple effects throughout global supply chains. The battery sector has seen a surge in attacks due to its strategic role, narrow recovery windows, and high-value data.  LG Energy Solution’s breach underscores growing concerns about cyber extortion targeting energy and manufacturing sectors, especially as international regulatory pressures mount and law enforcement agencies heighten scrutiny of cybercriminal operations. Industry experts forecast more ransomware attempts on energy sector companies, with supply chain vulnerabilities and third-party vendor networks presenting further risks for cascading attacks. As investigations continue, LG Energy Solution remains focused on remediation, securing network pathways, and working with authorities to mitigate long-term consequences. The incident’s true impact will also depend on whether stolen data is published, which could have severe repercussions for strategic relationships, business operations, and the wider EV battery supply chain.

LG Energy Solution Hit by Akira Ransomware, Data Breach Confirmed #AkiraRansomware #DataBreach #LGEnergySolution

0 0 0 0
Preview
LG Energy Solution Data Breach May Have Exposed 1.7TB of Employee Records and SQL Data The Akira hacking group claims to have breached LG Energy Solution, alleging the theft of 1.7 TB of sensitive data, including employee and corporate files.

Full breakdown:
www.technadu.com/lg-energy-so...

#CyberSecurity #LGES #AkiraRansomware #ThreatIntel #DataLeak #ManufacturingSecurity

0 0 0 0

Akira ransomware has targeted over 250 organizations globally, extorting $244 million. Stay vigilant and implement robust cybersecurity measures to protect your business. #CyberSecurity #Ransomware #AkiraRansomware Link: thedailytechfeed.com/akira-ransom...

1 0 0 0

Data breaches and ransomware hit the Washington Post, DoorDash and Synnovis in 2025, amid zero-day exploits, social engineering and billion-dollar Bitcoin fraud.

#AkiraRansomware #Bitcoin #cisa #databreach #Qilin #Ransomware
www.matricedigitale.it/2025/11/14/v...

0 0 0 0
Preview
Akira Ransomware Claims 23GB Data Theft in Alleged Apache OpenOffice Breach

The Akira ransomware group has reportedly claimed responsibility for breaching Apache OpenOffice, asserting that it stole 23 gigabytes of sensitive internal data from the open-source software foundation.

The announcement was made on October 29 through Akira’s dark web leak site, where the group threatened to publish the stolen files if its ransom demands were not met. Known for its double-extortion tactics, Akira typically exfiltrates confidential data before encrypting victims’ systems to increase pressure for payment.

Apache OpenOffice, a long-standing project under the Apache Software Foundation, provides free productivity tools that rival commercial platforms such as Microsoft Office. Its suite includes Writer, Calc, Impress, Draw, Base, and Math, and it supports more than 110 languages across major operating systems. The software is widely used by educational institutions, small businesses, and individuals around the world.

Despite the severity of the claims, early reports indicate that the public download servers for OpenOffice remain unaffected, meaning users’ software installations are currently considered safe.

Details of the Alleged Breach

According to Akira’s post, the data set includes personal details of employees such as home addresses, phone numbers, birth dates, driver’s licenses, Social Security numbers, and credit card information. The hackers also claim to have financial documents, internal communications, and detailed technical reports related to application bugs and development work.

In their online statement, the group said, “We will upload 23 GB of corporate documents soon,” implying the data could soon be released publicly. As of November 1, the Apache Software Foundation has not confirmed or denied the breach. Representatives have declined to comment, and independent investigators have not yet verified the authenticity of the stolen data.

Experts caution that, if genuine, the leak could expose staff to identity theft and phishing attacks. However, the open-source nature of the software itself likely limits risks to the product’s source code.

Akira’s Growing Threat

Akira emerged in March 2023 and operates as a ransomware-as-a-service network, offering its tools to affiliates in exchange for a share of the profits. The group has executed hundreds of attacks across North America, Europe, and Asia, reportedly extorting tens of millions of dollars from victims. Akira’s malware variants target both Windows and Linux systems, including VMware ESXi environments.

In some cases, the hackers have even used compromised webcams for added intimidation. The group communicates in Russian on dark web forums and is known to avoid attacking computers configured with Russian-language keyboards.

The alleged Apache OpenOffice incident comes amid a surge in ransomware attacks on open-source projects. Security experts are urging volunteer-based organizations to adopt stronger defenses, better data hygiene, and more robust incident response protocols.

Until the claim is verified or disproved, users and contributors to Apache OpenOffice are advised to stay alert for suspicious activity and ensure that backups are secure and isolated from their main systems.

Akira Ransomware Claims 23GB Data Theft in Alleged Apache OpenOffice Breach #AkiraRansomware #cyberattack #News

0 1 0 0
Preview
Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC   Despite the growing cyber risk landscape in Asia-Pacific, ransomware operations continue to tighten their grip on India and the broader region, as threat actors more often seek to exploit network vulnerabilities and target critical sectors in order to get a foothold in the region.  It is essential to note that Cyble's Monthly Threat Landscape Report for July 2025 highlights a concerning trend: cybercriminals are no longer merely encrypting systems for ransom; they are systematically extracting sensitive information, selling network access, and exposing victims to the public in underground marketplaces.  In recent weeks, India has been a focal point of this escalation, with a string of damaging breaches taking place across a number of key industries. Recently, the Warlock ransomware group released sensitive information concerning a domestic manufacturing company. This information included employee records, financial reports, and internal HR files. Parallel to this, two Indian companies – a technology consulting firm and a SaaS provider – have been found posting stolen data on dark web forums that revealed information on customers, payment credentials, and server usage logs.  Further compounding the threat, the report claims that credentials granting administrative control over an Indian telecommunications provider’s infrastructure were being sold for an estimated US$35,000 as a way of monetizing network intrusions, highlighting the increasing monetization of network hacking.  Throughout the region, Thailand, Japan, and Singapore are the most targeted nations for ransomware, followed by India and the Philippines, with manufacturing, government, and critical infrastructure proving to be the most targeted sectors. 
As the region's digital volatility continues, the pro-India hacktivist group Team Pelican Hackers has been claiming responsibility for hacking multiple Pakistani institutions and leaking sensitive academic data and administrative data related to research projects, which demonstrates that cyber-crime is going beyond financial motives in order to serve as a form of geopolitical signaling in the region.  Security experts across the region are warning about renewed exploitation of SonicWall devices by threat actors linked to the Akira ransomware group among a growing number of ransomware incidents that have swept across the region. Since the resurgence of Akira's activity occurred in late July 2025, there has been a noticeable increase in intrusions leveraging SonicWall appliances as entry points. Rapid7 researchers have documented this increase. An attacker, according to the firm, is exploiting a critical vulnerability that dates back a year—identified as CVE-2024-40766 with a CVSS score of 9.3—that is linked to a vulnerability in the SSL VPN configuration on the device. It is clear that this issue, which led to local user passwords persisting rather than being reset after migration, has provided cybercriminals with a convenient way to compromise network defenses.  It was SonicWall who acknowledged the targeted activity, and confirmed that malicious actors were attempting to gain unauthorized access to the network using brute force. According to the company, administrators should activate Botnet Filtering for the purpose of blocking known malicious IP addresses as well as enforce strict Account Lockout policies to take immediate measures. As ransomware campaigns that exploit VPN vulnerabilities continue to increase, proactive security hygiene is becoming increasingly important.  
The increasing cybercrime challenges in the Asia-Pacific region are being exacerbated by recent findings from Barracuda's SOC Threat Radar Report, which indicate a significant increase in attacks exploiting vulnerabilities in VPN infrastructures and Microsoft 365 accounts. Throughout the study, threat actors are becoming increasingly stealthy and adopting Python-based scripts to avoid detection and maintain persistence within targeted networks.  It has been determined that the Akira ransomware syndicate has increased its operations significantly, compromising outdated or unpatched systems rapidly, leading to significant losses for the syndicate. A number of intrusions have been traced back to exploitation of a known flaw in SonicWall VPN appliances — CVE-2024-40766 — that allows attackers to manipulate legacy credentials that haven’t been reset after migration.  A month ago, there was a patch released which addressed the issue. However, many organizations across the APAC region have yet to implement corrective measures, leaving them vulnerable to renewed exploitation in the coming months. In multiple instances, Akira operators have been observed intercepting one-time passwords and generating valid session tokens using previously stolen credentials, effectively bypassing multi-factor authentication protocols, even on patched networks.  In order to achieve such a level of sophistication, the group often deploys legitimate remote monitoring and management tools in order to disable security software, wipe backups, and obstruct remediation attempts, allowing the group to effectively infiltrate systems without being detected. There has been a sustained outbreak of such attacks in Australia and other Asian countries, which indicates how lapses in patch management, the use of legacy accounts, and the failure to rotate high-privilege credentials continue to amplify risk exposure, according to security researchers.  
There is no doubt that a prompt application of patches, a rigorous password reset, and a strict credential management regime are crucial defenses against ransomware threats as they evolve. There is no doubt that manufacturing is one of the most frequently targeted industries in the Asia-Pacific region, as more than 40 percent of all reported cyber incidents have been related to manufacturing industries.  Several researchers attribute this sustained attention to the sector's intricate supply chains, its dependence on outdated technologies, and the high value of proprietary data and intellectual property that resides within operational networks, which makes it a target for cybercriminals. It has been common for attackers to exploit weak server configurations, steal credentials, and deploy ransomware to disrupt production for financial gain.  Approximately 16 percent of observed attacks occurred in the financial sector and insurance industry, with adversaries infiltrating high-value systems through sophisticated phishing campaigns and malware. The purpose of these intrusions was not only to steal sensitive information, such as customer and payment information, but also to maintain persistent access for prolonged reconnaissance.  Among the targeted entities, the transportation industry, which accounts for around 11 percent of all companies targeted, suffered from an increase in attacks intended to disrupt logistics and operational continuity as a consequence of its heavy reliance on remote connectivity and third-party digital infrastructure.  In the wider APAC context, cybercriminals are increasingly pursuing both operational and financial goals in these attacks, aiming to disrupt as well as monetize. 
It is still very common for threat actors to steal trade secrets, customer records, and confidential enterprise information, making data theft one of the most common outcomes of these attacks.  Despite the fact that credential harvesting is often facilitated by malware that steals information from compromised systems, this method of extortion continues to enable subsequent breaches and lateral movement within compromised systems. Furthermore, the extortion-based operation has evolved, with many adversaries now turning to non-encrypting extortion schemes to coerce victims, rather than using ransomware encryption, emphasizing the change in cyber threats within the region.  Several experts have stressed that there is no substitute for a multilayered and intelligence-driven approach to security in the Asia-Pacific region that goes beyond conventional security frameworks in order to defend against the increasing tide of ransomware. Static defenses are not sufficient in an era in which threat actors have evolved their tactics at a speed and with a precision that is unprecedented in history.  A defence posture that is based on intelligence must be adopted by organizations, continuously monitoring the tactics, techniques, and procedures used by ransomware operators and initial access brokers in order to identify potential intrusions before they arise. As modern "sprinter" ransomware campaigns have been exploiting vulnerabilities within hours of public disclosure, agile patch management is a critical part of this approach. There is no doubt that timely identification of vulnerable systems and remediation of those vulnerabilities, as well as close collaboration with third party vendors and suppliers to ensure consistency in patching, are critical components of an effective cyber hygiene program. It is equally important to take human factors into consideration.  The most common attack vector that continues to be exploited is social engineering. 
Therefore, it is important to conduct continuous awareness training tailored to employees who are in sensitive or high-privilege roles, such as IT and helpdesk workers, to reduce the potential for compromise. Furthermore, security leaders advise organizations to adopt a breach-ready mindset, which means accepting the possibility of a breach of even the most advanced defenses. If an attack occurs, containing damage and ensuring continuity of operations can be achieved through the use of network segmentation, immutable data backups, and a rigorously tested incident response plan to strengthen resilience. Using actionable intelligence combined with proactive risk management, as well as developing a culture of security awareness, APAC enterprises can be better prepared to cope with the relentless wave of ransomware threats that continue to shape the digital threat landscape and recover from them.  A defining moment in the Asia-Pacific cybersecurity landscape is the current refinement of ransomware groups' tactics as they continue to exploit every weakness in enterprise defenses. Those recent VPN-based cyber-attacks and data exfiltration incidents should serve as a reminder that cyber resilience is no longer just an ambition; it is a business imperative as well. Organizations are being encouraged to shift away from reactive patching and adopt a culture that emphasizes visibility, adaptability, and intelligence sharing as the keys to continuous security maturity.  Collaboration between government, the private sector, and the cybersecurity community can make a significant contribution to the development of early warning systems and collective response abilities. A number of measures can help organizations detect threats more efficiently, enforce zero-trust architectures, and conduct regular penetration tests, which will help them identify any vulnerabilities before adversaries take advantage of them.  
Increasingly, digital transformation is accelerating across industries, which makes the importance of integrating security by design—from supply chains to cloud environments—more pressing than ever before. Cybersecurity can be treated by APAC organizations as an enabler rather than as a compliance exercise, which is important since such enterprises are able to not only mitigate risks, but also build digital trust and operational resilience during an age in which ransomware threats are persistent and sophisticated.

Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC #AkiraRansomware #APACCybercrime #cyberresilience

0 0 0 0
Preview
Open-Source Red Team Tool Adaptix Framework Exploited by Cybercriminals with Russian Ties, Including Akira The Adaptix red team tool is used to deliver malicious payloads in ransomware campaigns, including Akira, with strong links to the Russian criminal underworld.

Read full details: www.technadu.com/open-source-...

💬 What’s your opinion on how open-source tools should be regulated or managed to prevent abuse? Comment below.
#CyberSecurity #Adaptix #AkiraRansomware #ThreatIntel #Infosec #TechNadu

0 0 0 0
Preview
Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge  The number of active ransomware groups has reached an unprecedented high, marking a new phase in the global cyber threat landscape. According to GuidePoint Security’s latest Ransomware & Cyber Threat Report, the total number of active groups surged 57%, climbing from 49 in the third quarter of 2024 to an all-time peak of 77. Despite this sharp rise, the number of victims has remained consistent, averaging between 1,500 and 1,600 per quarter since late last year.  The United States continues to bear the brunt of these attacks, accounting for 56% of all reported victims. Germany and the United Kingdom followed distantly at 5% and 4%, respectively. Manufacturing, technology, and the legal sectors were among the hardest hit, with the manufacturing industry alone reporting 252 publicly claimed attacks in the second quarter—a 26% increase from the previous quarter.  GuidePoint’s senior threat intelligence analyst, Nick Hyatt, noted that while the overall ransomware volume has stabilized, the number of distinct groups is soaring. He explained that this growth reflects both the consolidation of experienced threat actors under major ransomware-as-a-service (RaaS) platforms and the influx of newer, less skilled operators trying to gain traction in the ecosystem.  Among the most active groups, Qilin led with a dramatic 318% year-over-year surge, claiming 234 victims this quarter. Akira followed with 130 victims, while IncRansom—first detected in August 2023—emerged as the third most active group after a sharp increase in attacks. Another rising player, SafePay, has steadily expanded its operations since its appearance in late 2024, now linked to 258 victims across 29 industries and 30 countries in 2025 alone.  
GuidePoint’s researchers also observed a growing number of unclaimed or unattributed ransomware attacks, suggesting that many threat actors are either newly formed or deliberately avoiding public identification. This trend points to an increasingly fragmented and unpredictable ransomware environment.  While the stabilization in overall attack numbers might appear reassuring, experts warn against complacency. The rapid diversification of ransomware groups and the proliferation of smaller, anonymous actors underline the evolving sophistication of cybercrime. As Hyatt emphasized, this “new normal” reflects a sustained, adaptive threat landscape that demands continuous vigilance, proactive defense strategies, and cross-industry collaboration to mitigate future risks.

Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge #AkiraRansomware #CyberCrime #CyberSecurityRansomwareAttacks

0 0 0 0
Preview
Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices  The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear.  Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.   The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point. In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems.  
Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials.  To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected.  The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices #Akira #AkiraRansomware #ArcticWolf

0 0 0 0
Preview
Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit  Akira ransomware affiliates need less than four hours to breach organizations and launch attacks, according to researchers at Arctic Wolf. The group is exploiting stolen SonicWall SSL VPN credentials and has reportedly found ways to bypass multi-factor authentication (MFA). Once inside, attackers quickly begin scanning networks to identify services and weak accounts. They leverage Impacket to establish SMB sessions, use RDP for lateral movement, and eventually target Domain Controllers, virtual machine storage, and backups. Additional accounts, including domain accounts, are created to install remote monitoring and management (RMM) tools and enable data theft. The process also includes establishing command-and-control channels, exfiltrating sensitive data, disabling legitimate RMM and EDR tools, deleting shadow copies and event logs, and using WinRAR with rclone or FileZilla for data transfers. The attack culminates with the deployment of Akira ransomware. Akira activity has been rising since July 2025. Early reports suggested a SonicWall zero-day exploit, but investigations revealed attackers were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN. Though SonicWall released a patch in August 2024, some organizations failed to reset SSL VPN passwords after upgrading from Gen 6 to Gen 7 firewalls, leaving them exposed. Experts believe that attackers harvested privileged account credentials months earlier and are now reusing them against organizations that patched but never rotated passwords. Rapid7 also identified other weaknesses being exploited, including misconfigured SSLVPN Default User Group settings and the externally exposed Virtual Office Portal, which attackers use to configure OTP MFA on compromised accounts. 
“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers stated. “Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”

So far, victim organizations span multiple industries and sizes, indicating opportunistic targeting rather than focused campaigns. Researchers emphasize that the minimal time between breach and ransomware execution makes early detection and rapid response essential.

Defensive Measures

Arctic Wolf recommends organizations take the following steps:
* Monitor or block logins originating from VPS hosting providers.
* Watch for abnormal SMB and LDAP activity linked to Impacket and discovery tools.
* Detect unusual execution of scanning and archival utilities on servers.
* Leverage App Control for Business to restrict unauthorized remote tools and block execution from untrusted paths.

“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf advised. “This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.”

Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit #AkiraRansomware #ArcticWolfsecurityresearch #CVE202440766exploit

0 0 0 0
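The two Arctic Wolf posts above describe the same observable pattern: repeated OTP challenges shortly before a successful SSL VPN login (event ID 1080), no OTP configuration change (event ID 1382) in the preceding five days, and logins arriving from VPS hosting ranges. The script below turns those observations into a small triage routine over constructed log lines; it is an added example, not code from Arctic Wolf or SonicWall, and the line format, the placeholder event id 9999 for "OTP challenge issued", and the VPS address range are assumptions for this example.

```python
"""Triage of SSL VPN logs for the Akira-on-SonicWall pattern (constructed example).

The log lines use a constructed, simplified format, NOT SonicWall's real syslog
schema. Event IDs 1080 (SSL VPN login) and 1382 (OTP unbinding / config change)
are the ones cited in the Arctic Wolf report; the OTP-challenge id and the
"VPS hosting" address range are placeholders chosen for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) id=(?P<id>\d+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'msg="(?P<msg>[^"]*)"$'
)

EVT_SSLVPN_LOGIN = 1080       # cited in the report: SSL VPN login
EVT_OTP_CONFIG_CHANGE = 1382  # cited in the report: OTP unbinding / config change
EVT_OTP_CHALLENGE = 9999      # placeholder id for "OTP challenge issued" (constructed)

OTP_BURST_THRESHOLD = 3                 # challenges before one login that look like guessing
OTP_BURST_WINDOW = timedelta(minutes=10)
CONFIG_LOOKBACK = timedelta(days=5)     # the report checked the five days before intrusion

# Constructed "VPS hosting provider" range (TEST-NET-2 documentation space).
VPS_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(d["id"]),
        "user": d["user"],
        "src": ipaddress.ip_address(d["src"]),
        "msg": d["msg"],
    }


def from_vps(addr, nets=VPS_NETS):
    """True if the source address falls inside a known hosting-provider range."""
    return any(addr in n for n in nets)


def triage(lines, nets=VPS_NETS):
    """Return one finding per successful SSL VPN login that trips any rule."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["id"] != EVT_SSLVPN_LOGIN:
                continue
            prior = evs[:i]  # events for this user strictly before the login
            flags = []
            burst = [p for p in prior if p["id"] == EVT_OTP_CHALLENGE
                     and e["ts"] - p["ts"] <= OTP_BURST_WINDOW]
            if len(burst) >= OTP_BURST_THRESHOLD:
                flags.append("otp_burst_before_login")
            if any(p["id"] == EVT_OTP_CONFIG_CHANGE
                   and e["ts"] - p["ts"] <= CONFIG_LOOKBACK for p in prior):
                flags.append("otp_config_changed_recently")
            if from_vps(e["src"], nets):
                flags.append("login_from_vps_range")
            if flags:
                findings.append({"user": user, "ts": e["ts"].isoformat(),
                                 "src": str(e["src"]), "flags": flags})
    return findings


# Constructed sample log: jdoe shows the burst-then-login pattern from a VPS
# range, asmith had an OTP binding removed two days before logging in, and
# bwong is an ordinary login that should not be flagged.
SAMPLE_LOG = """\
2025-09-10T01:00:00Z id=9999 user=jdoe src=198.51.100.7 msg="OTP challenge issued"
2025-09-10T01:00:20Z id=9999 user=jdoe src=198.51.100.7 msg="OTP challenge issued"
2025-09-10T01:00:45Z id=9999 user=jdoe src=198.51.100.7 msg="OTP challenge issued"
2025-09-10T01:01:10Z id=1080 user=jdoe src=198.51.100.7 msg="SSL VPN user login successful"
2025-09-08T09:00:00Z id=1382 user=asmith src=192.0.2.50 msg="OTP binding removed"
2025-09-10T08:30:00Z id=1080 user=asmith src=192.0.2.50 msg="SSL VPN user login successful"
2025-09-10T08:31:00Z id=9999 user=bwong src=192.0.2.60 msg="OTP challenge issued"
2025-09-10T08:31:30Z id=1080 user=bwong src=192.0.2.60 msg="SSL VPN user login successful"
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A real deployment would read the appliance's syslog export and replace the placeholder VPS list with a maintained hosting-provider feed; the rules themselves are the part worth keeping.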
Preview
FysioRoadmap responds to data breach and Akira ransomware breaks MFA protection of SonicWall VPN / Het Cyber Journaal | Cybercrimeinfo.nl FysioRoadmap responds to a data breach and Akira ransomware breaks the MFA protection of SonicWall VPN, while the hacker groups LAPSUS$, Scattered Spider and ShinyHunters remain active

FysioRoadmap responds to data breach and Akira ransomware breaks MFA protection of SonicWall VPN

www.ccinfo.nl/het-cyber-jo...

#FysioRoadMap #AkiraRansomware #MFAbeveiliging #LAPSUS$ #Cybercrime
#Cyberjournaal
#Discussiepodcast #Analysepodcast

0 0 0 0

Akira ransomware campaign targets SonicWall VPNs

#AkiraRansomware @AWNetworks #ArcticWolf #Cybersecurity #Cybersicherheit #Ransomware #Security #Sonicwall #SSLVPN

netzpalaver.de/2025/...

1 0 0 0
Preview
Akira ransomware breaching MFA-protected SonicWall VPN accounts

Akira ransomware breaching MFA-protected SonicWall VPN accounts reconbee.com/akira-ransom...

#Akiraransomware #MFA #sonicWall #VPN #cyberattack

0 0 0 0

Akira ransomware hits SonicWall VPN, the EU investigates SAP over anti-competitive practices, and Oyster malware spreads through fake Teams installers.

#AkiraRansomware #malvertising #Oyster #SAP #SonicWall #UE
www.matricedigitale.it/2025/09/28/a...

0 0 0 0
Preview
Ransomware Groups Still Exploiting SonicWall Firewall Vulnerability Despite Patch

More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations. Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall. Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware:
* CVE-2024-40766, which remains unpatched in some environments.
* A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains: “This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.” “This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”
* Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts.

The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766. According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer.

Recommended Mitigations

Organizations relying on SonicWall firewalls are advised to:
* Rotate passwords on all SonicWall local accounts and delete unused ones.
* Enforce MFA/TOTP for SSLVPN services.
* Set the Default LDAP User Group to “None.”
* Restrict Virtual Office Portal access to trusted local networks and closely monitor usage.
* Ensure all appliances run the latest firmware updates.

SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.

Ransomware Groups Still Exploiting SonicWall Firewall Vulnerability Despite Patch #AkiraRansomware #CVE202440766 #SonicOS730

0 1 0 0
Preview
SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers

SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers reconbee.com/sonicwall-ss...

#SonicWall #SSL #VPN #AKIRA #akiraransomware #hackers #cyberattack

0 0 0 0
Preview
Akira ransomware crims abusing trifecta of SonicWall flaws: Patch, turn on MFA, and restrict access to trusted networks…or else

Akira ransomware exploits three SonicWall flaws—including CVE-2024-40766 and SSLVPN misconfigs—to breach networks fast. Patch, enable MFA, and restrict access now. 🔐⚠️ #AkiraRansomware #Vulnerability

0 0 0 0
Preview
Akira ransomware crims abusing trifecta of SonicWall flaws: Patch, turn on MFA, and restrict access to trusted networks…or else

#Akira #ransomware crims abusing trifecta of #SonicWall security holes for extortion attacks
www.theregister.com/2025/09/10/a...

#Patch, turn on #MFA, and restrict access to trusted networks... or else.
#CyberSecurity #InfoSec #CyberCrime #ThreatIntelligence #AkiraRansomware #CVE202440766

1 0 0 0

🚨 Akira ransomware gang claims to have breached Michigan Sugar
📂 40 GB stolen (corporate + driver’s licenses + medical info)
🌾 3rd-largest U.S. beet sugar processor now targeted
Critical industries are no longer safe from ransomware.

#AkiraRansomware #CyberAttack #DataBreach #MichiganSugar

0 0 0 0
Preview
Hackers Bypassed Microsoft Defender to Deploy Ransomware on PCs

GuidePoint Security's latest report reveals a sophisticated Akira ransomware campaign exploiting SonicWall VPNs through the strategic use of malicious Windows drivers. The campaign, which began in late July 2025, represents a significant escalation in the group's tactics for evading security controls.

From late July through early August 2025, multiple security vendors reported a surge in Akira ransomware deployments following SonicWall VPN exploitation. While the underlying cause remains disputed—potentially involving a zero-day vulnerability—SonicWall has acknowledged the activity but hasn't disclosed specific vulnerability details.

Key technical findings

GuidePoint's incident response teams identified two drivers consistently used by Akira affiliates in a Bring Your Own Vulnerable Driver (BYOVD) attack chain:

* Primary Driver - rwdrv.sys: This legitimate driver from ThrottleStop, a Windows performance monitoring utility for Intel CPUs, is being weaponized by attackers. Once registered as a service, it provides kernel-level access to compromised systems, essentially giving attackers the highest privileges possible on Windows machines.
* Secondary Driver - hlpdrv.sys: This malicious driver specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through automated registry edits. The driver's hash has been identified in commercial malware repositories.

The researchers suspect the legitimate rwdrv.sys driver enables execution of the malicious hlpdrv.sys driver, though the exact mechanism remains unclear.

Detection and response

GuidePoint has developed a comprehensive YARA rule to detect the malicious hlpdrv.sys driver based on its PE structure, imports, and associated strings. The rule validates specific characteristics including section layouts, import functions from ntoskrnl.exe, and unique artifact strings.

The report provides critical Indicators of Compromise (IOCs), including file paths typically found in \Users\[REDACTED]\AppData\Local\Temp\ and service registrations under the names "mgdsrv" and "KMHLPSVC".

Mitigation tips

SonicWall has issued specific hardening recommendations for organizations using their VPN solutions:

* Disable SSLVPN services where operationally feasible.
* Restrict SSLVPN connectivity to trusted source IP addresses only.
* Enable comprehensive security features including Botnet protection and Geo-IP filtering.
* Enforce multi-factor authentication (MFA) for all VPN access.
* Remove unused accounts and maintain strict password hygiene practices.

This campaign highlights Akira's evolution toward more sophisticated anti-detection techniques, moving beyond simple encryption to actively disabling endpoint security solutions. The consistent use of these drivers across multiple incident response cases makes them high-fidelity indicators for both proactive threat hunting and forensic analysis.

The report emphasizes that defenders should prioritize log review and YARA rule deployment to identify pre-ransomware activity, potentially enabling intervention before full system compromise occurs.

Hackers Bypassed Microsoft Defender to Deploy Ransomware on PCs #AkiraRansomware #GuidePointSecurity #MicrosoftDefender

0 0 0 0
Preview
Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware strikes again. This time, it has abused an Intel CPU tuning driver to stop Microsoft Defender in attacks from EDRs and security tools active on target devices.

Windows Defender turned off for attacks

The exploited driver is called “rwdrv.sys” (used by ThrottleStop), which the hackers list as a service that allows them to gain kernel-level access. The driver is probably used to deploy an additional driver called “hlpdrv.sys,” a hostile tool that modifies Windows Defender to shut down its safety features.

'Bring your own vulnerable driver' attack

Experts have termed the attack “Bring Your Own Vulnerable Driver” (BYOVD), where hackers use genuine logged-in drivers that have known bugs that can be exploited to get privilege escalation. The driver is later used to deploy a hostile tool that turns off Microsoft Defender. According to the experts, the additional driver hlpdrv.sys is “similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.” The malware achieves this by executing regedit.exe.

Discovery of the Akira ransomware attack

The technique was observed by GuidePoint Security, which noticed repeated exploitation of the rwdrv.sys driver in Akira ransomware attacks. The experts flagged this tactic due to its ubiquity in the latest Akira ransomware incidents. “This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” the report said.

To assist security experts in stopping these attacks, GuidePoint Security has offered a YARA rule for hlpdrv.sys and complete indicators of compromise (IoCs) for the two drivers, as well as their file paths and service names.

SonicWall VPN attack

Akira ransomware was also recently associated with SonicWall VPN attacks. The threat actor used an unknown bug. According to GuidePoint Security, it could not debunk or verify the abuse of a zero-day flaw in SonicWall VPNs by the Akira ransomware gang. Addressing the reports, SonicWall has advised customers to turn off SSLVPN, use two-factor authentication (2FA), remove inactive accounts, and enable Botnet/Geo-IP safety. The DFIR Report has also released a study of the Akira ransomware incidents, revealing the use of the Bumblebee malware loader deployed through trojanized MSI installers of IT software tools.

Akira ransomware turns off Windows Defender to install malware on Windows devices #AI #AkiraRansomware #Bugs

0 1 0 0
Preview
Possible Zero-Day Exploit in SonicWall SSL VPN Linked to Akira Ransomware Surge

Cybersecurity researchers are warning that SonicWall SSL VPN devices may be affected by a possible zero-day vulnerability currently being exploited by Akira ransomware operators. In mid-July 2025, Arctic Wolf Labs detected a spike in suspicious logins through SonicWall SSL VPN endpoints. Notably, some compromised devices were fully patched, leading researchers to suspect the presence of an undiscovered flaw. However, they also acknowledged the possibility that attackers had obtained valid credentials from another source.

Regardless of the entry method, targeted organizations soon fell victim to Akira ransomware. "A short interval was observed between initial SSL VPN account access and ransomware encryption," Arctic Wolf researchers noted. They further explained that, unlike legitimate VPN logins that usually come from consumer ISP networks, ransomware operators often rely on Virtual Private Server (VPS) hosting for authentication in compromised systems.

Until SonicWall issues a patch or clarifies the situation, experts advise businesses to implement multi-factor authentication (MFA), remove inactive firewall accounts, and ensure all passwords are strong, unique, and regularly updated.

Akira, which first appeared in March 2023, has attacked organizations across various industries, exploiting stolen VPN credentials and exposed services to infiltrate systems. The group targets both Windows and Linux environments, often deleting backups to prevent recovery. By mid-2025, Akira had claimed hundreds of victims worldwide, including Stanford University, Nissan Australia, and Tietoevry. Communications with victims are typically directed through a Tor-based website. The FBI and CISA have previously warned about Akira’s operations, urging companies to bolster defenses and enforce MFA.

In an official statement, SonicWall confirmed to TechRadar: "SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability. As always, we will communicate openly with our partners and customers as the investigation progresses. If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible. As a precaution, we strongly urge customers and partners using Gen 7 firewalls to take immediate mitigation steps:

* Disable SSLVPN services where practical - the additional mitigations below should be taken in all cases, including where disabling SSLVPN is not practical for the customer.
* Limit SSLVPN connectivity to trusted source IPs.
* Ensure Security Services (e.g., Botnet Protection, Geo-IP Filter) are enabled.
* Remove unused or inactive firewall user accounts.
* Promote strong password hygiene.
* Enforce Multi-Factor Authentication (MFA) for all remote access (MFA enforcement alone may not protect against the activity under investigation)."

Possible Zero-Day Exploit in SonicWall SSL VPN Linked to Akira Ransomware Surge #AkiraRansomware #cybersecuritythreat #SonicWallSSLVPN

0 0 0 0
Preview
SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks

Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security.

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in their advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials from firewall migrations.

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July.

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly.

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption.

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential.

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks #AkiraRansomware #BusinessSecurity #CyberAttacks

0 0 0 0
Preview
Akira Ransomware Wave Targets SonicWall Firewall Devices

Cybersecurity firms report a late-July surge of Akira ransomware intrusions against SonicWall firewall devices, with evidence pointing to attackers entering via SonicWall SSL VPN connections and rapidly moving to encrypt data shortly after gaining access.

While a previously unknown vulnerability is considered highly plausible, researchers have not ruled out credential-based entry methods such as brute force, dictionary attacks, or credential stuffing. Given the uncertainty, defenders are advised to temporarily disable SonicWall SSL VPN, enhance logging and endpoint monitoring, and block VPN authentications from hosting providers until patches or clearer guidance are available.

Arctic Wolf detected these SonicWall-linked VPN intrusions beginning July 15, noting that malicious logins have a history dating back to at least October 2024, and that attackers often authenticate from virtual private server infrastructure rather than consumer ISPs. Huntress corroborated Arctic Wolf’s findings and shared indicators of compromise, while additional community discussion appeared on Reddit. The campaign highlights a rapid transition from initial VPN access to encryption, consistent with recent Akira activity patterns.

Additionally, SonicWall urged customers to patch SMA 100 appliances for a separate critical flaw (CVE-2025-40599) that could allow remote code execution if an attacker already has admin rights. Although there was no evidence that CVE-2025-40599 was being exploited, Google’s Threat Intelligence Group reported adversaries using compromised credentials to deploy a new OVERSTEP rootkit on these devices. SonicWall advised SMA 100 customers to check GTIG’s IOCs, scrutinize logs for suspicious access, and contact support if compromise is suspected.

Akira, active since March 2023, has claimed more than 300 victims on its leak site, including high-profile organizations, and the FBI estimated over $42 million in ransom payments from more than 250 victims as of April 2024. With the current SonicWall-focused wave still under investigation, security teams are urged to harden remote access, enable detailed monitoring, and be prepared for rapid containment if suspicious VPN activity is detected.

Akira Ransomware Wave Targets SonicWall Firewall Devices #AkiraRansomware #ArcticWolf #SecurityBreach

0 0 0 0
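Both the Arctic Wolf post (possible zero-day) and the post just above make the same point for defenders: legitimate SSL VPN logins usually come from consumer ISP space, while the observed ransomware logins came from VPS hosting, and the advice is to block or at least scrutinize VPN authentications from hosting providers. The script below is an added example, not Arctic Wolf's, Huntress's or SonicWall's code. It triages constructed SSL VPN authentication log lines (the line format, the sample addresses, the hosting-provider CIDR list and the per-account baseline are all assumptions; a real deployment would take the hosting ranges from an ASN or ISP enrichment source and the baseline from historical successful logins) and flags three things: a success from hosting address space, a success from a source network the account has never used, and one source address authenticating as several accounts.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample SSL VPN auth log (not real SonicWall output; hypothetical format):
# "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2025-07-15T02:11:04Z jdoe 198.51.100.23 success
2025-07-15T08:30:12Z jdoe 203.0.113.77 success
2025-07-15T02:12:40Z svc_backup 198.51.100.23 success
2025-07-15T02:13:02Z svc_backup 198.51.100.23 success
2025-07-14T19:05:51Z msmith 192.0.2.10 failure
"""

# Constructed, illustrative block standing in for hosting-provider (VPS) address space.
# Replace with ranges from the ASN/ISP data source you actually trust.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed baseline: /24 networks each account has historically logged in from.
BASELINE = {"jdoe": {"203.0.113.0/24"}, "msmith": {"192.0.2.0/24"}}


def parse_log(text):
    """Parse the four-column sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "src": ipaddress.ip_address(src),
            "result": result,
        })
    return events


def is_hosting(ip):
    """True if the address falls inside any known hosting-provider range."""
    return any(ip in net for net in HOSTING_RANGES)


def source_network(ip):
    """Coarsen an address to its /24 so baselines survive normal ISP churn."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def shared_sources(events):
    """Source addresses that successfully authenticated as more than one account."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            users_by_src[str(ev["src"])].add(ev["user"])
    return {src: users for src, users in users_by_src.items() if len(users) > 1}


def triage(text):
    """Return every successful login that trips at least one rule, with its flags."""
    events = parse_log(text)
    shared = shared_sources(events)
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failures are noisy; this pass is about who got in
        flags = []
        if is_hosting(ev["src"]):
            flags.append("login_from_hosting_range")
        if source_network(ev["src"]) not in BASELINE.get(ev["user"], set()):
            flags.append("new_source_network")
        if str(ev["src"]) in shared:
            flags.append("shared_source_multiple_accounts")
        if flags:
            findings.append({"time": ev["time"].isoformat(), "user": ev["user"],
                             "src": str(ev["src"]), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['src']}: {', '.join(f['flags'])}")
```

The shared-source rule is what turns a single odd login into a triage priority: a service account and a user account authenticating from the same hosting address within minutes is the pattern the posts describe as preceding encryption, and it is cheap to compute from logs the firewall already produces.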