A recent wave of ransomware attacks targeting SonicWall firewall devices may be related to a zero-day vulnerability in the products, according to researchers.
Anomalous firewall activity that began on July 15 and involved VPN access through SonicWall SSL VPNs morphed into intrusions the following week, researchers at Arctic Wolf said.
“This appears to be affecting SonicOS devices from what we’ve seen so far,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Cybersecurity Dive. “Our investigation is still preliminary, so I’m not able to offer much more detail yet.”
Hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs, according to the researchers.
Similar activity occurred in 2024 when hackers targeted a SonicWall vulnerability tracked as CVE-2024-40766.
Arctic Wolf said it could not rule out brute-force attacks or credential stuffing, although it said it had seen several cases in which the hackers compromised fully patched SonicWall devices whose owners had rotated their credentials. The researchers have also seen hackers breach systems that used multifactor authentication.
The researchers shared their findings with SonicWall and are working to provide updated information.
“We have observed a small uptick in reported cases over the last 48 hours of cyber incidents where SSLVPN is enabled, including recent activity reported by the Arctic Wolf threat research team,” a spokesperson for SonicWall told Cybersecurity Dive. “We are investigating these cases to determine if they are related to a previously-disclosed or new SonicWall vulnerability, and we will continue cooperating with threat research teams and our partners and customers as our investigation progresses.”
(Updates with comment from SonicWall)