Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN


In late July 2025, Arctic Wolf observed an increase in ransomware activity in which SonicWall firewall devices were used for initial access. Multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs.

While credential access through brute force, dictionary attacks, or credential stuffing has not yet been definitively ruled out in all cases, the available evidence points to the existence of a zero-day vulnerability. In some instances, fully patched SonicWall devices were affected after credentials had been rotated, and accounts were still compromised despite TOTP MFA being enabled.
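Because the report's key observation is that neither credential rotation nor TOTP MFA stopped the VPN access, one practical hunt is to look for successful SSL VPN logins that occur after a rotation from source addresses the account never used before it. The script below is an added example for this page, not code from Arctic Wolf or SonicWall; the log line format is constructed for illustration and is not SonicWall's actual syslog schema, and the usernames, addresses and rotation timestamp are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSL VPN authentication events. This is a hypothetical
# format used only for the example; real SonicWall syslog fields differ.
SAMPLE_LOGS = """\
2025-07-20T08:02:11Z user=alice src=203.0.113.10 result=success
2025-07-21T08:05:42Z user=alice src=203.0.113.10 result=success
2025-07-22T09:11:03Z user=bob src=198.51.100.7 result=success
2025-07-23T17:30:00Z user=alice src=192.0.2.55 result=failure
2025-07-25T01:47:19Z user=alice src=192.0.2.55 result=success
2025-07-26T02:03:40Z user=alice src=192.0.2.55 result=success
2025-07-26T02:15:07Z user=bob src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "success",
        })
    return events


def flag_post_rotation_logins(events, rotated_at, baseline_days=30):
    """Return (user, src, timestamp) for successful logins at or after the
    credential rotation time whose source IP the account never used
    successfully during the baseline window before rotation.

    rotated_at may be a datetime or an ISO string ending in 'Z'.
    """
    if isinstance(rotated_at, str):
        rotated_at = datetime.strptime(rotated_at, "%Y-%m-%dT%H:%M:%SZ")
    baseline_start = rotated_at - timedelta(days=baseline_days)

    # Baseline: only successful logins count as "known" sources; a failed
    # attempt from a new IP before rotation must not whitelist that IP.
    known = defaultdict(set)
    for e in events:
        if e["ok"] and baseline_start <= e["ts"] < rotated_at:
            known[e["user"]].add(e["src"])

    findings = []
    for e in events:
        if e["ok"] and e["ts"] >= rotated_at and e["src"] not in known[e["user"]]:
            findings.append((e["user"], e["src"], e["ts"].isoformat()))
    return findings


def demo(rotated_at="2025-07-24T00:00:00Z"):
    """Run the hunt over the constructed sample with an assumed rotation time."""
    return flag_post_rotation_logins(parse(SAMPLE_LOGS), rotated_at)


if __name__ == "__main__":
    for user, src, ts in demo():
        print(f"post-rotation login from unseen source: {user} {src} {ts}")
```

On the sample, bob's post-rotation login comes from his baseline address and is not flagged, while alice's two logins from 192.0.2.55 are flagged because that address only appeared as a failure before rotation. In practice the same logic applies to whatever source, ASN or device-fingerprint field the VPN actually logs, and a hit warrants checking the device patch level and MFA enrolment rather than assuming rotation resolved the exposure.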

Source: Arctic Wolf



