SpearTip Security Bulletin: SonicWall VPN Infrastructure Targeted

SpearTip News, August 4, 2025

SpearTip is issuing this advisory based on recent threat intelligence and observed activity targeting SonicWall VPN infrastructure across multiple environments. We have identified network activity consistent with previously documented exploit techniques targeting SonicWall VPN services. Specifically, threat actors are conducting TLS-based interaction attempts originating from known malicious infrastructure. The observed patterns closely resemble behavior associated with earlier exploitation campaigns but may represent variations or developments in technique.

While the currently observed activity shares indicators with known exploitation methods, the possibility remains that this represents an emergent or modified vulnerability that has not yet been formally identified or disclosed. Notably, some observed logins appear to successfully bypass multi-factor authentication (MFA), allowing the threat actor to authenticate using valid credentials. In many cases, encryption of systems has occurred within hours of this initial access.

Key Observations

– Inbound SSL/TLS connection attempts originating from known malicious IP addresses (identified via public and private threat intelligence sources)

– Successful completion of TLS handshakes over port 443 with no clear corresponding legitimate user activity

– Repeated interactions from the same external infrastructure across distinct timeframes

– Evidence of MFA-bypassed logins followed by lateral movement to domain controllers

– Post-compromise activities include ransomware deployment and creation of persistent user accounts

– Encryption often occurs within hours of initial access

Recommendations

– Disable SonicWall VPN services until a patch or further guidance is released by SonicWall

– Monitor VPN gateway logs for anomalous or unexpected inbound traffic patterns

– Review and restrict access to management interfaces from external sources

– Implement GeoIP-based access control or IP allowlisting where feasible

– Immediately block the following known IOC IP addresses:


If indicators of similar activity are discovered, escalate immediately for investigation. SpearTip is available to assist with log review, forensic analysis, or incident response.
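As an added example, not part of SpearTip's bulletin or of any SonicWall tooling, the following Python sketch turns the Key Observations above into detection logic run over constructed gateway log lines: it flags blocklisted sources, logins that completed without MFA, TLS handshakes from outside the expected client ranges that never turn into a login, and the same external address returning on distinct days. The log line format, field names, blocklist entry and expected client ranges are all assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Hypothetical line format for this example, not SonicWall's real syslog schema:
#   <ISO-8601 time> <event> src=<ip> user=<name|-> mfa=<yes|no|->
LOG_RE = re.compile(r"^(\S+) (tls_handshake|vpn_login) src=(\S+) user=(\S+) mfa=(\S+)$")
# Placeholder blocklist (RFC 5737 address); load the advisory's published IOC list here.
BLOCKLIST = {"203.0.113.7"}
# Assumption: legitimate VPN clients are only expected from these source ranges.
EXPECTED_NETS = [ip_network("198.51.100.0/24")]

# Constructed sample gateway log lines using RFC 5737 documentation addresses.
SAMPLE_LOGS = """\
2025-08-01T09:02:11Z tls_handshake src=198.51.100.20 user=- mfa=-
2025-08-01T09:02:12Z vpn_login src=198.51.100.20 user=alice mfa=yes
2025-08-01T22:41:03Z tls_handshake src=192.0.2.55 user=- mfa=-
2025-08-02T03:15:40Z tls_handshake src=192.0.2.55 user=- mfa=-
2025-08-02T03:15:41Z vpn_login src=192.0.2.55 user=svc_backup mfa=no
2025-08-02T04:00:00Z tls_handshake src=203.0.113.7 user=- mfa=-
"""

def is_expected(src):
    return any(ip_address(src) in net for net in EXPECTED_NETS)

def analyse(log_text):
    """Return sorted (src_ip, reason) alerts matching the advisory's observations."""
    alerts = set()
    logins = set()                # external sources that completed a VPN login
    days_seen = defaultdict(set)  # external source -> distinct days with activity
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, event, src, user, mfa = m.groups()
        if src in BLOCKLIST:
            alerts.add((src, "blocklisted IOC address"))
        if is_expected(src):
            continue  # known client range: not an unexplained external handshake
        days_seen[src].add(ts[:10])
        if event == "vpn_login":
            logins.add(src)
            if mfa == "no":
                alerts.add((src, f"login without MFA as {user}"))
    for src, days in days_seen.items():
        if src not in logins:
            alerts.add((src, "TLS handshake with no corresponding login"))
        if len(days) > 1:
            alerts.add((src, "repeated contact across distinct days"))
    return sorted(alerts)
```

Any alert on a source that then appears in domain controller or account-creation logs should be escalated as described above rather than triaged as a routine VPN anomaly.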

Additional Context & Threat Intelligence

This advisory aligns with recent industry reporting highlighting an increase in SonicWall-targeted activity by the Akira ransomware group. Relevant threat intelligence includes:

– Arctic Wolf: https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

– BleepingComputer: https://www.bleepingcomputer.com/news/security/surge-of-akira-ransomware-attacks-hits-sonicwall-firewall-devices/

– Blackpoint Cyber: https://blackpointcyber.com/blog/blackpoint-threat-bulletin-sonicwall-firewall-appliances-targeted-by-threat-actors/

Contact SpearTip for any further assistance. We will continue monitoring developments and provide updates as new intelligence becomes available.