New VPN Attack Warning — What You Need To Know

Forbes

3 days ago

Virtual Private Networks have been the subject of myriad news headlines recently after the U.K. government's Online Safety Act put in place age-verification requirements for sites with adult content. The humble VPN, often associated with advertising persuading users that it's something necessary to protect against hackers on trains, at airports and in coffee shops, but most commonly used to bypass geographic content streaming restrictions, is not just a consumer app. VPN appliances are used for grown-up, serious security purposes within enterprises around the globe. So, when researchers issue a warning of a potential VPN attack, it's not something that can be dismissed. Here's what you need to know.
VPN Security Has A History Of Compromise
Let's get the virtual elephant out of the private networking room before moving on to the latest VPN warning. A VPN app, far from being a security silver bullet, can actually just be an extension of your threat surface. How many examples would you like me to provide as evidence of this? I'll throw Google's warning about a backdoor bundled with a free VPN app into the ring for starters, or how about the FBI warning concerning Medusa ransomware compromising VPN credentials? One more? OK, the recent Katz Stealer warning as this threat also targeted VPN credentials.
The latest VPN security warning comes from Julian Tuin, a senior threat intelligence researcher at Arctic Wolf Labs, who has confirmed that 'an increase in ransomware activity targeting SonicWall firewall devices for initial access,' has been observed late in July. More specifically, Tuin said, 'multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs.'
While there can, and should, be questions asked as to whether these attacks could have occurred thanks to brute force or credential stuffing methods in at least some cases, Tuin warned that the 'available evidence points to the existence of a zero-day vulnerability.' Not least as some of the SonicWall devices were fully security patched and had also had credential rotation applied before the attacks took place. 'Despite TOTP MFA being enabled,' Tuin said, 'accounts were still compromised in some instances.'
I have reached out to SonicWall for a statement and will update this article in due course.
Mitigating The Potential For VPN Attack
Given that the Artic Wolf report revolves around a spike in attacks involving the Akira Ransomware group, known to have compromised more than 300 organizations and with some very high-profile names published to the hacker's data leak site listings, the threat should not be taken lightly. Throw in the fact that SonicWall only recently issued a warning regarding the CVE-2025-40599 vulnerability in SMA 100 appliances, which could see remote code execution if successful, and you would be foolish not to at least mitigate against the potential of attacks.
'Given the high likelihood of a zero-day vulnerability,' Tuin said, 'organizations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.'
Meanwhile, SonicWall has previously said that organizations should harden defenses, including security services such as botnet protection that can help detect those targeting SSL VPN endpoints, as well as enforcing multi-factor authentication.