Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients

Update, September 18: MySonicWall Breach Update - Immediate Action Required

SonicWall confirmed on September 17, 2025 that attackers accessed firewall configuration backup files in MySonicWall accounts, exposing credentials and network details that could accelerate the ransomware attacks we’ve been tracking.

Check your MySonicWall.com account immediately; any affected serial numbers will show notification banners. If flagged, follow SonicWall’s credential reset guidance across all 7 categories they’ve outlined, starting with core authentication systems.

This breach amplifies the risks from the Akira and Sinobi campaigns discussed below. Even if unaffected, use this as your catalyst to implement comprehensive security hardening.

We’re monitoring the situation and will update as needed.

Update, September 15:

Over the past few months, the Akira and Sinobi ransomware groups have carried out sophisticated attack campaigns targeting SonicWall SSL VPNs and other firewall VPNs at significant scale. This continued wave of attacks and their specific attack techniques demonstrate why a layered security approach across prevention, detection, and response is essential.

The Threat

Akira and Sinobi ransomware groups are key players in the evolution of cybercrime as attackers adapt to defender capabilities, now focusing on data theft and extortion (DTE) attacks. These attacks differ from traditional ransomware attacks in that adversaries first work to access victim environments and identify information that is sensitive and would be damaging to the victim if leaked. Notably, they then extract and steal this information before deploying ransomware as a mechanism to extort and pressure victims to pay.

This continued shift towards DTE demands that cyber defenders adapt their own defenses: restrict access and movement within environments, increase observability across system, cloud, identity, and network ecosystems, and work to prevent data exfiltration in addition to the system disruption caused by ransomware encryption.

To support this adaptation, we unpack how specific Todyl Platform capabilities can protect against each stage of these observed attacks and the evolving attack techniques of Akira and Sinobi:

Prevention: Reducing Your Attack Surface

SASE Static IPs and Conditional Access

Lock down firewall administrative interfaces using Todyl SASE's static IP egress capabilities. By restricting admin access to only come from known Todyl SASE exit points, you eliminate the ability for external threat actors to brute force credentials or to use stolen credentials from arbitrary internet locations. Combine this with conditional access policies that verify device identity, user authentication, and geographic location before allowing administrative connections. Todyl also strongly encourages leveraging MFA with O365 identity integrations to further strengthen security postures.

Secure Cloud and SaaS Application Access

Lock down IaaS and PaaS environments such as AWS, Microsoft Entra, and Google Cloud to only authorized systems and IP ranges, using Todyl SASE and Static IPs. This additional protection secures access to sensitive data that may be held within those ecosystems. Additionally, enumerate and secure access to key business applications, such as O365, CRMs, Gsuite, Github, SAP, etc., using Todyl SASE’s Static IP to further secure these applications from unauthorized access.

Zero Trust Network Access (ZTNA)

Replace traditional VPN connections with identity-based access control. Even if credentials are compromised, ZTNA ensures attackers can only access specifically authorized resources based on user identity and device posture—not broad network segments.

Application Blocklisting via EDR

Define unauthorized or unused applications such as unauthorized remote management tools, file sharing solutions, and other legitimate applications that could be used to exfiltrate data or enable backdoor access to environments. Akira and Sinobi both leverage legitimate RMM, file sharing, and other solutions to maintain persistence and support data exfiltration. Preventing installation and use of these also reduces risk across ecosystems.

Least Privilege of Shared Accounts

A common tactic is for the threat actor to leverage compromised credentials in LDAP to enumerate other devices within a network, helping them identify where to spread laterally. Ensure that you follow password best practices by not reusing the same passwords across your admin accounts, and consider using dedicated administrator and service accounts, each limited to the privileged rights and access required for a specific application or function. Leverage Todyl’s SASE NGFW rules to apply Role Based Access Control across key administrators, service accounts, and user groups. These rules can also include restrictions to only use allowed ports, protocols, and services, limiting lateral movement and environment enumeration or pivoting throughout a potentially compromised environment.

Apply Network Segmentation: Leverage LAN Zero Trust to microsegment the network, thereby limiting the potential for lateral movement or malware propagation. By restricting network connectivity between devices and network segments, crown jewel systems holding sensitive information can be proactively isolated and protected from access, further securing any desirable or sensitive information that may live on them.

Detection: Rapid Threat and Risk Identification

Integrated SIEM Analytics and Correlation

Todyl SIEM's detection rules automatically correlate authentication logs with endpoint and network activity. Additionally, SIEM ensures full observability across environments to include network, cloud, identity, and other key integration points to identify potential compromise of data or systems not managed or covered by the firewall VPN. This helps identify successful credential compromises faster, detecting patterns like:

  • Multiple failed authentication attempts followed by successful login
  • Administrative access from unusual geographic locations or devices
  • Rapid enumeration of network resources post-authentication
  • Shifts in technology environment indicative of threat actors installing their own tools
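To make the first two patterns in that list concrete, the following is an added example (not Todyl SIEM rule syntax, and not SonicWall log output) that runs two detections over constructed, syslog-style VPN authentication lines: a burst of failed logins followed by a success from the same source, and a successful administrative login from a geography outside an allowlist. The log format, the user names, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed log format for the example; real SSL VPN syslog fields differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<event>auth_fail|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

# Constructed sample events (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOGS = """\
2025-09-15T08:00:01Z vpn auth_fail user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:00:03Z vpn auth_fail user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:00:05Z vpn auth_fail user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:00:08Z vpn auth_fail user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:00:11Z vpn auth_fail user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:00:14Z vpn auth_ok user=jsmith src=203.0.113.10 geo=US
2025-09-15T08:15:00Z vpn auth_ok user=admin src=198.51.100.7 geo=RU
2025-09-15T09:00:00Z vpn auth_fail user=mlee src=192.0.2.44 geo=US
2025-09-15T09:30:00Z vpn auth_ok user=mlee src=192.0.2.44 geo=US
2025-09-15T10:00:00Z vpn auth_ok user=admin src=192.0.2.9 geo=US
"""


def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= min_failures failures from the
    same (user, source IP) pair inside the sliding window."""
    findings = []
    recent = {}  # (user, src) -> timestamps of failures still inside the window
    for e in events:
        key = (e["user"], e["src"])
        fails = recent.setdefault(key, [])
        fails[:] = [t for t in fails if e["ts"] - t <= window]  # expire old failures
        if e["event"] == "auth_fail":
            fails.append(e["ts"])
        elif len(fails) >= min_failures:
            findings.append({"rule": "bruteforce_then_success", "user": e["user"],
                             "src": e["src"], "failures": len(fails), "at": e["ts"]})
            fails.clear()  # do not re-alert on the same burst
    return findings


def detect_admin_unusual_geo(events, admin_users, allowed_geos):
    """Flag successful logins by privileged accounts from non-allowlisted geographies."""
    return [{"rule": "admin_unusual_geo", "user": e["user"], "src": e["src"],
             "geo": e["geo"], "at": e["ts"]}
            for e in events
            if e["event"] == "auth_ok" and e["user"] in admin_users
            and e["geo"] not in allowed_geos]


def run_detections(text, admin_users=frozenset({"admin"}), allowed_geos=frozenset({"US"})):
    """Run both rules over raw log text and return the combined findings."""
    events = parse_events(text)
    return (detect_bruteforce_then_success(events)
            + detect_admin_unusual_geo(events, admin_users, allowed_geos))


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOGS):
        print(finding)
```

On the sample data the first rule fires once for jsmith (five failures, then a success from the same address within the window) and the second fires once for the admin login from outside the allowlist; mlee's single failure and the admin login from an allowed geography produce nothing. Tune the failure threshold and window to the environment, and treat the geography allowlist as a starting point rather than a source of truth.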

Behavioral Analytics Across the Kill Chain

ML-driven detection identifies the rapid reconnaissance and lateral movement patterns characteristic of these ransomware groups. The platform correlates activities across endpoints, network traffic, and cloud applications to detect attack progression even when individual actions appear benign.

Response: Automated Containment

SOAR Automated Response Playbooks

Deploy pre-configured playbooks that automatically execute containment actions when specific threat indicators are detected:

  • Immediately disable compromised user accounts
  • Isolate affected endpoints from network resources
  • Block suspicious file transfers or data exfiltration attempts
  • Escalate critical incidents to the MXDR team

LAN Zero Trust Lateral Movement Prevention

LAN Zero Trust operates as a software-defined firewall on each device, denying all inter-device communications by default unless explicitly permitted by policy. When properly configured, this architecture fundamentally prevents the lateral movement that ransomware groups depend on. Even if attackers compromise one endpoint through credentials, they cannot automatically spread to other systems—each connection attempt is evaluated against specific allow rules rather than relying on traditional network trust assumptions.
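As an added illustration of the default-deny model described above and of the port/protocol-restricted NGFW rules discussed under least privilege (this is example code, not LAN Zero Trust's or Todyl's policy format), the following evaluates a small first-match allowlist with CIDR matching and a default deny, then checks that a compromised workstation cannot reach other workstations or open management ports on servers. It also includes a simple audit that flags rules broad enough to undermine the default deny. The subnets, hosts and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp" or "udp"
    port: int    # destination port
    action: str  # "allow" or "deny"


# Constructed policy: workstations may reach the file server on SMB only, and only the
# jump host may reach servers on SSH/RDP. Anything not listed falls through to deny.
WORKSTATIONS, SERVERS, FILE_SERVER, JUMP_HOST = "10.10.0.0/24", "10.20.0.0/24", "10.20.0.5/32", "10.30.0.2/32"
POLICY = [
    Rule(WORKSTATIONS, FILE_SERVER, "tcp", 445, "allow"),
    Rule(JUMP_HOST, SERVERS, "tcp", 22, "allow"),
    Rule(JUMP_HOST, SERVERS, "tcp", 3389, "allow"),
]


def evaluate(policy, src, dst, proto, port):
    """First matching rule wins; with no match the connection is denied by default."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and rule.proto == proto and rule.port == port):
            return rule.action, rule
    return "deny", None


def lateral_movement_blocked(policy, compromised_host="10.10.0.7"):
    """Return True if a compromised workstation is held to its allowed path only:
    SMB to the file server is permitted, but workstation-to-workstation SMB and
    RDP/SSH to servers are all denied."""
    allowed = evaluate(policy, compromised_host, "10.20.0.5", "tcp", 445)[0] == "allow"
    peer_smb = evaluate(policy, compromised_host, "10.10.0.8", "tcp", 445)[0]
    server_rdp = evaluate(policy, compromised_host, "10.20.0.9", "tcp", 3389)[0]
    server_ssh = evaluate(policy, compromised_host, "10.20.0.9", "tcp", 22)[0]
    return allowed and peer_smb == server_rdp == server_ssh == "deny"


def find_overbroad_rules(policy, min_prefix=16):
    """Audit helper: allow rules whose source or destination is wider than a /min_prefix
    re-create the broad network trust the default deny is meant to remove."""
    return [r for r in policy if r.action == "allow"
            and (ip_network(r.src).prefixlen < min_prefix
                 or ip_network(r.dst).prefixlen < min_prefix)]


if __name__ == "__main__":
    print("lateral movement blocked:", lateral_movement_blocked(POLICY))
    print("overbroad rules:", find_overbroad_rules(POLICY))
```

The audit matters because a single "any to any" allow silently turns a microsegmented policy back into a flat network; reviewing allow rules for breadth is a cheap check to run whenever the policy changes.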

24x7 MXDR Expert Response

Todyl MXDR provides immediate expert analysis and response guidance. When indicators of compromise or attack are detected, dedicated analysts investigate the full scope of compromise and provide specific remediation steps—critical given the speed at which these ransomware groups operate.

Integrated Platform Advantage

The key differentiator is how these capabilities work together through a single agent and management interface. When a compromise occurs, the integrated platform can:

  1. Prevent attacks by reducing attack surface area with SASE’s identity integration
  2. Immediately contain the threat through automated SOAR responses
  3. Prevent lateral movement using LAN Zero Trust microsegmentation
  4. Control data access through SASE conditional access policies that verify user and device identity before allowing access to sensitive resources
  5. Provide full visibility into attack progression across all security telemetry, including anomaly detections to identify shifts in IT ops software
  6. Enable rapid response with expert MXDR guidance and pre-built remediation playbooks

This integrated approach transforms what would typically be a successful ransomware deployment into a contained security incident with minimal business impact.

SonicWall SSL Vulnerability

Over the past few days, the cybersecurity community has been buzzing about a SonicWall vulnerability that ransomware groups, including Akira, have been actively exploiting. While initial reports suggested a zero-day threat affecting even fully patched systems, the situation has been clarified—but the risk remains very real.

What We Know Now

The threat centers around CVE-2024-40766, a known vulnerability that affects SonicWall Gen 6 to Gen 7 firewall migrations. The vulnerability occurs specifically when local user passwords were carried over during migration and not reset, potentially leading to unauthorized resource access and system crashes.

According to SonicWall's official guidance, this isn't the zero-day many initially feared, but it's still being actively exploited by threat actors who use it to establish initial access to victim environments.

Why This Matters for MSPs

The Akira ransomware group and others are opportunistic, focusing on financial gain rather than targeting specific organizations. This puts SMBs and mid-market companies—and the MSPs who serve them—at heightened risk, especially given the common use of SonicWall network security solutions in these markets.

Akira employs double extortion techniques, stealing sensitive data before deploying ransomware. This creates additional pressure on victims to pay—not just to unlock encrypted data, but to prevent the leak of confidential information.

The Broader Security Challenge

This incident highlights a critical blind spot: organizations that focus primarily on endpoint and backup-centric defenses often miss intrusion attempts, unauthorized system access, and data exfiltration happening at the network level.

When threat actors gain initial access through vulnerabilities like this one, they move quickly. The window between initial compromise and ransomware deployment is often measured in hours, not days.

How Todyl Helps Mitigate These Risks

Our platform is designed to address exactly these types of multi-vector attacks:

Immediate Detection and Response

  • Our MXDR team continuously monitors and hunts for threat actor activity specifically related to SonicWall vulnerabilities
  • Our teams are working around the clock to keep you and your clients safe
  • Detection Engineering and MXDR teams are prepared to update rules within the Todyl Platform as needed

Network-Level Protection

  • Todyl SASE can serve as an alternative VPN solution while SonicWall vulnerabilities are addressed
  • Conditional access policies restrict access to only protected devices
  • Network segmentation through LAN Zero Trust prevents lateral movement and ransomware spread

Comprehensive Visibility

  • SIEM integration provides unified visibility across all security tools and data sources
  • EDR/NGAV in prevent mode stops malicious activity before it can cause damage
  • Application blocklist policies prevent unauthorized remote access tools commonly used in attacks

Todyl's Mitigation Recommendations

Our Field CISO and Security teams recommend the following steps to mitigate the risks of initial access, data exfiltration, and ransomware deployment:

  1. Apply any recommended SonicWall remediation steps
  2. Enable MFA for locally managed SSL VPN accounts; this appears to be the primary initial vector for CVE-2024-40766
  3. Consider temporarily disabling SonicWall VPN services and enabling Todyl SASE as an always-on VPN until full root cause analysis and patching is complete
  4. Apply conditional access policies using Todyl SASE NGFW to restrict access to only Todyl protected devices
  5. Enforce MFA by policy for all users via Todyl SASE, especially for access to sensitive or mission-critical systems
  6. Restrict internal access via Todyl SASE to sensitive systems using least privilege principles
  7. Ensure EDR/NGAV policies are in Prevent mode and apply application blocklist policies for unapproved remote management tools
  8. Apply network segmentation through LAN Zero Trust to prevent lateral movement and ransomware spread
  9. Ensure Todyl SIEM ingests all available integration data, especially from systems that monitor or hold sensitive information
  10. Hunt for indicators of compromise or leverage Todyl MXDR for continuous monitoring and investigation
  11. Review incident response plans and ensure backups and disaster recovery plans are current and maintained

The Bottom Line

While this SonicWall vulnerability has been clarified and isn't the zero-day initially feared, it demonstrates why layered security and continuous monitoring are essential. Threat actors are constantly looking for ways to establish initial access, and they move fast once they're in.

The organizations that weather these storms best are those with comprehensive security platforms, proactive monitoring, and rapid response capabilities in place before an incident occurs.

Need Help?

If you have questions about this threat or want to discuss how Todyl can help protect your clients from these types of attacks, reach out to your Channel Account Manager. Our team is here to help you navigate these challenges and keep your clients secure.