Ransomware spike tied to suspected SonicWall zero‑day exploitation
Summary: Researchers report a marked uptick in Akira ransomware intrusions coinciding with mass exploitation of a suspected zero‑day in certain SonicWall edge devices. Attackers use the resulting perimeter access to establish a foothold, move inward under the identities of legitimate VPN users, and deploy double‑extortion payloads. Indicators include unusual management interface probing, anomalous VPN session creation, and rapid deployment of credential access tooling. Organizations with exposed SonicWall services should immediately remove the management plane from the internet, update to the latest firmware, and hunt for post‑exploitation artifacts in VPN session records, SSL‑VPN bookmark and portal configuration, and appliance audit logs.
Threat overview and targeting
Security teams observed coordinated intrusions targeting SonicWall appliances that led to Akira ransomware deployment. The activity pattern suggests adversaries are exploiting an authentication or management‑plane weakness to gain administrative control, then abusing VPN features to move laterally and stage encryption operations.
Likely attack chain
- Initial access via suspected zero‑day on the appliance management or authentication surface, yielding administrative or root‑level control.
- Establishment of persistence by creating rogue admin accounts, modifying VPN bookmarks or portal pages, and planting webshell‑like handlers where applicable.
- Credential harvesting from connected directory services and reuse across Windows domains via SMB, RDP, or remote management channels.
- Lateral movement and staging using commodity tools (e.g., PsExec‑style remote execution) followed by data exfiltration to actor‑controlled infrastructure.
- Ransomware execution with service tampering and shadow copy deletion, culminating in double‑extortion pressure.
Forensic and telemetry clues
- Unexpected access to the SonicWall admin interface from atypical IPs or geographies, especially outside maintenance windows.
- New VPN accounts, altered MFA enforcement, or unexplained VPN policy/bookmark changes.
- Spikes in SSL‑VPN logins followed by Kerberos failures and then successful authentications from new endpoints.
- Creation of domain admin‑level sessions shortly after device management events, suggesting credential reuse.
- Rapid file rename and encrypt operations on file servers with concurrent command execution from a limited set of jump hosts.
Mitigation and hardening actions
- Immediately remove the management plane from public exposure; restrict access to allowlisted admin networks and enforce MFA. Treat MFA on the appliance as defense in depth only: if the exploited weakness sits in the authentication or session‑handling path, MFA is not a substitute for removing exposure and patching.
- Apply the latest SonicWall firmware and hotfixes; monitor vendor advisories for patches that address authentication or session handling.
- Rotate privileged credentials integrated with the appliance (LDAP/AD binds, local admins), and invalidate all active VPN tokens and sessions.
- Audit for unauthorized admin users, altered VPN objects, and file integrity changes on the device filesystem.
- Implement network segmentation for VPN user pools; require device posture checks before granting access to sensitive network zones.
- Hunt for execution of living‑off‑the‑land binaries (WMIC, PowerShell, PsExec‑like tools) and for anomalous backup or shadow copy deletion.
Detection engineering tips
- Create alerts for SonicWall admin logins from new ASNs, new countries, or outside standard hours.
- Correlate VPN session creation with domain authentication sequences and subsequent lateral movement events.
- Detect mass file modifications producing high‑entropy output, combined with disablement of security services within a short interval.
- Baseline normal VPN bookmark and portal configuration changes; alert on any deviation.
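As an added example (not from the original report and not SonicWall tooling), the first two detection rules above, together with the telemetry clues listed earlier, can be prototyped against a syslog export before being turned into SIEM rules. The firewall lines below are constructed in a simplified key=value style; the field names (`time`, `msg`, `usr`, `src`), the message wording, the allowlisted admin network, the maintenance window and the Windows event list are all assumptions:

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: allowlisted admin networks and a local maintenance window.
ADMIN_NETS = [ip_network("10.10.0.0/24")]
MAINT_HOURS = range(8, 18)
# Appliance messages treated as persistence/config changes after an admin login (assumed wording).
CONFIG_CHANGES = {"User added", "VPN policy modified", "SSL VPN bookmark modified"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS = "%Y-%m-%d %H:%M:%S"

# Constructed firewall syslog sample in a simplified key=value style.
FW_LOG = """
time="2025-07-28 09:05:02" fw=203.0.113.10 msg="Administrator login allowed" usr=admin src=10.10.0.5
time="2025-07-28 03:12:41" fw=203.0.113.10 msg="Administrator login allowed" usr=admin src=198.51.100.77
time="2025-07-28 03:14:10" fw=203.0.113.10 msg="User added" usr=svc_backup src=198.51.100.77
time="2025-07-28 03:20:33" fw=203.0.113.10 msg="SSL VPN user login" usr=jsmith src=198.51.100.77
time="2025-07-28 03:21:05" fw=203.0.113.10 msg="SSL VPN user login" usr=mjones src=198.51.100.77
"""

def _ad(ts, event, user, host):
    return {"ts": datetime.strptime(ts, TS), "event": event, "user": user, "host": host}

# Constructed domain controller events: 4771 = Kerberos pre-auth failed, 4624 = successful logon.
AD_EVENTS = [
    _ad("2025-07-28 03:22:10", 4771, "jsmith", "10.20.5.9"),
    _ad("2025-07-28 03:22:14", 4771, "jsmith", "10.20.5.9"),
    _ad("2025-07-28 03:23:01", 4624, "jsmith", "10.20.5.9"),
    _ad("2025-07-28 09:10:00", 4624, "bwhite", "10.20.5.20"),
]

def parse_fw(text):
    """Parse key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = {k: v.strip('"') for k, v in KV.findall(line)}
        ev["ts"] = datetime.strptime(ev["time"], TS)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def suspicious_admin_logins(events, follow=timedelta(hours=1)):
    """Admin logins from outside the allowlist or outside maintenance hours,
    plus any config change from the same source within `follow`
    (rogue accounts and VPN object edits are the persistence step)."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("msg") != "Administrator login allowed":
            continue
        src = ip_address(ev["src"])
        reasons = []
        if not any(src in net for net in ADMIN_NETS):
            reasons.append("source not in admin allowlist")
        if ev["ts"].hour not in MAINT_HOURS:
            reasons.append("outside maintenance window")
        if not reasons:
            continue
        changes = [e["msg"] for e in events[i + 1:]
                   if e.get("src") == ev["src"] and e["ts"] - ev["ts"] <= follow
                   and e.get("msg") in CONFIG_CHANGES]
        findings.append({"usr": ev["usr"], "src": ev["src"], "ts": ev["ts"],
                         "reasons": reasons, "changes": changes})
    return findings

def vpn_kerberos_chain(fw_events, ad_events, window=timedelta(minutes=10)):
    """For each SSL-VPN login, look for Kerberos pre-auth failures followed by a
    successful logon for the same user within `window`: the credential-reuse
    pattern listed under the forensic clues."""
    hits = []
    for ev in fw_events:
        if ev.get("msg") != "SSL VPN user login":
            continue
        later = [a for a in ad_events
                 if a["user"] == ev["usr"] and ev["ts"] <= a["ts"] <= ev["ts"] + window]
        fails = [a for a in later if a["event"] == 4771]
        wins = [a for a in later if a["event"] == 4624 and fails and a["ts"] > fails[-1]["ts"]]
        if fails and wins:
            hits.append({"usr": ev["usr"], "vpn_src": ev["src"],
                         "failures": len(fails), "logon_host": wins[0]["host"]})
    return hits

if __name__ == "__main__":
    fw = parse_fw(FW_LOG)
    for f in suspicious_admin_logins(fw):
        print("ADMIN", f)
    for h in vpn_kerberos_chain(fw, AD_EVENTS):
        print("VPN->AD", h)
```

Against the sample, only the 03:12 admin login is reported (untrusted source, outside the window, followed by a new user account), and only jsmith shows the VPN login, two pre‑auth failures, then a successful logon from a new host. In production the admin allowlist and hours come from your change calendar, and the Windows events from the domain controllers' security log rather than an inline list.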
Incident response considerations
- Treat the edge device as untrusted until rebuilt; consider full firmware reimage and configuration re‑provisioning from a known‑good baseline.
- Assume credential theft; perform staged credential rotations prioritizing service accounts and privileged identities.
- Use packet captures and NetFlow around the device to identify data exfiltration channels and C2 infrastructure.
SharePoint flaw under active exploitation linked to ransomware extortion attempts
Summary: Multiple organizations report intrusions initiated through a widely exploited SharePoint vulnerability, followed by data theft and ransom demands. Post‑compromise activity includes webshell deployment on vulnerable SharePoint servers, rapid account enumeration, and use of native Windows tooling for privilege escalation and exfiltration staging. Admins should prioritize patching, scan for residual webshells, and validate both Microsoft 365 and on‑prem identity hygiene, since the hybrid trust between on‑prem Active Directory and the cloud tenant is frequently abused after a server compromise.
Exploitation pattern
Attackers send crafted HTTP requests to vulnerable SharePoint endpoints to achieve remote code execution. Successful exploitation typically drops small, obfuscated ASPX webshells into writable paths under the web root, giving persistent command execution in the context of the IIS worker process (w3wp.exe) and its application pool identity.
Post‑exploitation techniques
- Local privilege escalation to SYSTEM on the SharePoint host using known Windows escalation primitives.
- Credential dumping from LSASS and SharePoint service accounts, enabling lateral domain compromise.
- Discovery of file shares and SharePoint content databases to identify exfiltration targets.
- Data staging to temporary directories and exfiltration over HTTPS using curl or certutil‑style transfers.
- Subsequent ransom notes delivered via email and on compromised web portals.
What to patch and verify
- Apply the latest cumulative updates for SharePoint Server across all farm nodes and front‑ends.
- Disable legacy authentication paths and enforce Conditional Access for administrative roles.
- Review IIS logs for anomalous POSTs to .aspx endpoints, especially with unusual user agents and high‑frequency access.
- Scan webroots and temp paths for webshell indicators, including small files with randomized names and minimal code footprint.
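An added example (not part of the original advisory, and not SharePoint or Microsoft tooling) showing the last two checks above as a script: triage of an IIS W3C log for .aspx POSTs from non‑browser clients and from bursty sources, and a heuristic scan for small ASPX files containing process‑execution or request‑parameter patterns. The log lines, the file contents, the user‑agent rule, the name heuristic and the scoring thresholds are constructed assumptions, and the paths are illustrative rather than indicators tied to any specific CVE:

```python
import re
from collections import Counter
from pathlib import Path

# Constructed IIS W3C log excerpt (paths and addresses are illustrative, not IoCs).
IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 08:01:12 10.0.0.5 GET /sites/finance/Forms/AllItems.aspx - 443 CORP\jsmith 10.0.4.21 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200
2025-07-19 08:03:44 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 198.51.100.23 python-requests/2.32 200
2025-07-19 08:03:45 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 198.51.100.23 python-requests/2.32 200
2025-07-19 08:03:46 10.0.0.5 POST /_layouts/15/x7g2k.aspx c=whoami 443 - 198.51.100.23 python-requests/2.32 200
2025-07-19 08:10:03 10.0.0.5 POST /sites/finance/_layouts/15/Upload.aspx - 443 CORP\mjones 10.0.4.30 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 200
"""

BROWSER_UA = re.compile(r"^Mozilla/")
# Heuristic patterns seen in minimal ASPX webshells (assumption, not a signature set).
SHELL_PATTERNS = {
    "process_exec": re.compile(rb"Process\.Start|ProcessStartInfo", re.I),
    "dynamic_code": re.compile(rb"Assembly\.Load|CompileAssemblyFromSource|\beval\(", re.I),
    "request_param": re.compile(rb"Request(\[|\.Form|\.QueryString|\.Headers)", re.I),
    "server_script": re.compile(rb"<script[^>]+runat=\"?server", re.I),
}
# Short alphanumeric names mixing letters and digits, e.g. x7g2k.aspx (assumption).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{4,8}\.(aspx|ashx|asmx)$", re.I)

def parse_iis(text):
    """Parse a W3C log using its own #Fields header."""
    fields, rows = [], []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def suspicious_aspx_posts(rows, burst=3):
    """POSTs to .aspx from non-browser user agents, plus any source that
    POSTs to .aspx at least `burst` times in the excerpt."""
    findings, per_ip = [], Counter()
    for r in rows:
        if r["cs-method"] != "POST" or not r["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        per_ip[r["c-ip"]] += 1
        if not BROWSER_UA.match(r["cs(User-Agent)"]):
            findings.append({"c-ip": r["c-ip"], "uri": r["cs-uri-stem"],
                             "ua": r["cs(User-Agent)"], "reason": "non-browser UA"})
    for ip, n in per_ip.items():
        if n >= burst:
            findings.append({"c-ip": ip, "uri": "*", "ua": "", "reason": f"{n} aspx POSTs in excerpt"})
    return findings

def webshell_reasons(name, data, max_size=4096):
    reasons = []
    if len(data) <= max_size:
        reasons.append("small file")
    if RANDOM_NAME.match(name):
        reasons.append("randomized name")
    reasons += [label for label, pat in SHELL_PATTERNS.items() if pat.search(data)]
    return reasons

def scan_files(files):
    """files: {path: bytes}. A file is reported when it matches at least one
    code pattern and collects three or more reasons in total."""
    hits = {}
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
            continue
        reasons = webshell_reasons(name, data)
        if any(r in SHELL_PATTERNS for r in reasons) and len(reasons) >= 3:
            hits[path] = reasons
    return hits

def scan_webroot(root):
    """Same scan over a real directory tree (run this on the SharePoint front-end)."""
    return scan_files({str(f): f.read_bytes() for f in Path(root).rglob("*") if f.is_file()})

# Constructed file contents standing in for a web root.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\15\x7g2k.aspx":
        b'<%@ Page Language="C#" %><script runat="server">void Page_Load(object s, EventArgs e){'
        b'System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]);}</script>',
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\default.aspx":
        b'<%@ Page Language="C#" %>' + b"<!-- ordinary page markup -->" * 300,
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\15\Upload.aspx":
        b'<%@ Page Language="C#" %><% if (Request.Files.Count > 0) { /* handle upload */ } %>' + b" " * 5000,
}

if __name__ == "__main__":
    for f in suspicious_aspx_posts(parse_iis(IIS_LOG)):
        print("IIS", f)
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print("SHELL", path, reasons)
```

The file scan deliberately requires a code pattern plus corroborating signals (size, name) so that legitimate small pages are not reported on name alone; tune `max_size` and the name regex to what your farm actually ships, and compare any hit against the package manifest before deleting it.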
Detection guidance
- Alert on w3wp.exe spawning scripting engines, compilers, or command interpreters on SharePoint servers (powershell.exe, cmd.exe, csc.exe, msbuild.exe).
- Correlate anomalous service account logins with file access spikes on document libraries and SMB shares.
- Employ YARA or content scanning for common webshell code patterns in ASP.NET files.
Recovery and hardening
- Remove any unauthorized modules and re‑deploy clean application packages.
- Rotate service account passwords and reissue certificates used by the SharePoint farm.
- Enable just‑enough admin for SharePoint and monitor privileged sessions with session recording where possible.
Fake Microsoft OAuth apps used for M365 account takeover via MFA phishing
Summary: Threat actors are deploying malicious OAuth applications impersonating services such as RingCentral and SharePoint to trick users into granting high‑privilege API scopes. Because the victim signs in legitimately and then consents, the technique needs no stolen password and is unaffected by MFA. Campaigns rely on consent phishing delivered through email and crafted tenant branding to gain persistent access to mailboxes, files, and Teams chats. Immediate steps include tightening app consent policies, requiring publisher verification, and reviewing tenant‑wide OAuth grants.
Tactics and social engineering
Adversaries send emails prompting users to authorize an app that appears legitimate. The consent screen requests scopes such as Mail.ReadWrite, Files.ReadWrite.All, and offline_access. Once granted, attackers obtain refresh tokens that persist beyond password changes and can programmatically access data via Microsoft Graph.
Kill chain and persistence
- Phishing email or in‑app notification directs users to Azure AD consent URL with a malicious app ID.
- User grants consent, issuing access and refresh tokens tied to the app’s service principal.
- Actor harvests tokens and automates mailbox and file access, sets hidden inbox rules, and exfiltrates data.
- Persistence maintained via long‑lived refresh tokens and re‑consent prompts if policies allow user consent.
Defensive configurations
- Disable user consent to apps or restrict to verified publishers with admin approval workflows.
- Enable Conditional Access for OAuth app access, requiring compliant devices and monitored locations.
- Turn on app consent grant alerts and review risky OAuth applications in the portal.
- Implement token protection features and continuous access evaluation where available.
Detection and response
- Alert on creation of new service principals and risky OAuth grants with high‑impact scopes.
- Hunt for anomalous Graph API usage, large message enumeration, and hidden mail rules on VIP accounts.
- On compromise, revoke app permissions, invalidate refresh tokens, and rotate secrets/certificates for impacted apps.
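An added example (not from the original report and not Microsoft tooling) of the review step above and of the kill chain described earlier: it pulls the requested scopes out of a consent URL of the kind the phishing email links to, then scores consent events for high‑impact scopes, offline_access, unverified publishers and brand‑lookalike names. The event records use a constructed, simplified shape rather than the real Entra ID audit log schema, and the scope list, brand list, client ID and threshold are assumptions:

```python
from urllib.parse import urlparse, parse_qs

# Graph scopes the campaign requests plus common high-impact companions (assumption).
HIGH_IMPACT = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All", "Files.Read.All",
               "MailboxSettings.ReadWrite", "Sites.ReadWrite.All", "Directory.AccessAsUser.All"}
PERSISTENCE = {"offline_access"}
# Brands the text says are impersonated, plus Microsoft itself (assumption).
LOOKALIKE_BRANDS = ("ringcentral", "sharepoint", "microsoft", "office 365")

# Constructed consent URL of the kind a phishing email links to (client_id is made up).
CONSENT_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=11111111-aaaa-4bbb-8ccc-dddddddddddd&response_type=code"
               "&redirect_uri=https%3A%2F%2Fcallback.example%2Fcb"
               "&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20"
               "https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All%20offline_access%20openid")

def scopes_from_consent_url(url):
    """Return (client_id, scopes) from an authorize URL, stripping the Graph resource prefix."""
    q = parse_qs(urlparse(url).query)
    scopes = {item.rsplit("/", 1)[-1] for s in q.get("scope", []) for item in s.split()}
    return q.get("client_id", [None])[0], scopes

def score_grant(ev):
    """Count the risk signals on one consent event; each reason is one point."""
    scopes = set(ev["scopes"])
    reasons = []
    hi = scopes & HIGH_IMPACT
    if hi:
        reasons.append("high-impact scopes: " + ", ".join(sorted(hi)))
    if scopes & PERSISTENCE:
        reasons.append("offline_access: refresh token survives a password change")
    verified = ev.get("publisher_verified", False)
    if not verified:
        reasons.append("publisher not verified")
    name = ev["app_display_name"].lower()
    if not verified and any(b in name for b in LOOKALIKE_BRANDS):
        reasons.append("brand-lookalike name from unverified publisher")
    if ev.get("consent_type") == "User" and (hi or scopes & PERSISTENCE):
        reasons.append("end-user consent to privileged scopes")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Events at or above `threshold` points, highest score first."""
    out = []
    for ev in events:
        score, reasons = score_grant(ev)
        if score >= threshold:
            out.append({"app_id": ev["app_id"], "app": ev["app_display_name"],
                        "user": ev.get("user"), "score": score, "reasons": reasons})
    return sorted(out, key=lambda x: -x["score"])

def grant_from_url(url, app_display_name, publisher_verified=False, user=None):
    """Turn a consent URL into the same event shape so a reported link can be scored before anyone clicks."""
    client_id, scopes = scopes_from_consent_url(url)
    return {"app_id": client_id, "app_display_name": app_display_name,
            "publisher_verified": publisher_verified, "consent_type": "User",
            "user": user, "scopes": sorted(scopes)}

# Constructed, simplified consent events (not the real Entra ID audit log schema).
SAMPLE_EVENTS = [
    {"app_id": "11111111-aaaa-4bbb-8ccc-dddddddddddd", "app_display_name": "RingCentral Voicemail",
     "publisher_verified": False, "consent_type": "User", "user": "alice@corp.example",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access", "User.Read"]},
    {"app_id": "22222222-bbbb-4ccc-8ddd-eeeeeeeeeeee", "app_display_name": "Contoso Expense Bot",
     "publisher_verified": True, "consent_type": "Admin", "user": "admin@corp.example",
     "scopes": ["User.Read", "offline_access"]},
    {"app_id": "33333333-cccc-4ddd-8eee-ffffffffffff", "app_display_name": "Sharepoint Document Sync",
     "publisher_verified": False, "consent_type": "User", "user": "bob@corp.example",
     "scopes": ["User.Read", "openid", "profile"]},
]

if __name__ == "__main__":
    print(scopes_from_consent_url(CONSENT_URL))
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
    print(score_grant(grant_from_url(CONSENT_URL, "RingCentral", user="alice@corp.example")))
```

Only the first sample event clears the threshold; the verified admin‑consented app with offline_access alone does not, and the lookalike name with only basic sign‑in scopes is surfaced at a lower score for manual review rather than alerted on. Once an app is confirmed malicious, the response order in the list above still applies: remove the grant, revoke the refresh tokens, then check mailboxes for hidden rules.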
User awareness focus
Educate users to scrutinize app consent prompts, especially when scopes include organization‑wide read/write or offline access. Reinforce that MFA does not protect against malicious consent to a rogue app requesting broad permissions.
INC Ransom claims data theft tied to legacy assets of 99 Cents Only
Summary: The INC Ransom group posted that it exfiltrated approximately 1.2 TB of data it associated with Dollar Tree; however, the data is reportedly tied to assets from the shuttered 99 Cents Only chain acquired during bankruptcy proceedings. The incident underscores risk concentration in post‑bankruptcy asset transfers, where inherited endpoints, leases, and IT remnants can harbor unmaintained systems and exposed data.
Context and asset lineage
Following the closure of 99 Cents Only stores, portions of its leases, IP, and equipment transitioned to a different operator. Legacy IT artifacts, backups, or unmanaged endpoints may have persisted outside of centralized controls, providing an opportunistic target for data theft and extortion.
Threat actor narrative and leverage
INC Ransom leveraged brand confusion to maximize pressure, attributing the breach to the acquiring company despite the data originating from the legacy environment. Such tactics aim to expedite payment by threatening disclosure of employee information and internal documents.
Risk management for M&A and bankruptcy scenarios
- Conduct pre‑acquisition technical due diligence, including external attack surface mapping and credential exposure audits.
- Isolate and reimage inherited devices; decommission unneeded infrastructure and sanitize storage assets before redeployment.
- Review historical backup sets, third‑party SaaS tenants, and identity providers for orphaned accounts and excessive privileges.
- Establish clear public communication separating legacy incidents from current operations to reduce extortion leverage.
Detection and legal considerations
- Monitor for access attempts against legacy domains and VPNs; set traps using honey credentials to detect probing.
- Coordinate with counsel on data ownership, breach notification triggers, and contractual obligations tied to acquired assets.
DOJ settles with Illumina over alleged sale of systems with known vulnerabilities
Summary: The U.S. Department of Justice reached a $9.8 million settlement resolving allegations that a genomics vendor sold sequencing systems to federal agencies while aware of unresolved software vulnerabilities. The case highlights federal procurement expectations around secure development lifecycle, vulnerability remediation timelines, and attestation accuracy for products used in sensitive environments.
Allegations and compliance themes
Authorities alleged the company provided systems with security flaws and insufficient disclosure or remediation, raising False Claims Act considerations when vendors certify compliance with security requirements. The settlement emphasizes the materiality of cybersecurity posture to purchasing decisions in federal contexts.
Implications for suppliers of cyber‑physical systems
- Maintain documented secure development lifecycle practices and timely patch management, especially for embedded/medical‑adjacent devices.
- Ensure vulnerability disclosure transparency to customers and agencies, including interim mitigations and upgrade paths.
- Align attestations with reality; inaccuracies in SBOMs, patch status, or control coverage can create enforcement risk.
Buyer due diligence checkpoints
- Request detailed vulnerability remediation histories and end‑of‑support timelines.
- Validate device isolation requirements, logging capabilities, and remote support access controls before deployment.
Palo Alto Networks to acquire CyberArk in a landmark identity security deal
Summary: A proposed $25 billion acquisition would combine a leading network and cloud security portfolio with a top privileged access and identity security platform. The move reflects the centrality of identity in both offensive tradecraft and defensive architecture, and signals consolidation around end‑to‑end identity threat detection, PAM, secrets management, and just‑in‑time access.
Strategic rationale
Identity has become the dominant control plane as attackers exploit credential theft and session hijacking to bypass perimeter defenses. Integrating privileged access, machine identity security, and cloud entitlement analytics with network and endpoint telemetry enables unified policy and response.
Customer impact and integration considerations
- Potential for native integrations between PAM vaulting, EPM, and network policy enforcement to contain lateral movement.
- Convergence of human and machine identity governance, including secrets rotation for service principals and CI/CD pipelines.
- Short‑term overlap across product lines may require careful roadmap clarity to avoid control gaps during migration.
Market implications
The deal intensifies competition among platforms seeking to unify SIEM, XDR, SSE, and identity. It may trigger further consolidation as vendors broaden coverage of identity threat detection and response.
Scattered Spider adapts playbook amid ecosystem shifts
Summary: Information‑sharing groups warn that Scattered Spider adversaries continue to refine social engineering and identity compromise techniques, including deepfake‑assisted voice vishing, SIM swap workflows, and help‑desk manipulation. Despite turbulence from law enforcement actions against other gangs, the group retains experienced affiliates and rapidly pivots tooling to sustain high‑impact intrusions.
Tradecraft updates
- Use of synthetic voice to impersonate executives in calls to support desks, coercing MFA resets and enrollment changes.
- Targeting of identity providers with conditional access gaps, exploiting legacy protocols and weak enrollment verification.
- Rapid adoption of new initial access brokers and turnkey infostealers to replenish credentials.
Defensive countermeasures
- Out‑of‑band identity verification for help‑desk actions impacting MFA or password resets.
- Blocking legacy authentication, enforcing number‑matching MFA, and restricting enrollment to managed devices.
- Real‑time monitoring for SIM swap indicators and sudden device change events on privileged accounts.
CISA’s JCDC faces staffing challenges as contracts lapse
Summary: The Joint Cyber Defense Collaborative reportedly experienced significant personnel attrition, compounding broader resource headwinds at the agency. Reduced staffing could slow joint advisories, incident coordination tempo, and cross‑sector engagement during periods of heightened threat activity, placing more burden on ISACs and private responders.
Operational impact
Fewer analysts and liaisons may elongate response cycles for large‑scale vulnerabilities and campaigns, and reduce capacity for proactive hunting or technical guidance. Private sector partners may need to fill gaps with bilateral sharing and ad hoc trust groups to sustain information flow.
Mitigation for stakeholders
- Strengthen sector ISAC participation and automate indicator sharing via STIX/TAXII to reduce manual overhead.
- Develop internal playbooks that do not assume immediate federal surge support for incident coordination.
- Invest in cross‑company exercises to validate mutual aid mechanisms during critical patching windows.