TRENDING TOPICS AUGUST 07, 2025

Update: Akira Ransomware Campaign Exploits Known SonicWall Vulnerability and Misconfigured Migrations 

New evidence has clarified that the recent surge in Akira ransomware attacks targeting SonicWall Gen 7 firewalls is not due to a zero-day exploit as initially feared. Instead, SonicWall has confirmed that the intrusion activity is strongly correlated with CVE-2024-40766, a previously disclosed and patched vulnerability affecting SonicOS 7.0.1-5035 and earlier. Although some of the impacted environments were fully patched and had MFA enabled, the root cause in many cases appears to be misconfiguration during migrations from Gen 6 to Gen 7 devices. Specifically, legacy local user credentials were retained during these transitions instead of being reset as recommended, creating a persistent security gap that attackers have been able to exploit. The campaign, which began around July 15, 2025, has involved fewer than 40 confirmed breaches to date; however, attackers have moved quickly from initial access to full compromise. The Akira affiliates rely on legacy credentials, often in environments with misapplied MFA, to gain VPN access and then deploy persistence mechanisms, including Cloudflared tunnels, SSH, and remote monitoring tools. Huntress and GuidePoint Security have observed roughly 20 incidents with overlapping TTPs, and both firms have released IOCs for detection. SonicWall is urging all customers to upgrade to SonicOS 7.3.0, which includes mitigations for brute-force and MFA-bypass attempts, enforces password complexity, resets local user accounts with VPN access, and enables protections including Geo-IP filtering and botnet defenses. Misconfigurations introduced during Gen 6-to-Gen 7 migrations have become the primary weakness exploited in these attacks, underscoring the operational risks associated with incomplete hardening after system upgrades. 

Hackers Use Zoom and Teams Traffic to Hide Activity Post-Compromise 

A newly discovered technique, known as "Ghost Calls," enables attackers to secretly control infected machines by blending their malicious traffic into the standard data flow of popular video conferencing platforms, including Zoom and Microsoft Teams. The method works by exploiting TURN (Traversal Using Relays around NAT) servers, which are typically used by these platforms to help users connect across firewalls during video calls. When someone joins a meeting, the conferencing app provides temporary connection credentials. Attackers can intercept or hijack these credentials and use them to set up encrypted communication channels between themselves and the compromised system. This technique only works after an initial compromise, as it requires the attacker to already have control of the device in order to abuse the synchronization server and extract credentials or certificates. To demonstrate this method, researchers from Praetorian built a tool called TURNt that uses the Ghost Calls technique. TURNt has two components: a Controller, which runs on the attacker’s system, and a Relay, which is deployed on the infected device. Together, they create a private tunnel over the TURN protocol that mimics legitimate video traffic. This tunnel supports a range of attacker-controlled actions, including port forwarding, data theft, remote desktop control, and command execution, all of which occur in real time and are hidden within encrypted traffic. What makes this tactic more dangerous is that it doesn’t require exploiting any software vulnerabilities. Instead, it abuses the expected behavior of video conferencing platforms, making it difficult for existing security tools to recognize or block.
As enterprise environments continue to rely heavily on platforms such as Zoom and Teams, defenders should begin monitoring for abnormal patterns involving TURN servers, auditing access logs from conferencing platforms, and reviewing any unexplained encrypted traffic that mimics video call behavior. 
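The monitoring suggestion above turns on being able to tell what a TURN session looks like on the wire. The following script is an added example written for this page; it is not Praetorian's TURNt or any conferencing vendor's code. It parses STUN/TURN headers (RFC 5389 message types, RFC 5766 methods and ChannelData frames) from captured UDP payloads, tallies Allocate, Refresh and ChannelBind requests per client/relay pair, and applies a constructed heuristic: a relay session that stays alive far longer than any meeting, or moves far more data than a call would, gets flagged. The relay hostname, host names and all packets in `sample_capture()` are constructed; the 4-hour and 50 MB thresholds are assumptions to tune against your own conferencing baseline.

```python
"""Classify STUN/TURN messages from captured UDP payloads and summarise relay
use per (client, relay) pair. Added defender-side example; it is not the
Praetorian TURNt tool or any conferencing vendor's code. Hostnames and the
packets in sample_capture() are constructed for this illustration."""
import struct
from collections import defaultdict

STUN_MAGIC_COOKIE = 0x2112A442
ATTR_LIFETIME = 0x000D  # TURN LIFETIME attribute, uint32 seconds
# STUN Binding (RFC 5389) and TURN methods (RFC 5766).
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}


def decode_message_type(msg_type):
    """Split the 14-bit type into (method, class): bits 0-3, 5-7 and 9-13
    carry the method, bits 4 and 8 carry the class."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return method, cls


def build_stun(method, cls, attrs=()):
    """Encode a STUN message; used here only to construct sample packets."""
    msg_type = ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
                | ((cls & 1) << 4) | ((cls & 2) << 7))
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + b"\x11" * 12 + body


def parse_stun(payload):
    """Return a dict for a STUN message or TURN ChannelData frame, else None."""
    if len(payload) < 4:
        return None
    if payload[0] & 0xC0 == 0x40:  # ChannelData frame: top two bits are 01
        channel, length = struct.unpack("!HH", payload[:4])
        return {"kind": "channel-data", "channel": channel, "length": length}
    if len(payload) < 20 or payload[0] & 0xC0:  # STUN header: top two bits are 00
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE or len(payload) < 20 + length:
        return None
    method, cls = decode_message_type(msg_type)
    attrs, offset = {}, 20
    while offset + 4 <= 20 + length:  # TLV attributes, values padded to 4 bytes
        atype, alen = struct.unpack("!HH", payload[offset:offset + 4])
        attrs[atype] = payload[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)
    life = attrs.get(ATTR_LIFETIME)
    return {"kind": "stun", "method": METHODS.get(method, f"unknown-0x{method:03x}"),
            "class": CLASSES[cls], "transaction_id": payload[8:20].hex(),
            "lifetime": struct.unpack("!I", life)[0] if life and len(life) == 4 else None}


def summarise(packets):
    """packets: iterable of (seconds, src, dst, payload). Returns per-flow stats."""
    flows = defaultdict(lambda: {"first": None, "last": None, "allocations": 0, "refreshes": 0,
                                 "channel_binds": 0, "channel_bytes": 0, "max_lifetime": 0})
    for ts, src, dst, payload in packets:
        msg = parse_stun(payload)
        if msg is None:
            continue
        f = flows[(src, dst)]
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
        if msg["kind"] == "channel-data":
            f["channel_bytes"] += msg["length"]
        elif msg["class"] == "request":
            key = {"Allocate": "allocations", "Refresh": "refreshes",
                   "ChannelBind": "channel_binds"}.get(msg["method"])
            if key:
                f[key] += 1
            if msg["lifetime"] is not None:
                f["max_lifetime"] = max(f["max_lifetime"], msg["lifetime"])
    return dict(flows)


def flag_suspicious(flows, max_session_seconds=4 * 3600, max_channel_bytes=50_000_000):
    """Constructed heuristic: a relay session that outlives any plausible meeting,
    or moves far more data than a call would, is worth a look."""
    hits = []
    for key, f in flows.items():
        reasons, span = [], f["last"] - f["first"]
        if f["allocations"] and span > max_session_seconds:
            reasons.append(f"relay session alive for {span / 3600:.1f} h")
        if f["channel_bytes"] > max_channel_bytes:
            reasons.append(f"{f['channel_bytes'] / 1e6:.0f} MB of ChannelData")
        if reasons:
            hits.append((key, reasons))
    return hits


def sample_capture():
    """Constructed traffic: HOST-A holds a 40-minute call; HOST-B keeps the same
    protocol shape going for nine hours, the footprint a relay tunnel would leave."""
    relay, lt = "turn.example.invalid", [(ATTR_LIFETIME, struct.pack("!I", 600))]
    pkts = [(0, "HOST-A", relay, build_stun(0x003, 0, lt)),
            (1, relay, "HOST-A", build_stun(0x003, 2, lt)),
            (0, "HOST-B", relay, build_stun(0x003, 0, lt))]
    for t in range(300, 2700, 300):
        pkts.append((t, "HOST-A", relay, build_stun(0x004, 0, lt)))
        pkts.append((t, "HOST-A", relay, struct.pack("!HH", 0x4000, 1200) + b"\x00" * 1200))
    for t in range(300, 9 * 3600, 300):
        pkts.append((t, "HOST-B", relay, build_stun(0x004, 0, lt)))
        pkts.append((t, "HOST-B", relay, struct.pack("!HH", 0x4001, 60000) + b"\x00" * 60000))
    return pkts


if __name__ == "__main__":
    for (src, dst), reasons in flag_suspicious(summarise(sample_capture())):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

Fed real captures, `summarise()` gives you a per-host view of who is allocating relays and for how long; the allocation and refresh cadence is the same for a legitimate call and for a tunnel, so the signal is in duration, volume and whether the host was actually in a meeting at the time, which is why the page pairs this with auditing the conferencing platform's own access logs.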

New Attack Bypasses Authentication in Hybrid Active Directory Environments 

A new attack method is putting organizations at risk by exploiting the integration of traditional Active Directory (AD) environments with Microsoft’s cloud-based Entra ID. Many enterprises use Microsoft Entra Connect in its default configuration to synchronize user accounts and credentials from on-premises AD to the cloud. Researchers at Outsider Security revealed that if an attacker compromises the server running Entra Connect—typically via credential theft or lateral movement—they can extract the sync service’s certificate and private key. With these, they can forge authentication tokens accepted by Entra ID, enabling them to impersonate any user, including administrators, without needing credentials or triggering multifactor authentication or conditional access policies. This attack does not require specific software vulnerabilities or misconfiguration and can be executed against any environment using standard hybrid identity setups. Once inside, attackers can escalate privileges, impersonate users, and access Microsoft 365 services using these forged tokens. They can also abuse Exchange Online to obtain service-to-service (S2S) tokens that grant full mailbox access without generating logs and remain valid for 24 hours. Through the Graph API, attackers can disable security enforcement, insert persistent backdoor credentials, or inject attacker-controlled keys into SSO, thereby enabling long-term access that persists even after key rotations. While Microsoft has addressed parts of this attack chain by revoking excessive Graph API permissions and tightening soft match behavior, complete protection depends on isolating hybrid Exchange and Entra services, which will only become mandatory in October 2025. Until then, any organization using Entra Connect without hardened identity controls remains vulnerable.
Defenders should audit sync servers for certificate exports, enforce hardware-backed key storage, monitor Graph API activity, and enable detailed logging on all hybrid authentication flows. 

Update: Ransomware Operators Use Vulnerable Drivers to Disable Defenses 

Since late 2024, ransomware groups have widely adopted Bring Your Own Vulnerable Driver (BYOVD) techniques to disable antivirus and EDR systems before launching encryption payloads. One of the most commonly abused drivers is ThrottleStop[.]sys, a legitimate Intel performance tuning tool. Threat actors rename it (rwdrv[.]sys or ThrottleBlood[.]sys) and load it using expired or stolen code-signing certificates to bypass driver protections. Once loaded, the driver allows direct access to system memory and kernel functions. Attackers pair it with a secondary payload, often named All[.]exe or AVKiller, which injects malicious code into the Windows kernel and targets security processes for termination. These tools maintain stability by restoring system code after execution to avoid crashes or alerts. AV/EDR killers are often packed with HeartCrypt to evade static detection and use spoofed drivers, including mraml[.]sys or noedt[.]sys, to impersonate legitimate software, further helping them avoid detection by EDR tools. This activity is strictly post-compromise; attackers already have access to the system when these tools are deployed, usually by exploiting weak or stolen credentials or known vulnerabilities. Once inside, they move laterally, create admin accounts, and upload the AV killer and ransomware to inconspicuous directories, including user music or picture folders. The malware then cycles through running processes, using Windows system calls to kill any services on its hardcoded list of antivirus and EDR services. It targets vendors including Microsoft, Kaspersky, Sophos, Bitdefender, and CrowdStrike. These techniques have been observed in real-world campaigns linked to ransomware groups, including Akira, Medusa, INC, RansomHub, Qilin, and others, across victims in Brazil, Ukraine, Belarus, Kazakhstan, the U.S., and Russia.
Because most AV-killing occurs silently at the kernel level, traditional endpoint tools without strong self-protection are often disabled before encryption starts. To reduce exposure, organizations should enforce Microsoft’s driver blocklist using HVCI or WDAC, restrict RDP access, remove unused local accounts, and deploy endpoint solutions that can resist kernel-level tampering and detect unsigned or suspicious driver activity.
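The item above makes two detection points worth turning into logic: a renamed driver keeps the hash of the original vulnerable binary, so hash-based blocking (which is how the Microsoft driver blocklist works) catches it where filename matching does not, and a driver loaded with an expired certificate or from a user profile folder is anomalous in itself. The script below is an added example written for this page; it is not Sysmon, Microsoft or any EDR vendor's code. It triages Sysmon Event ID 6 (Driver loaded) message bodies for those indicators. Every SHA-256 value and all four events are constructed placeholders; in practice the hash set is populated from Microsoft's recommended driver block rules or a threat-intel feed, and the filenames are the ones this page reports.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for BYOVD indicators.
Added defender-side example, not Sysmon, Microsoft or any EDR vendor's code.
The events and every SHA-256 value below are constructed; real hashes for
blocklisted drivers come from Microsoft's recommended driver block rules or a
threat-intel feed, never from this file."""
import re

# Constructed placeholder standing in for the hash of the vulnerable
# ThrottleStop.sys build. Populate from the Microsoft driver blocklist in practice.
KNOWN_VULNERABLE_HASHES = {"SHA256=" + "aa" * 32: "ThrottleStop.sys (placeholder hash)"}

# Renamed copies and decoy names reported in the campaign.
SUSPICIOUS_NAMES = {"rwdrv.sys", "throttleblood.sys", "mraml.sys", "noedt.sys"}

USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)


def parse_sysmon_driver_event(text):
    """Turn the 'Key: value' lines of a Sysmon EID 6 message into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage_driver_load(event):
    """Return the reasons this driver load deserves attention (empty list if none).
    The hash check comes first because renaming the file does not change it."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    for h in (x.strip() for x in event.get("Hashes", "").split(",")):
        if h in KNOWN_VULNERABLE_HASHES:
            reasons.append(f"hash matches known-vulnerable {KNOWN_VULNERABLE_HASHES[h]}, loaded as {name}")
    if name in SUSPICIOUS_NAMES:
        reasons.append(f"filename {name} matches a reported rename or decoy")
    signed, status = event.get("Signed", "").lower(), event.get("SignatureStatus", "")
    if signed == "false":
        reasons.append("unsigned driver")
    elif status != "Valid":
        reasons.append(f"signature status {status!r} (expired or revoked certificate)")
    if USER_PROFILE.match(image):
        reasons.append("driver image under a user profile directory")
    return reasons


def triage_all(messages):
    """messages: raw Sysmon EID 6 message bodies. Returns [(ImageLoaded, reasons)] for hits."""
    hits = []
    for text in messages:
        ev = parse_sysmon_driver_event(text)
        reasons = triage_driver_load(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded"), reasons))
    return hits


def _event(image, sha256, signed, signature, status):
    """Build a constructed Sysmon EID 6 message body in the real field layout."""
    return ("Driver loaded:\nRuleName: -\nUtcTime: 2025-08-06 10:01:02.123\n"
            f"ImageLoaded: {image}\nHashes: SHA256={sha256}\nSigned: {signed}\n"
            f"Signature: {signature}\nSignatureStatus: {status}")


SAMPLE_EVENTS = [
    # Benign: Microsoft-signed, valid, expected location.
    _event(r"C:\Windows\System32\drivers\tcpip.sys", "11" * 32, "true", "Microsoft Windows", "Valid"),
    # Vulnerable build renamed and loaded with an expired certificate.
    _event(r"C:\Windows\System32\drivers\rwdrv.sys", "aa" * 32, "true", "Placeholder Tuning Vendor", "Expired"),
    # Decoy name dropped in a user's Music folder.
    _event(r"C:\Users\alice\Music\noedt.sys", "22" * 32, "true", "Placeholder Publisher", "Valid"),
    # Same vulnerable build under an unremarkable name with a valid signature: only the hash catches it.
    _event(r"C:\Windows\System32\drivers\tsdrv64.sys", "aa" * 32, "true", "Placeholder Tuning Vendor", "Valid"),
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The fourth sample is the case that matters: a valid signature, a system path and an unremarkable name leave the hash as the only indicator, which is the argument for enforcing the blocklist through HVCI or WDAC rather than relying on name-based alerts after the fact.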

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.