F5 Threat Report - October 1st, 2025
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less
An aggressive Akira ransomware campaign, active since late July 2025, targets SonicWall firewalls through malicious SSL VPN logins, often bypassing One-Time Password (OTP) multi-factor authentication. The activity is linked to prior exploitation of CVE-2024-40766, an improper access control vulnerability affecting SonicOS versions 6 and 7. After gaining initial access, the threat actors rapidly scan the internal network with tools such as SoftPerfect Network Scanner and Advanced IP Scanner, and use the Impacket library for SMB activity and lateral movement via RDP. Active Directory enumeration is performed with built-in tools and specialized utilities such as SharpShares, NetExec, BloodHound, and ldapdomaindump. A key tactic is extracting Veeam Backup & Replication credentials from SQL or PostgreSQL databases with a custom PowerShell script that decrypts DPAPI secrets and temporarily modifies the PostgreSQL configuration. For persistence and command and control, the attackers create local and domain administrator accounts, install RMM tools such as AnyDesk, TeamViewer, and RustDesk, and establish SSH reverse tunnels or Cloudflare Tunnels using `cloudflared`. Defense evasion includes disabling legitimate RMM tools, deleting Volume Shadow Copies, disabling User Account Control, and attempting to disable EDR and Windows Defender. A Bring-Your-Own-Vulnerable-Driver (BYOVD) technique uses the Microsoft-signed `consent.exe` to load malicious DLLs (`wmsgapi.dll`, `msimg32.dll`) that deploy vulnerable drivers (`rwdrv.sys`, `churchill_driver.sys`) to tamper with Windows Access Control Lists and neutralize security software. Data is staged with WinRAR for archiving and exfiltrated with `rclone` or FileZilla to virtual private server infrastructure. Ransomware deployment, typically within four hours of initial access, uses executables such as `akira.exe` or `locker.exe` to encrypt drives and network shares.
To mitigate these threats, organizations should reset all SSL VPN and associated Active Directory credentials on SonicWall devices that ran vulnerable firmware, monitor for VPN logins originating from untrusted hosting infrastructure and anomalous Impacket SMB activity, block logins from non-business regions and VPS providers, and consider implementing SSO/SAML for VPN authentication and App Control for Business (WDAC) to restrict execution from untrusted paths and enforce kernel-mode code integrity.
Severity: Critical
Sources
- https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
- https://arcticwolf.com/resources/blog-uk/september-2025-update-on-aggressive-ongoing-akira-ransomware-campaign/
- https://blog.intellibron.io/static-analysis-of-akira-ransomware/
- https://buaq.net/go-366327.html
- https://cyberpress.org/akira-ransomware-3/
- https://cyberscoop.com/sonicwall-akira-ransomware-attacks-surge/
- https://gbhackers.com/sonicwall-firewalls/
- https://it.slashdot.org/story/25/09/27/2055246/escalation-in-akira-campaign-targeting-sonicwall-vpns-deploying-ransomware-with-malicious-logins?utm_source=rss1.0mainlinkanon&utm_medium=feed
- https://meterpreter.org/akira-ransomware-exploits-unpatched-sonicwall-flaws-are-you-at-risk/
- https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/
- https://www.bleepingcomputer.com/news/security/akira-ransomware-exploiting-critical-sonicwall-sslvpn-bug-again/
- https://www.helpnetsecurity.com/2025/09/11/akira-ransomware-sonicwall-firewalls/
- https://www.helpnetsecurity.com/2025/09/16/akira-ransomware-disable-edr/
- https://www.hendryadrian.com/akira-ransomware-exploits-sonicwall-vpn/
- https://www.hendryadrian.com/akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/
- https://www.scworld.com/news/sonicwall-ssl-vpns-still-under-attack-from-akira-ransomware-group
- https://www.securityweek.com/akira-ransomware-attacks-fuel-uptick-in-exploitation-of-sonicwall-flaw/
- https://www.securityweek.com/akira-ransomwares-exploitation-of-sonicwall-vulnerability-continues/
- https://www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/
- https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/
Threat Details and IOCs
Malware: | Akira, Akira v2, Akira_v2, CHILLYHELL, Fog, Impacket, Lost in the Fog, Malware Families Associated with Storm-1567, MATANBUCHUS, Megazord, OVERSTEP, Ransomware, REDBIKE, ZynorRAT |
CVEs: | CVE-2019-6693, CVE-2020-3259, CVE-2021-21972, CVE-2022-40684, CVE-2023-20263, CVE-2023-20269, CVE-2023-48788, CVE-2024-37085, CVE-2024-40711, CVE-2024-40766 |
Technologies: | Kaseya Datto RMM, Linux, Microsoft Access, Microsoft Entra ID, Microsoft Hyper-V, Microsoft Windows, Microsoft Windows Server, SonicWall Next-Generation Firewall, SonicWall SMA, SonicWall SonicOS, SonicWall SSL-VPN, SonicWall VPN, SQLite, Veeam Backup & Replication, VMware ESXi |
Threat Actors: | Akira, Conti, GoldSahara, Storm-1567, Storm1567, UNC5277, UNC5280, UNC6148, WIZARDSPIDER |
Attacker Countries: | China, Russia |
Attacker Domains: | akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion, akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion, download.anydesk.com |
Attacker URLs: | https://github.com/cloudflare/cloudflared/releases/download/2025.6.0/cloudflared-windows-amd64.exe, https://github.com/cloudflare/cloudflared/releases/download/2025.6.0/cloudflared-windows-amd64.msi, hxxp://download.anydesk.com/AnyDesk.exe |
Victim Industries: | Aerospace, Automotive, Business Services, Cloud Infrastructure, Construction, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Legal and Professional Services, Logistics, Managed Service Providers, Manufacturing, Professional, Scientific, and Technical Services, Professional Services, Real Estate, Retail, Technology Hardware, Telecommunications, Transportation |
Victim Countries: | Australia, Brazil, Canada, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Japan, Netherlands, New Zealand, Nigeria, Singapore, South Africa, Spain, Sweden, Turkey, United Arab Emirates, United Kingdom, United States, Uruguay |
Mitigation Advice
- Immediately reset passwords for all local user accounts on SonicWall firewalls configured for SSL VPN access.
- Immediately reset passwords for all Active Directory user and service accounts that are permitted to authenticate to the SonicWall SSL VPN or are used for LDAP synchronization.
- Create firewall rules to block all inbound and outbound traffic from the IP addresses and ASNs listed as malicious in the article's Indicators of Compromise table.
- Use your EDR solution to run a targeted threat hunt across all endpoints for the file names, file paths, and file hashes associated with the Akira ransomware campaign as listed in the article.
- Configure your network monitoring tools or SIEM to generate an alert for SMB session setup requests that match the signature of the Impacket library, particularly originating from the VPN client subnet.
- Review Veeam logs for signs of compromise, such as unauthorized access to the configuration database or the execution of the credential extraction PowerShell script detailed in the article.
Compliance Best Practices
- Initiate a project to migrate SonicWall SSL VPN authentication from local credentials and LDAP to a centralized identity provider using SSO/SAML.
- Use an application control solution like Windows Defender Application Control (WDAC) to create and enforce a policy that blocks known vulnerable drivers, including `rwdrv.sys` and `churchill_driver.sys`.
- Develop and deploy an application control policy to block the execution of unauthorized remote management and tunneling software, including AnyDesk, RustDesk, and Cloudflared.
- Harden the Veeam Backup & Replication server by placing it in a secure network segment, restricting administrative access, and applying strict access controls to the underlying SQL or PostgreSQL database.
- Analyze business requirements and implement geofencing policies on the firewall to block SSL VPN connections from countries and regions where there is no business need for access.
- Create a custom detection rule in your EDR or SIEM to alert on the execution of PowerShell commands containing `Set-MpPreference` with parameters aimed at disabling Windows Defender's security features.
- Design and implement a network segmentation strategy to isolate critical systems, such as domain controllers and backup servers, from general user subnets and the VPN client address pool.
- Implement an application control policy, such as with Windows Defender Application Control (WDAC), to deny the execution of executables, scripts, and DLLs from common user-writable directories like `%ProgramData%`, `%TEMP%`, and user `Downloads` folders.
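As an added example (not code from this report or from any of its cited sources), the following Python triages constructed process-creation command lines for the Defender-tampering `Set-MpPreference`/`Add-MpPreference` usage that the detection-rule item above calls out; the parameter watchlist, sample events and host names are constructed assumptions. It goes slightly beyond a substring rule by decoding `-EncodedCommand` payloads and resolving PowerShell's abbreviated parameter prefixes, two cases a naive `Set-MpPreference -DisableRealtimeMonitoring` match misses.

```python
import base64
import re

# Watchlist of real Set-MpPreference parameters whose listed values weaken Microsoft
# Defender. The selection is a constructed assumption, not an exhaustive list.
WEAKENING_SWITCHES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableScriptScanning", "DisableIntrusionPreventionSystem", "DisableBlockAtFirstSeen",
}
EXCLUSION_PARAMS = {"ExclusionPath", "ExclusionProcess", "ExclusionExtension"}
VALUE_PARAMS = {"MAPSReporting": {"0", "disabled"}, "SubmitSamplesConsent": {"2", "neversend"}}
ALL_PARAMS = WEAKENING_SWITCHES | EXCLUSION_PARAMS | set(VALUE_PARAMS)
TRUE_VALUES = {"$true", "1", "true"}

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
INVOCATION_RE = re.compile(r"\b(?:Set|Add)-MpPreference\b([^;|\r\n]*)", re.I)
# "-Name value", "-Name:value" or a bare "-Name"; a value never starts with "-".
PARAM_RE = re.compile(r"-(\w+)(?:(?:\s*:\s*|\s+)(?!-)(\S+))?")


def decode_encoded_command(cmdline):
    """Replace an -EncodedCommand payload (base64 of UTF-16LE text) with its plaintext."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def canonical_param(name):
    """PowerShell accepts any unambiguous prefix of a parameter name, so map
    e.g. 'DisableRealtime' back to 'DisableRealtimeMonitoring' (None if ambiguous)."""
    lowered = name.lower()
    hits = [p for p in ALL_PARAMS if p.lower().startswith(lowered)]
    return hits[0] if len(hits) == 1 else None


def find_defender_tampering(cmdline):
    """Return [(parameter, value), ...] for every Defender-weakening setting in cmdline."""
    findings = []
    for inv in INVOCATION_RE.finditer(decode_encoded_command(cmdline)):
        for name, value in PARAM_RE.findall(inv.group(1)):
            canon = canonical_param(name)
            if canon is None:
                continue
            raw = value.strip("'\"")
            val = raw.lower()
            if (canon in WEAKENING_SWITCHES and val in TRUE_VALUES) \
                    or (canon in EXCLUSION_PARAMS and raw) \
                    or (canon in VALUE_PARAMS and val in VALUE_PARAMS[canon]):
                findings.append((canon, raw))
    return findings


# Constructed sample process-creation events (host, command line); not real telemetry.
_ENCODED = base64.b64encode(
    "Set-MpPreference -DisableIOAVProtection $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("host01", r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
               r'Add-MpPreference -ExclusionPath C:\ProgramData"'),
    ("host02", "powershell.exe -ep bypass -enc " + _ENCODED),
    ("host03", r'powershell.exe -c "Get-MpPreference | Select-Object DisableRealtimeMonitoring"'),
    ("host04", r'powershell.exe -c "Set-MpPreference -DisableRealtime 1"'),
    ("host05", r'powershell.exe -c "Set-MpPreference -ScanScheduleDay 0"'),
]


def triage(events):
    """Map each host to its findings, omitting hosts with none."""
    result = {}
    for host, cmdline in events:
        findings = find_defender_tampering(cmdline)
        if findings:
            result[host] = findings
    return result


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, findings)
```

Only host01, host02 and host04 are reported; the read-only `Get-MpPreference` query and the harmless schedule change on host03 and host05 are not.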
UK and US Security Agencies Order Urgent Fixes as Cisco Firewall Bugs Exploited in Wild
Cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC), have issued urgent warnings about active exploitation of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewall vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, by an "advanced threat actor." CISA issued an Emergency Directive requiring federal agencies to identify affected devices, check logs for compromise, and apply Cisco's fixes within 24 hours, and to remove end-of-life ASA devices. When chained, these flaws allow attackers to remotely implant malware, execute commands, exfiltrate data, and gain complete control of the device. Cisco confirmed it has been aware of exploitation since May and links the activity with "high confidence" to the ArcaneDoor campaign, attributed to a state-sponsored threat group dubbed UAT4356, which in April 2024 exploited zero-day flaws in ASA and FTD firewalls to compromise government and telecom networks globally using bespoke tooling for espionage. This incident follows closely on another actively exploited zero-day in Cisco IOS software.
Severity: Critical
Sources
- https://eclypsium.com/blog/cisco-asa-scanning-surge-cyberattack/
- https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html
- https://www.cyberkendra.com/2025/09/hackers-exploit-cisco-firewall-zero.html
- https://www.infosecurity-magazine.com/news/arcanedoor-attacks-against-cisco/
- https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/
- https://www.theregister.com/2025/09/26/cisco_firewall_flaws/
Threat Details and IOCs
Malware: | ABCD ransomware, Akira, AndroxGh0st, Line Dancer, Line Runner, LINE VIPER, LockBit, LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green, RayInitiator |
CVEs: | CVE-2014-2120, CVE-2018-0296, CVE-2020-3452, CVE-2021-40117, CVE-2022-20829, CVE-2023-20269, CVE-2024-20353, CVE-2024-20481, CVE-2025-20333, CVE-2025-20352, CVE-2025-20362, CVE-2025-20363 |
Technologies: | Cisco Adaptive Security Appliance, Cisco Firepower Threat Defense (FTD), Cisco Firepower Threat Defense Software, Cisco IOS, Cisco IOS XE Software, Cisco IOS XR Software, Cisco Secure Firewall ASA Software |
Threat Actors: | AndroxGh0st, LockBit, Storm-1567, Storm1849, STORM-1849, UAT4356, Xcatze |
Attacker Countries: | Brazil, China, Russia |
Attacker Domains: | ocserv.openconnect-vpn.net |
Attacker URLs: | https://github.com/jbaines-r7/theway, https://github.com/yassineaboukir/CVE-2018-0296, https://ocserv.openconnect-vpn.net |
Victim Industries: | Education, Energy, Financial Services, Government, Healthcare, Manufacturing, Retail, Telecommunications, Transportation |
Victim Countries: | Australia, Canada, Germany, United Kingdom, United States |
Mitigation Advice
- Inventory all network devices to identify Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) models.
- Apply the patches released by Cisco for vulnerabilities CVE-2025-20333 and CVE-2025-20362 on all identified Cisco ASA and FTD firewalls immediately.
- Analyze firewall logs on all Cisco ASA and FTD devices for indicators of compromise associated with the ArcaneDoor campaign, such as unexpected reboots, unauthorized configuration changes, or suspicious outbound connections.
- Immediately identify and remove any Cisco ASA devices that are at or near their end-of-life date from the network.
Compliance Best Practices
- Evaluate and develop a strategy to diversify network security vendors for critical perimeter devices to avoid over-reliance on a single manufacturer.
- Implement a formal asset lifecycle and patch management policy that mandates regular hardware refresh cycles and enforces strict timelines for applying critical security patches.
- Design and implement a network segmentation architecture to isolate critical server environments from user workstations and other less-sensitive network zones.
- Deploy egress traffic filtering rules on the network perimeter to block all outbound traffic by default and only allow connections necessary for business operations.
Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware
Threat actors, attributed to the suspected China-linked group UAT4356 (Storm-1849) and the ArcaneDoor cluster, have exploited zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices since May 2025, targeting government agencies. These attacks leverage CVE-2025-20362 (CVSS 6.5) and CVE-2025-20333 (CVSS 9.9) to bypass authentication and execute malicious code, deploying sophisticated, previously undocumented malware families: RayInitiator and LINE VIPER. RayInitiator is a persistent GRUB bootkit that survives reboots and firmware upgrades, sometimes modifying ROMMON on older, end-of-support ASA 5500-X models lacking Secure Boot, to load LINE VIPER. LINE VIPER, a user-mode shellcode loader, enables command execution, packet capture, VPN authentication bypass, syslog suppression, CLI command harvesting, and delayed reboots, communicating via WebVPN/HTTPS or ICMP/raw TCP, and employs advanced evasion techniques like modifying the "lina" binary. Cisco has released patches for these and a third critical flaw, CVE-2025-20363 (CVSS 8.5/9.0), urging organizations to update their Cisco ASA and FTD products to counter these threats.
Severity: Critical
Sources
Threat Details and IOCs
Malware: | Line Dancer, LINE VIPER, RayInitiator |
CVEs: | CVE-2025-20333, CVE-2025-20362, CVE-2025-20363 |
Technologies: | Cisco Adaptive Security Appliance, Cisco Firepower Threat Defense (FTD), Cisco Firepower Threat Defense Software, Cisco IOS, Cisco IOS XE Software, Cisco IOS XR Software |
Threat Actors: | Storm1849, UAT4356 |
Attacker Countries: | China |
Victim Industries: | Cloud Infrastructure, Government, Telecommunications |
Victim Countries: | Australia, Canada, United Kingdom, United States |
Mitigation Advice
- Immediately create an inventory of all Cisco ASA, FTD, IOS, IOS XE, and IOS XR devices on the network to identify potentially affected systems.
- Apply the latest security patches from Cisco to all identified Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) devices to mitigate CVE-2025-20362 and CVE-2025-20333.
- Apply the latest security patches from Cisco to all identified ASA, FTD, IOS, IOS XE, and IOS XR devices to mitigate the critical remote code execution vulnerability CVE-2025-20363.
- Analyze network traffic logs for unusual ICMP traffic paired with raw TCP responses or suspicious WebVPN client authentication sessions over HTTPS, which are indicators of LINE VIPER C2 communications.
- Review system logs on all Cisco ASA devices for evidence of compromise, such as unexplained reboots, gaps in logging, or unauthorized configuration changes.
Compliance Best Practices
- Develop and execute a phased plan to replace all End-of-Support (EoS) Cisco ASA 5500-X series firewalls with modern devices that support features like Secure Boot.
- Update the organization's hardware procurement policy to mandate that all new network infrastructure devices must include Secure Boot and hardware trust anchor technologies.
- Implement strict access control lists (ACLs) to restrict public internet access to the management interfaces and VPN web services of all network boundary devices.
- Establish a formal asset lifecycle management program to track all network hardware and software, ensuring that equipment is replaced before it reaches its End-of-Support (EoS) date.
Critical Flaw in Linux ksmbd (CVE-2025-38561) Enables Remote Code Execution in the Kernel
A critical remote code execution vulnerability, CVE-2025-38561, has been discovered in the Linux kernel's ksmbd component by Nicholas Zubriski of Trend Research. This flaw affects all Linux distributions that utilize the built-in ksmbd-based SMB server, enabling attackers to execute arbitrary code with the highest system privileges. The vulnerability originates from a threading synchronization error during SMB2 session establishment, specifically improper handling of the `Preauth_HashValue` field, which creates a race condition leading to memory corruption and execution flow manipulation within kernel space. Although exploitation requires valid credentials, the severity is high, with a CVSS score of 8.5, given the common exposure of SMB services and the potential for credential theft. The vulnerability was privately reported on July 22, 2025, with public disclosure on September 24, 2025. Fixes, which introduce proper locking mechanisms to prevent race conditions, have been incorporated into the latest Linux kernel versions. Administrators are strongly advised to immediately apply these updates from their distribution maintainers, reboot affected machines, and reassess SMB service exposure, as no temporary mitigations or workarounds are available.
Severity: Critical
Sources
- https://cyberpress.org/linux-kernel-ksmbd-vulnerability/
- https://gbhackers.com/linux-kernel-ksmbd-flaw-2/
- https://meterpreter.org/critical-flaw-in-linux-ksmbd-cve-2025-38561-enables-remote-code-execution-in-the-kernel/
- https://www.zerodayinitiative.com/advisories/ZDI-25-916/
- https://www.zerodayinitiative.com/advisories/ZDI-25-917/
Threat Details and IOCs
CVEs: | CVE-2025-38561, CVE-2025-38562 |
Technologies: | Linux |
Victim Industries: | Cloud Infrastructure, Industrial Control Systems, Information Technology |
Mitigation Advice
- Use a vulnerability scanner or asset inventory system to identify all Linux hosts on the network that are running the ksmbd service.
- Apply the latest kernel security updates from your Linux distribution's package manager to all identified vulnerable systems.
- Reboot all Linux systems immediately after the kernel update is applied to ensure the new, patched kernel is loaded into memory.
Compliance Best Practices
- Review and update firewall rules to ensure that SMB services are not exposed to the internet and are only accessible from trusted internal network zones.
- Implement and enforce a policy for strong, unique passwords for all user and service accounts, and prioritize deploying multi-factor authentication (MFA) on all administrative accounts.
- Develop a formal patch management policy that defines service level agreements (SLAs) for applying security updates based on vulnerability severity, with a specific, accelerated timeline for critical kernel vulnerabilities.
Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection
A critical vulnerability, codenamed ForcedLeak (CVSS 9.4), was identified by Noma Security in Salesforce Agentforce, an AI agent platform, enabling the exfiltration of sensitive CRM data. This flaw specifically impacted organizations utilizing Agentforce with the Web-to-Lead functionality enabled, leveraging an indirect prompt injection. Attackers would submit a malicious description within a Web-to-Lead form; when an internal employee processed this lead via a standard AI query, Agentforce executed both legitimate and hidden instructions. This allowed the system to query the CRM for sensitive lead information and transmit it to an attacker-controlled, previously Salesforce-allowlisted, expired domain. The vulnerability exploited weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy bypass, as the underlying Large Language Model (LLM) could not distinguish between legitimate data and malicious instructions. Salesforce has since addressed the issue by re-securing the expired domain and implementing patches that enforce a URL allowlist mechanism for Agentforce and Einstein AI agents, preventing output to untrusted URLs. Users are advised to enforce Trusted URLs, audit existing lead data for suspicious submissions, implement strict input validation, and sanitize data from untrusted sources.
Severity: Critical
Sources
- https://cyberpress.org/flaw-in-salesforce-ai/
- https://gbhackers.com/salesforce-ai-agent-vulnerability/
- https://hackread.com/forcedleak-salesforce-agentforce-ai-agent-crm-data/
- https://thehackernews.com/2025/09/salesforce-patches-critical-forcedleak.html
- https://www.cyberkendra.com/2025/09/critical-forcedleak-flaw-lets-attackers.html
- https://www.infosecurity-magazine.com/news/critical-flaw-salesforce-agentforce/
Threat Details and IOCs
Malware: | BeaverTail, BRICKSTORM, MalTerminal, MINIBIKE, MiniJunk, Raccoon, Raccoon Stealer, SlugResin |
Technologies: | Salesforce, Salesforce Web-to-Lead |
Threat Actors: | Unc5221 |
Attacker Domains: | my-salesforce-cms.com |
Victim Industries: | Automotive, Consumer Discretionary, Digital Media, Education, Financial Services, Government, Healthcare, Hospitality, Information Technology, Manufacturing, Media and Entertainment, Professional Services, Real Estate, Retail, Technology Hardware, Telecommunications |
Victim Countries: | Finland, India, Indonesia, Spain, United States |
Mitigation Advice
- For Salesforce administrators, immediately configure and enforce the 'Trusted URL allowlist' for Agentforce and Einstein AI agents to prevent data exfiltration to unauthorized domains.
- Scan all existing Salesforce 'Web-to-Lead' form submissions, specifically looking for suspicious instructions or code-like syntax within the 'Description' field to identify past or ongoing attacks.
Compliance Best Practices
- Develop and implement a policy for strict input validation on all 'Web-to-Lead' forms to detect and block submissions containing characters or patterns indicative of prompt injection attacks.
- Establish an automated data sanitization pipeline for all data ingested from untrusted sources, such as public-facing web forms, before it is processed by Salesforce Agentforce or any other internal AI system.
- Initiate a security review of all AI agent configurations, including Salesforce Agentforce, to ensure they operate under the principle of least privilege and cannot perform sensitive actions or access data beyond their intended function.
- Implement a recurring process to audit all security allow-lists, including Salesforce Trusted URLs, to verify domain ownership and remove any domains that are expired or no longer controlled by the trusted entity.