New innovations in identity protection, expanded security services, and advancements in AI, and threat detection and response to strengthen cybersecurity outcomes

On October 22-24, SophosAI will present research on ‘LLM salting’ (a novel countermeasure against jailbreaks) and command line classification at CAMLIS 2025

  More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations. Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall. Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware. CVE-2024-40766, which remains unpatched in some environments. A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains: “This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.”“This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.” Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts. The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766. According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer. Recommended Mitigations Organizations relying on SonicWall firewalls are advised to: * Rotate passwords on all SonicWall local accounts and delete unused ones. * Enforce MFA/TOTP for SSLVPN services. * Set the Default LDAP User Group to “None.” * Restrict Virtual Office Portal access to trusted local networks and closely monitor usage. * Ensure all appliances run the latest firmware updates. SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.

Response times go from hours or days to seconds.

Response times go from hours or days to seconds.

Rising Cybersecurity Alarm for Cisco Users Cisco, a global leader in networking and security solutions, is grappling with multiple high-risk vulnerabilities across its flagship products that could enable attackers to execute arbitrary code remotely. These flaws impact critical platforms such as Cisco Secure Firewall Management Center (FMC), Firepower 2100 Series, ASA and FTD software, Identity Services Engine (ISE), and both IOS and IOS XE network operating systems.

Cybersecurity attacks are rising sharply in 2025, and Microsoft has been one among many prominent targets. Research shows that 70 percent of M365 tenants have experienced account takeovers1 and 81 …

The heavy metal star reunited with his Black Sabbath bandmates on stage at Villa Park earlier in July.

Sophos X-Ops sees exploitation across multiple customer estates

Sophos X-Ops sees exploitation across multiple customer estates

View detailed information about CVE-2025-32756 on CyberAlerts

Marks and Spencer (M&S) confirms that customer data was stolen in a cyberattack last month, when ransomware was used to encrypt servers.

Taking a dive into Sophos Tamper Protection