Ransomware Attacks: The Rising Threat of Compromised VPN Credentials
Recent research sheds light on the alarming trend of compromised VPN credentials being the main entry point for ransomware attacks. A report by Beazley Security reveals that almost half of ransomware incidents in the third quarter of the year were linked to exploited VPN credentials.
Key Findings on Ransomware Entry Points
According to the study, approximately 50% of ransomware attacks utilized compromised VPN credentials as their starting point. Following this, about 25% of initial access attacks were tied to the exploitation of external services. Additionally, remote desktop service (RDS) credentials, supply chain attacks, and social engineering tactics each represented 6% of entry points for these malicious operations.
The pattern is clear: roughly three quarters of these incidents began at the internet-facing edge, through a stolen credential or an exploitable external service, rather than through a lure aimed at a user. Hardening remote access is therefore the highest-leverage control an organization can apply.
Importance of Multi-Factor Authentication (MFA)
The report underscores a crucial point: organizations must ensure that multi-factor authentication (MFA) is not only deployed but actively managed across every remote-access solution. Exceptions deserve particular scrutiny. An exemption granted for a legacy client or a service account and never revoked leaves an account that a stolen password alone can unlock, and those are exactly the accounts attackers go looking for.
Beazley also emphasizes the need for ongoing dark web monitoring to detect leaked credentials. A leaked password for an account that lacks MFA is effectively an open door, and spotting the leak early can serve as a warning signal for the larger intrusion that typically follows.
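As an added example (not from the Beazley report or any vendor's tooling), the following Python script turns those two recommendations into a routine check: it walks a remote-access account export, flags accounts that lack MFA with or without an approved exception, and cross-references the same accounts against a leaked-credential feed to see whether a leaked password is still current. The account records, the leak feed, the report date and the salted-hash password check are all constructed stand-ins for this example; in practice the inventory comes from your VPN appliance or identity provider, the feed from your monitoring provider, and "is this password still valid" from whatever verification your IdP supports.

```python
"""Audit remote-access accounts for MFA gaps and cross-check them against leaked credentials.

Added example, not code from the Beazley report or any vendor product. The account
export, the leak feed and the password-verification step are constructed stand-ins:
real inventories come from your VPN appliance or IdP, leak feeds from your monitoring
provider, and "is this leaked password still current" is whatever check your IdP
supports (modelled here as a salted SHA-256 compare, purely for illustration).
"""
import hashlib
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REPORT_DATE = date(2025, 10, 1)  # fixed so the example is deterministic (assumption)


def _pw_hash(salt, password):
    """Stand-in verifier for the example; not a recommended password-storage scheme."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account export. "exempt_until" is the end date of an approved MFA
# exception (None = no exception on record).
ACCOUNTS = [
    {"user": "alice@example.com", "vpn": True, "mfa": True, "exempt_until": None,
     "salt": "a1", "pw_hash": _pw_hash("a1", "Summer2025!")},
    {"user": "bob@example.com", "vpn": True, "mfa": False, "exempt_until": "2025-06-30",
     "salt": "b2", "pw_hash": _pw_hash("b2", "bob123")},
    {"user": "carol@example.com", "vpn": True, "mfa": False, "exempt_until": None,
     "salt": "c3", "pw_hash": _pw_hash("c3", "C0rrectHorse")},
    {"user": "dave@example.com", "vpn": True, "mfa": False, "exempt_until": "2025-12-31",
     "salt": "d4", "pw_hash": _pw_hash("d4", "Dav3Pass!")},
    {"user": "erin@example.com", "vpn": True, "mfa": True, "exempt_until": None,
     "salt": "e5", "pw_hash": _pw_hash("e5", "NewPass2025")},
    {"user": "svc-backup@example.com", "vpn": False, "mfa": False, "exempt_until": None,
     "salt": "f6", "pw_hash": _pw_hash("f6", "backup")},
]

# Constructed leak feed, roughly as a monitoring provider might deliver it. Note the
# mixed-case addresses and the entry for a user who does not exist in the export.
LEAKS = [
    {"email": "Alice@example.com", "password": "Summer2025!"},
    {"email": "BOB@example.com", "password": "bob123"},
    {"email": "erin@example.com", "password": "OldPass1"},
    {"email": "frank@example.com", "password": "hunter2"},
]


def audit(accounts, leaks, today):
    """Return (user, issue, severity) findings for VPN-enabled accounts, worst first."""
    findings = []
    leaked = {}
    for leak in leaks:
        leaked.setdefault(leak["email"].strip().lower(), []).append(leak["password"])

    for acct in accounts:
        if not acct["vpn"]:
            continue  # no remote-access exposure; out of scope for this audit
        user = acct["user"].lower()

        if not acct["mfa"]:
            if acct["exempt_until"] is None:
                findings.append((user, "no_mfa_no_exemption", "high"))
            elif date.fromisoformat(acct["exempt_until"]) < today:
                findings.append((user, "mfa_exemption_expired", "high"))
            else:
                findings.append((user, "mfa_exempt_active", "medium"))

        for password in leaked.get(user, []):
            if _pw_hash(acct["salt"], password) == acct["pw_hash"]:
                # The leaked password still works; without MFA that is an open door.
                severity = "critical" if not acct["mfa"] else "high"
                findings.append((user, "leaked_password_still_valid", severity))
            else:
                findings.append((user, "leaked_password_rotated", "low"))

    findings.sort(key=lambda f: (SEVERITY_RANK[f[2]], f[0], f[1]))
    return findings


def run_example():
    """Run the audit over the constructed fixtures."""
    return audit(ACCOUNTS, LEAKS, REPORT_DATE)


if __name__ == "__main__":
    for user, issue, severity in run_example():
        print(f"{severity:<8} {user:<24} {issue}")
```

The ordering is the point: an account that has no MFA and whose leaked password still works (bob) sorts above one that merely lacks MFA, and a leak whose password has already been rotated (erin) drops to informational. Run it on a schedule, and treat any "mfa_exemption_expired" result as a ticket, not a warning.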
The Role of SonicWall Compromises
The most significant development affecting VPN security this quarter was a prolonged campaign against SonicWall devices, largely attributed to the Akira ransomware group. Those attacks were a major contributor to the rise in VPN-related ransomware incidents.
Akira's SonicWall intrusions centred on valid credentials, obtained through credential stuffing and brute force and used against appliances that were frequently also unpatched. The group alone accounted for 39% of Beazley Security's incident response cases in the quarter.
Tactics of Active Ransomware Groups
The report indicates that Akira repeatedly gained access with valid credentials, particularly against SonicWall's SSLVPN services. Configuration weaknesses such as missing MFA and permissive access-control policies gave the group further room to operate once a password had been obtained.
Other active groups, Qilin and INC among them, were also identified as serious threats, using a range of methods for initial access. Qilin often relies on phishing and on weak or stolen passwords in remote-work environments. The INC ransomware group, for its part, combines credential theft with the exploitation of exposed enterprise appliances to gain a foothold.
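The credential stuffing and brute force described here and in the previous section leave a distinctive trace in SSL VPN authentication logs. As an added example (not code from the report or from SonicWall), the Python below runs three detections over constructed log lines in a made-up, simplified format: many failures from one source against one account, failures from one source spread across many accounts, and, the one that matters most, a successful login right after such a burst. The thresholds, the log format and the sample events are assumptions; swap parse_line() for one that reads your appliance's real syslog output.

```python
"""Flag brute-force and credential-stuffing activity in SSL VPN authentication logs.

Added example, not code from the Beazley report or SonicWall. The log lines below are
constructed in a simplified made-up format ("<ISO-8601 UTC time> src=<ip> user=<name>
result=FAIL|SUCCESS"); it is not SonicWall's syslog schema, so replace parse_line()
with one for whatever your appliance actually emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for the example; tune them to your own baseline.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILS = 5        # failures for one (src, user) pair inside WINDOW
STUFFING_DISTINCT_USERS = 5  # distinct users failing from one src inside WINDOW
SUCCESS_AFTER_FAILS = 3      # failures from a src shortly before a success

# Constructed sample: an admin who mistypes a password now and then, a brute force
# against one account, a credential-stuffing run across many accounts, and an
# ordinary user with a single typo.
SAMPLE_LOG = """\
2025-09-14T00:00:05Z src=192.0.2.10 user=ops result=FAIL
2025-09-14T00:20:05Z src=192.0.2.10 user=ops result=FAIL
2025-09-14T00:40:05Z src=192.0.2.10 user=ops result=FAIL
2025-09-14T00:45:00Z src=192.0.2.10 user=ops result=SUCCESS
2025-09-14T02:15:01Z src=198.51.100.7 user=jdoe result=FAIL
2025-09-14T02:15:03Z src=198.51.100.7 user=jdoe result=FAIL
2025-09-14T02:15:05Z src=198.51.100.7 user=jdoe result=FAIL
2025-09-14T02:15:07Z src=198.51.100.7 user=jdoe result=FAIL
2025-09-14T02:15:09Z src=198.51.100.7 user=jdoe result=FAIL
2025-09-14T02:15:30Z src=198.51.100.7 user=JDoe result=SUCCESS
2025-09-14T03:00:01Z src=203.0.113.45 user=alice result=FAIL
2025-09-14T03:00:02Z src=203.0.113.45 user=bob result=FAIL
2025-09-14T03:00:03Z src=203.0.113.45 user=carol result=FAIL
2025-09-14T03:00:04Z src=203.0.113.45 user=dave result=FAIL
2025-09-14T03:00:05Z src=203.0.113.45 user=erin result=FAIL
2025-09-14T03:00:20Z src=203.0.113.45 user=erin result=SUCCESS
2025-09-14T04:10:00Z src=192.0.2.22 user=sam result=FAIL
2025-09-14T04:10:15Z src=192.0.2.22 user=sam result=SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Usernames are case-insensitive on the usual backends (AD/LDAP), so normalise;
    # otherwise "JDoe" and "jdoe" would be tracked as two different targets.
    return ts, kv["src"], kv["user"].lower(), kv["result"].upper()


def _expire(window, now, ts_of):
    """Drop entries older than WINDOW from the front of a chronological deque."""
    while window and now - ts_of(window[0]) > WINDOW:
        window.popleft()


def analyze(lines):
    """Return (alert_type, src, detail) tuples in the order they fire.

    Input lines are sorted on their leading timestamp, so out-of-order input is fine.
    Each alert is raised once per source (and per user for the per-account alerts).
    """
    alerts, seen = [], set()
    fails_by_pair = defaultdict(deque)   # (src, user) -> failure timestamps
    fails_by_src = defaultdict(deque)    # src -> (timestamp, user) of failures

    def alert(kind, src, detail, dedup_key=None):
        key = dedup_key or (kind, src, detail)
        if key not in seen:
            seen.add(key)
            alerts.append((kind, src, detail))

    for line in sorted(l for l in lines if l.strip()):
        ts, src, user, result = parse_line(line)
        _expire(fails_by_pair[(src, user)], ts, lambda t: t)
        _expire(fails_by_src[src], ts, lambda e: e[0])

        if result == "FAIL":
            fails_by_pair[(src, user)].append(ts)
            fails_by_src[src].append((ts, user))
            # Brute force: one source hammering a single account.
            if len(fails_by_pair[(src, user)]) >= BRUTE_FORCE_FAILS:
                alert("brute_force", src, user)
            # Credential stuffing: one source trying many different accounts, a few
            # attempts each, so per-account lockout never triggers.
            distinct = {u for _, u in fails_by_src[src]}
            if len(distinct) >= STUFFING_DISTINCT_USERS:
                alert("credential_stuffing", src, len(distinct), ("credential_stuffing", src))
        elif result == "SUCCESS":
            # A login right after a burst of failures from the same source is the
            # signal that matters most: a guessed or stuffed credential worked.
            if len(fails_by_src[src]) >= SUCCESS_AFTER_FAILS:
                alert("success_after_failures", src, user)
    return alerts


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:<24} {src:<16} {detail}")
```

The admin's scattered failures never accumulate inside the window, so they produce nothing, while the two attack patterns each produce a "success_after_failures" alert, which is the one to page on: at that point a valid credential is in the attacker's hands and the question is no longer whether to lock the account but what the session has already done.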
Exploited Vulnerabilities in Cisco and Citrix
Beyond VPN credentials, attackers also made use of critical vulnerabilities in Cisco and Citrix products. The third quarter saw campaigns leveraging CVE-2025-20333 and CVE-2025-20363 in the VPN components of Cisco ASA. Another notable campaign targeted a serious SNMP flaw in Cisco IOS, while the Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777 were also exploited.
These flaws add a second layer of risk on the same attack surface: a stolen credential gets an attacker through an edge appliance's front door, and an unpatched vulnerability removes the need for a credential at all. Patch on the vendor's advisory cadence, and because these appliances rarely carry endpoint telemetry, treat any device that sat exposed while vulnerable as suspect until its configuration and logs have been reviewed.
SEO Poisoning Tactics
A smaller portion of ransomware incidents in the third quarter involved SEO poisoning. In this approach, threat actors manipulate search engine results so that malicious websites rank at the top, tricking users into downloading trojanised productivity tools such as PDF editors. The installer carries hidden malware that gives the attackers a foothold on the victim's machine and from there into the network, sidestepping the email filters designed to block phishing, since no email was ever sent.
The method works precisely because the user went looking for the download themselves, so neither mail filtering nor phishing awareness applies. Security awareness training should cover it, but the more dependable control is one that does not rely on the user's judgement, such as permitting software installs only from an approved catalogue.
Conclusion
With ransomware attacks escalating, and compromised VPN credentials the leading way in, organizations should treat remote access as their primary exposure: enforce MFA with no unmanaged exceptions, watch for leaked credentials and for credential guessing against the VPN, and patch edge appliances promptly. Strong baseline practices combined with vigilant monitoring close the door that most of these incidents walked through.