Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence resources and SOC analysts observed the following notable attack behaviors:
- A rise in ransomware attacks targeting vulnerable SonicWall VPNs
- Python scripts used to run malicious tools under the radar
- More Microsoft 365 accounts coming under attack
A rise in Akira ransomware attacks targeting vulnerable SonicWall VPNs
What’s happening?
The Akira ransomware-as-a-service group is targeting organizations through vulnerable SonicWall VPN devices. Barracuda issued a security advisory on the threat in August. Three months on, the danger level remains high as the attacks continue to evolve.
The attacks exploit CVE-2024-40766, a vulnerability that was disclosed and patched more than a year ago. They succeed because not every organization has applied the patch, and because credentials stolen before the patch was applied can still be used to obtain valid one-time passwords (OTPs) and log in. That lets the attackers bypass multifactor authentication (MFA) even on devices that have since been updated, which is why patching alone is not enough.
Akira is known to move very quickly from initial access to encryption. It has recently been seen using legitimate tools, such as remote monitoring and management (RMM) software, to avoid detection, and disabling security tools and backup systems to prevent recovery.
Your organization may be at risk if you:
- Have not yet applied the patch, or have patched without resetting credentials such as passwords afterwards
- Have any old or unused accounts connected to the firewall
- Have unmonitored, background service accounts with a high level of access privileges and passwords that are not regularly rotated
To protect your organization:
- Use a scanning tool such as Barracuda’s Managed Vulnerability Security to check if you have an unpatched SonicWall VPN on your network
- Apply the security patch for CVE-2024-40766
- Reset all VPN credentials after patching, since credentials stolen beforehand remain valid
- Upgrade to SonicOS firmware version 7.3.0 or later, which features enhanced protections
- Audit and remove any unused or legacy accounts, including service accounts
- Rotate passwords for all local and service accounts, especially those migrated from older systems
- Restrict VPN access to trusted IPs and block logins from countries or hosting providers you don’t do business with
If there is any chance that your credentials or OTPs have been exposed, act fast: reset all passwords, switch to phishing-resistant MFA such as FIDO2 security keys, and review VPN logs for logins at unusual times or from unfamiliar locations or devices.
Python scripts used to run malicious tools under the radar
What’s happening?
Barracuda SOC analysts have seen a rise in hacking tools being launched and controlled from Python scripts.
The tools involved include Mimikatz, the widely used credential-theft tool; PowerShell, a legitimate Windows scripting tool that attackers abuse to run commands; and credential-stuffing tools and automation scripts that try stolen username and password pairs against websites.
Running these tools from Python gives attackers two things: a way to avoid detection, and a way to speed up and automate their attacks.
For example, launching a malicious tool from a Python script lets it hide behind a legitimate-looking program that does not immediately arouse suspicion.
Automating execution also removes the manual steps that might trip a detection, and it makes attacks faster and more efficient, shrinking the window defenders have to detect and respond.
Automated scripts can also run several operations in parallel, for example scanning for vulnerabilities while exfiltrating data.
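The detection side of the behavior described above, as an added example that is not Barracuda's code or part of the original report: three rules run over Sysmon-style process-creation records (the ParentImage, Image and CommandLine fields of Event ID 1) that flag a Python interpreter spawning a hacking tool or living-off-the-land binary, a hidden or encoded PowerShell launched from Python, and a `python -c` one-liner that reaches for process, memory or network primitives. The sample events, the host names, the tool list and the regex thresholds are all constructed assumptions for illustration.

```python
"""Added example: flag Python interpreters that launch hacking tools or
hidden shells, using Sysmon-style process-creation records."""
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry). Field names mirror
# Sysmon Event ID 1 (ProcessCreate); only the fields the rules use are kept.
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
SAMPLE_EVENTS = [
    # 1: Python spawns a hidden, encoded PowerShell
    {"host": "ws01",
     "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {B64}"},
    # 2: Python spawns Mimikatz from a world-writable directory
    {"host": "ws01",
     "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Users\Public\mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    # 3: a python -c one-liner that decodes and executes a payload
    {"host": "ws02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": 'python.exe -c "import subprocess,base64;'
                    'subprocess.Popen(base64.b64decode(P))"'},
    # 4: benign developer activity
    {"host": "ws03",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": "python.exe build.py --release"},
    # 5: benign: a Python build script calling git via subprocess
    {"host": "ws03",
     "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git status"},
]

# Interpreter names: python, pythonw, python3, python3.12, py (.exe optional)
PYTHON_RE = re.compile(r"(?:^|[\\/])(?:python|pythonw|py)\d?(?:\.\d+)?(?:\.exe)?$", re.I)
# Tools and living-off-the-land binaries a script has little legitimate reason to spawn
TOOL_RE = re.compile(
    r"(?:^|[\\/])(?:mimikatz|powershell|pwsh|cmd|rundll32|certutil|wscript|cscript|mshta)(?:\.exe)?$",
    re.I)
# PowerShell flags that hide the window, skip the profile or carry an encoded command
HIDDEN_PS_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|nop(?:rofile)?)",
    re.I)
# `python -c "..."` one-liners that reach for process, memory or network primitives
INLINE_PY_RE = re.compile(r"\s-c\s+.*\b(?:subprocess|ctypes|os\.system|base64|socket)\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def is_python(image: str) -> bool:
    return PYTHON_RE.search(image) is not None


def scan_event(ev: dict) -> list:
    """Apply the three rules to one process-creation record."""
    parent = ev.get("ParentImage", "")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    found = []
    if is_python(parent):
        if TOOL_RE.search(image):
            found.append(Finding(ev["host"], "python_spawns_tool",
                                 f"{_basename(parent)} -> {_basename(image)}"))
        if HIDDEN_PS_RE.search(cmd):
            found.append(Finding(ev["host"], "hidden_or_encoded_powershell", cmd[:80]))
    if is_python(image) and INLINE_PY_RE.search(cmd):
        found.append(Finding(ev["host"], "inline_python_runner", cmd[:80]))
    return found


def scan(events) -> list:
    """Run every rule over every record; returns findings in record order."""
    return [f for ev in events for f in scan_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:30} {f.detail}")
```

The parent-child rule is the one that carries the most weight: a developer's build script calling `git` through `subprocess` (record 5) is normal and is not flagged, while Python spawning Mimikatz or an encoded PowerShell is not something a build pipeline does. Tune the tool list to what your estate actually runs, and expect to add an allow-list for administration scripts that legitimately drive PowerShell.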
Your organization may be at risk if you:
- Lack robust and integrated detection capabilities to spot suspicious or malicious activities
- Are not running the most up-to-date software
- Do not have strong and consistent password policies and multifactor authentication measures in place
- Lack regular cybersecurity awareness training for employees
To protect your organization:
- Install endpoint protection such as Barracuda Managed Endpoint Security to detect Python-based threats
- Patch known vulnerabilities and update your software and systems regularly
- Limit access rights and permissions for employees
- Regularly train employees on the latest threats, what to look out for and how to report anything suspicious
More Microsoft 365 accounts under attack
What’s happening?
Barracuda is seeing a rise in unusual login activity in Microsoft 365 accounts. These are logins that don't match a user's normal behavior: they come from an unexpected location or device, or at a time when the user is not normally online. Such logins can indicate that an attacker has obtained the user's credentials and is trying to use them to access the account.
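The baseline-and-deviation check that underlies this kind of alert, and the VPN log review recommended in the SonicWall section above, as an added example that is not Barracuda's code or part of the original report: it learns each user's countries, devices and sign-in hours from a history window, then returns the reasons a new sign-in deviates (new country, new device, off hours), and treats a user with no history as a separate case rather than silently passing them. The sign-in records, user names, the one-hour slack around the usual window and the field names are constructed assumptions; in practice the country comes from IP geolocation and the device from the identity provider's device or user-agent field.

```python
"""Added example: baseline a user's sign-ins, then flag new logins from a
country or device they have never used, or outside their usual hours."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    user: str
    when: str      # ISO 8601 timestamp in UTC, e.g. "2025-10-01T08:05:00Z"
    country: str   # resolved from the source IP upstream
    device: str    # device or user-agent identifier from the identity provider


# Constructed sample data (not real sign-in logs). BASELINE is the learning
# period; NEW_SIGNINS are the records to triage against it.
BASELINE = [
    SignIn("alice", "2025-10-01T08:05:00Z", "US", "alice-laptop"),
    SignIn("alice", "2025-10-02T12:30:00Z", "US", "alice-laptop"),
    SignIn("alice", "2025-10-03T17:45:00Z", "US", "alice-phone"),
]
NEW_SIGNINS = [
    SignIn("alice", "2025-11-03T03:12:00Z", "RU", "unknown-android"),  # all three signals
    SignIn("alice", "2025-11-03T09:00:00Z", "US", "alice-laptop"),     # normal
    SignIn("alice", "2025-11-03T19:30:00Z", "US", "alice-laptop"),     # off hours only
    SignIn("bob",   "2025-11-03T10:00:00Z", "US", "bob-laptop"),       # no history at all
]

SLACK_HOURS = 1  # assumption: an hour either side of the observed window still counts as usual


def _hour(ts: str) -> int:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_profiles(history) -> dict:
    """Per-user sets of countries, devices and sign-in hours seen in the baseline."""
    profiles = {}
    for r in history:
        p = profiles.setdefault(r.user, {"countries": set(), "devices": set(), "hours": set()})
        p["countries"].add(r.country)
        p["devices"].add(r.device)
        p["hours"].add(_hour(r.when))
    return profiles


def assess(profiles: dict, r: SignIn) -> list:
    """Return the reasons a sign-in deviates from the user's baseline (empty if none)."""
    p = profiles.get(r.user)
    if p is None:
        return ["no_baseline"]   # cannot judge: route to a separate queue, do not ignore
    reasons = []
    if r.country not in p["countries"]:
        reasons.append(f"new_country:{r.country}")
    if r.device not in p["devices"]:
        reasons.append(f"new_device:{r.device}")
    lo, hi = min(p["hours"]) - SLACK_HOURS, max(p["hours"]) + SLACK_HOURS
    if not lo <= _hour(r.when) <= hi:
        reasons.append("off_hours")
    return reasons


def triage(history, new) -> list:
    """Pair every deviating sign-in with its reasons; clean sign-ins are dropped."""
    profiles = build_profiles(history)
    flagged = []
    for r in new:
        reasons = assess(profiles, r)
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for signin, reasons in triage(BASELINE, NEW_SIGNINS):
        print(f"{signin.user:6} {signin.when}  {', '.join(reasons)}")
```

Two caveats a practitioner would apply before trusting this: the usual-hours window is a flat range, so a user whose day spans midnight needs a circular window instead, and the baseline must be long enough (weeks, not days) that a legitimately new device does not page the on-call analyst. The same three questions, where from, on what, and when, are what to ask of a SonicWall VPN log when checking for post-patch abuse of stolen credentials.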
The rise reflects the growing popularity of Microsoft 365 as a business productivity tool with multiple, integrated applications.
A breached account can provide an attacker with:
- Confirmed access that they can sell to other cybercriminals, such as initial access brokers
- Access to the broader network to enable lateral movement
- The ability to locate and steal sensitive emails, files, data and messaging, which they can use for extortion or impersonation-based attacks
- A channel for delivering additional malicious payloads
- And more
Your organization may be at risk if you:
- Post names and contact details for executives, finance, HR and IT teams online where they are easy for external parties to identify
- Don’t have a strong, consistently enforced password policy and MFA turned on for everyone
- Are seeing unusual logins from unfamiliar countries or devices
- Provide no regular cybersecurity awareness training for employees
To protect your organization:
- Enable MFA for all Microsoft 365 accounts
- Limit access rights and permissions for employees
- Install protection for cloud-based services and traffic — such as Barracuda Managed XDR Cloud Security
- Regularly train employees on the latest threats, what to look out for and how to report anything suspicious
- Block access from risky locations or devices
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.