Executive Summary
In September 2025, a coordinated HardBit ransomware attack caused significant operational disruptions across several European airports. The attack exploited a vulnerability in SonicWall SSL VPN devices (CVE-2024-40766), allowing threat actors to bypass multi-factor authentication and gain unauthorized access to critical infrastructure. Prompt law enforcement action led to the arrest of an initial suspect by the UK’s National Crime Agency, though details remain limited as investigations continue. The attack, labeled by researchers as primitive yet effective, underscores how quickly threat actors are leveraging both publicly available exploits and compromised credentials to disrupt essential services with ransomware.
This event made headlines due to its impact on vital transportation infrastructure and prompted an international response highlighting the growing urgency for robust network segmentation, encrypted traffic measures, and rapid threat detection. The incident also reflects a broader trend of ransomware actors increasingly targeting critical sectors using innovative entry vectors and expanding their global footprint.
Why This Matters Now
This ransomware incident demonstrates the sector-wide risk posed by vulnerabilities in remote access and VPN appliances, particularly when attackers can still succeed even after patching by using stolen credentials and MFA bypass. With airports and other critical infrastructure remaining lucrative targets, timely, layered defenses and swift, coordinated responses are more urgent than ever.
Attack Path Analysis
Attackers exploited vulnerabilities in exposed internet-facing resources such as SSL VPNs and socially engineered IT helpdesks into resetting credentials. They escalated privileges by extracting the Active Directory database file (NTDS.dit) and manipulating account tokens. Lateral movement was achieved via SSH access to virtual machines and by pivoting across workloads and clusters. The attackers established command and control through encrypted channels and covert tools, enabling remote management and payload execution. Sensitive data was exfiltrated and files were encrypted, often with custom ransomware strains. Finally, business operations were disrupted through widespread ransomware deployment, data encryption, and extortion.
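To make the credential-dumping step in this kill chain detectable, here is an added example (not from the original report or any vendor product) of detection logic run over constructed Windows process-creation events: it flags ntdsutil install-from-media use and command lines that name ntds.dit shortly after a volume shadow copy is created on the same host. The flattened event format, hostnames and account names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
# Constructed sample process-creation events (Windows Security event 4688 flattened to
# one line each); they are not telemetry from the incident described on this page.
SAMPLE_EVENTS = [
    "2025-09-20T02:11:04Z host=DC01 user=CORP\\svc_backup image=wbadmin.exe args=start backup -backupTarget:D:",
    "2025-09-20T02:14:37Z host=DC01 user=CORP\\helpdesk2 image=ntdsutil.exe args=ac i ntds ifm create full C:\\out q q",
    "2025-09-20T02:15:02Z host=DC01 user=CORP\\helpdesk2 image=vssadmin.exe args=create shadow /for=C:",
    "2025-09-20T02:15:40Z host=DC01 user=CORP\\helpdesk2 image=cmd.exe args=/c copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\out\\n.dit",
    "2025-09-20T09:00:00Z host=WS17 user=CORP\\alice image=notepad.exe args=report.txt",
]
EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(\S+) args=(.*)$")

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str  # lower-cased executable name
    args: str   # lower-cased command-line arguments

def parse_event(line: str) -> Event:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, host, user, image, args = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, image.lower(), args.lower())

def detect_ntds_dumping(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """(host, user, reason) alerts for ATT&CK T1003.003: ntdsutil IFM output, or a command line
    naming ntds.dit, correlated with a shadow copy created on the same host within `window`."""
    alerts: List[Tuple[str, str, str]] = []
    last_shadow: Dict[str, datetime] = {}  # host -> time of most recent 'vssadmin create shadow'
    for e in sorted((parse_event(ln) for ln in lines), key=lambda ev: ev.ts):
        tokens = e.args.split()
        if e.image == "ntdsutil.exe" and "ifm" in tokens:
            alerts.append((e.host, e.user, "ntdsutil IFM media creation"))
        if e.image == "vssadmin.exe" and "create" in tokens and "shadow" in tokens:
            last_shadow[e.host] = e.ts  # remembered; only alerts if ntds.dit is touched afterwards
        if "ntds.dit" in e.args:
            since = last_shadow.get(e.host)
            if since is not None and e.ts - since <= window:
                alerts.append((e.host, e.user, f"ntds.dit referenced {int((e.ts - since).total_seconds())}s after shadow copy creation"))
            else:
                alerts.append((e.host, e.user, "command line references ntds.dit"))
    return alerts
```

Routine backup jobs that never name ntds.dit (the wbadmin line) produce no alert, which keeps the rule quiet on domain controllers with scheduled backups.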
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in perimeter devices (e.g., SonicWall SSL VPN CVE-2024-40766) or leveraged social engineering to gain initial access by acquiring valid credentials.
Related CVEs
CVE-2024-40766
CVSS 9.8. An improper access control vulnerability in SonicWall SonicOS management access allows unauthorized access to resources and can cause the firewall to crash under specific conditions.
Affected Products:
SonicWall SonicOS – Gen 5, Gen 6, Gen 7 (≤ 7.0.1-5035)
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Phishing
Remote Services: SSH
Data Encrypted for Impact
OS Credential Dumping: NTDS
Indicator Removal on Host: File Deletion
Data from Information Repositories: SharePoint
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication Mechanisms
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Comprehensive Identity and Access Management
Control ID: Identity Pillar - 2.1
NIS2 Directive – Cybersecurity Risk-management Measures
Control ID: Article 21
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High ransomware exposure requiring encrypted traffic protection, zero trust segmentation, and egress security to prevent data exfiltration and maintain regulatory compliance.
Health Care / Life Sciences
Critical vulnerability to ransomware attacks targeting patient data systems, requiring enhanced east-west traffic security and threat detection for HIPAA compliance.
Information Technology/IT
Primary target for SSL VPN attacks and social engineering breaches, needing comprehensive multicloud visibility and Kubernetes security for infrastructure protection.
Government Administration
Strategic ransomware target requiring secure hybrid connectivity and inline IPS protection to safeguard critical infrastructure and sensitive government operations.
Sources
- IT threat evolution in Q3 2025. Non-mobile statistics: https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/
- CVE-2024-40766 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-40766
- CVE-2024-40766 | INCIBE-CERT | INCIBE: https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2024-40766
- Ongoing active exploitation of SonicWall SSL VPNs in Australia (CVE-2024-40766) | Cyber.gov.au: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This attack demonstrates the need for Zero Trust controls—network segmentation, east-west traffic filtering, explicit egress policy enforcement, and real-time threat detection—to constrain lateral movement, block unauthorized outbound activity, and limit the ransomware blast radius. CNSF capabilities such as zero trust segmentation, encrypted traffic enforcement, egress filtering, and anomaly response would have disrupted multiple stages of this kill chain.
Control: Cloud Firewall (ACF) + Zero Trust Segmentation
Mitigation: Reduced attack surface and prevented unauthorized resource exposure.
Control: Zero Trust Segmentation
Mitigation: Limited escalation paths by enforcing least privilege and isolating identity domains.
Control: East-West Traffic Security + Kubernetes Security (AKF)
Mitigation: Detected and blocked unauthorized lateral network flows.
Control: Inline IPS (Suricata) + Encrypted Traffic (HPE)
Mitigation: Detected C2 sessions and malicious signatures in network traffic, even within encrypted flows.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unsanctioned outbound transfers and exfiltration attempts.
Enabled rapid ransomware detection, incident response, and automated remediation.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access Services
- Data Protection
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive data due to compromised firewall security, leading to data breaches and loss of customer trust.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to restrict unnecessary east-west movement across VMs, cloud workloads, and management systems.
- Implement robust cloud-native firewalls and microsegmentation to minimize the attack surface for internet-facing and internal resources.
- Apply strict egress controls with FQDN and application-level filtering to block exfiltration and ransomware command channels.
- Continuously monitor for anomalies and malicious signatures in both north-south and east-west traffic using inline IPS and threat analytics.
- Regularly review and update segmentation, privileged access, and backup protection policies as part of a dynamic CNSF strategy.
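As an added example, not part of this page or of the CNSF product, the following Python sketch shows what the segment-scoped, FQDN-based egress control recommended above looks like as policy logic: a default-deny allowlist per zero trust segment, evaluated over constructed flow records, with large denied transfers escalated as possible exfiltration. Segment names, destinations and the byte threshold are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed default-deny egress policy: each workload segment may reach only the listed
# FQDN patterns on the listed port. Names and segments are illustrative, not from the incident.
EGRESS_POLICY: Dict[str, List[Tuple[str, int]]] = {
    "web-tier": [("*.windowsupdate.com", 443), ("api.payments.example", 443)],
    "ops-db":   [("*.windowsupdate.com", 443), ("ntp.internal.example", 123)],
}

@dataclass(frozen=True)
class Flow:
    segment: str    # zero trust segment the source workload belongs to
    dst_fqdn: str   # destination name from DNS logs or TLS SNI; "" when the client went straight to an IP
    dst_port: int
    bytes_out: int  # bytes sent by the workload

def is_allowed(flow: Flow) -> bool:
    """Match against the segment's allowlist; unknown segments have no rules and are denied."""
    name = flow.dst_fqdn.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, pat.lower()) and flow.dst_port == port
               for pat, port in EGRESS_POLICY.get(flow.segment, []))

def evaluate(flows: List[Flow], exfil_bytes: int = 50_000_000) -> List[Tuple[Flow, str]]:
    """Return a verdict per flow. Denied transfers above `exfil_bytes` are escalated, because a
    bulk push to an unsanctioned destination is the exfiltration pattern this control exists to stop."""
    verdicts: List[Tuple[Flow, str]] = []
    for f in flows:
        if not f.dst_fqdn:
            verdicts.append((f, "deny: direct-to-IP egress has no FQDN to match"))
        elif is_allowed(f):
            verdicts.append((f, "allow"))
        elif f.bytes_out >= exfil_bytes:
            verdicts.append((f, "deny+alert: large transfer to unsanctioned destination"))
        else:
            verdicts.append((f, "deny"))
    return verdicts

# Constructed flow records for a dry run.
SAMPLE_FLOWS = [
    Flow("web-tier", "dl.windowsupdate.com", 443, 8_000_000),         # sanctioned update traffic
    Flow("ops-db", "api.payments.example", 443, 1_000),               # allowed for web-tier, not for ops-db
    Flow("ops-db", "files.unknown-cloud.example", 443, 120_000_000),  # bulk push to an unknown host
    Flow("ops-db", "", 8443, 2_048),                                  # client connected by IP, no name
    Flow("mgmt", "ntp.internal.example", 123, 200),                   # segment with no policy entry
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{flow.segment:9s} {flow.dst_fqdn or '<ip-only>':32s} :{flow.dst_port:<5d} {verdict}")
```

Connections made directly to an IP address are denied outright: an FQDN filter only protects if name-less egress is not allowed to slip past it.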