Skip to main content

Active Exploitation of SonicWall VPNs: Huntress Research

N2K NetworksAugust 30, 202513 min230 views
14 connections·17 entities in this video→

SonicWall VPN Vulnerability and Exploitation

  • πŸ’‘ Huntress noticed an uptick in incidents involving SonicWall devices, which later aligned with research on active exploitation.
  • 🎯 Attackers are leveraging a vulnerability, particularly when organizations upgraded from SonicWall Gen 6 to Gen 7 devices while retaining old configurations, leaving credentials exposed.
  • πŸ”‘ The exploitation allows attackers to gain initial access, steal credentials, perform lateral movement, and exfiltrate data before deploying Akira ransomware.

Attackers' Tactics and Targeting

  • ⚑ Attackers are observed to be opportunistic, hitting various industries, and their activity significantly ramped up after public awareness of the vulnerability.
  • ⚠️ Techniques used include disabling defenses, clearing logs, credential theft, and Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • πŸ“ˆ The exploitation became more prevalent after Arctic Wolf released their research, suggesting attackers capitalized on a limited window of opportunity.

Scope and Impact of the Threat

  • 🌍 The issue appears to be global, though SonicWall devices are predominantly found in North America.
  • ❓ There are questions about the exact vulnerability, as some incidents involved devices that didn't fit the Gen 6 to Gen 7 upgrade criteria, and even Portinet devices with SonicWall software installed were compromised.
  • 🀝 Huntress coordinated with SonicWall, providing core dumps to help identify the root cause, which was initially suspected to be CVE-2024-4766.

Recommendations for Organizations

  • 🚫 Organizations using SonicWall devices are advised to disable SSL VPN access or restrict it via IP allow-listing.
  • πŸ”‘ Rotate credentials and hunt for indicators of compromise.
  • πŸ› οΈ From a higher level, attack surface reduction, keeping systems updated, using MFA, and enabling brute force protection are crucial for defending VPN appliances.
  • ⚠️ VPN appliances remain attractive targets for attackers due to the direct access they provide to internal networks.
Knowledge graph17 entities Β· 14 connections

How they connect

An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.

Hover Β· drag to explore
17 entities
Chapters1 moments

Key Moments

Transcript47 segments

Full Transcript

Topics12 themes

What’s Discussed

SonicWall VPNActive ExploitationAkira RansomwareVulnerabilityMFA BypassLateral MovementCredential TheftBYOVDCybersecurityThreat AdvisoryHuntress LabsCVE-2024-4766
Smart Objects17 Β· 14 links
CompaniesΒ· 5
PersonΒ· 1
ProductsΒ· 6
MediasΒ· 3
EventΒ· 1
ConceptΒ· 1