SonicWall urges admins to disable SSLVPN amid rising attacks
Intro
SonicWall has warned customers to disable SSLVPN services because, over the past few weeks, ransomware gangs have potentially been exploiting an unknown security vulnerability in SonicWall Gen 7 firewalls to breach networks.
Akira ransomware attacks
SonicWall firewall devices have been increasingly targeted since late July in a surge of Akira ransomware attacks, potentially exploiting a previously unknown security vulnerability, according to cybersecurity company Arctic Wolf.
As Arctic Wolf Labs observed, multiple ransomware intrusions involved unauthorized access through SonicWall SSL VPN connections, starting on July 15. However, while it is very likely that a zero-day vulnerability is being exploited in these attacks, Arctic Wolf has not ruled out credential-based attacks.
While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing has not yet been definitively ruled out in all cases.
Throughout this surge in ransomware activity, attackers quickly transitioned from initial network access via SSL VPN accounts to data encryption, a pattern consistent with similar attacks detected since at least October 2024, indicating a sustained campaign targeting SonicWall devices.
Additionally, Arctic Wolf noted the ransomware operators were observed using virtual private server hosting for VPN authentication, while legitimate VPN connections typically originate from broadband internet service providers.
Post-exploitation
Full reference here.
- Abuse privileged accounts: In many cases, the threat actors immediately gained administrative access by leveraging an over-privileged LDAP or service account used by the SonicWall device itself (e.g., sonicwall, LDAPAdmin).
- Establish Command and Control: For persistence, they deploy Cloudflared tunnels and OpenSSH, often staged out of C:\ProgramData. This gives them a durable backdoor into the network.
- Move laterally and steal credentials: Using their newfound privileges, they use WMI and PowerShell Remoting to move across the network. We’ve captured them running scripts to dump and decrypt credentials from Veeam Backup databases and using wbadmin.exe to back up the NTDS.dit Active Directory database for offline cracking.
- Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall.
- Deploy ransomware: The final objective appears to be ransomware. We’ve seen them delete Volume Shadow Copies with vssadmin.exe to prevent easy recovery right before deploying what we assess to be Akira ransomware.
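The stages listed above leave command-line evidence that a SOC can match in process-creation telemetry. The following Python is an added example, not code from the original post or from its reference; the regex rules, host names, account names and sample command lines are constructed assumptions for the demo.

```python
import re

# One regex per post-exploitation stage named above, matched case-insensitively
# against a process command line (Sysmon Event ID 1 / Windows 4688 style).
RULES = [
    ("Establish Command and Control",
     r"\\programdata\\.*\b(cloudflared|sshd?)\.exe"),
    ("Move laterally and steal credentials",
     r"\bwbadmin(\.exe)?\b.*\bstart\s+backup\b.*\bntds\b"),
    ("Disable defenses",
     r"\bSet-MpPreference\b.*-Disable\w+\s+\$?true"
     r"|\bnetsh(\.exe)?\b.*\badvfirewall\s+set\b.*\bstate\s+off\b"),
    ("Deploy ransomware",
     r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
]
COMPILED = [(stage, re.compile(pat, re.I)) for stage, pat in RULES]

def classify(command_line):
    """Return the first stage whose rule matches, or None for benign activity."""
    for stage, rx in COMPILED:
        if rx.search(command_line):
            return stage
    return None

def scan(events):
    """Return (host, user, stage, command_line) for each suspicious event."""
    hits = [(ev["host"], ev["user"], classify(ev["cmd"]), ev["cmd"]) for ev in events]
    return [h for h in hits if h[2]]

def hosts_with_multiple_stages(events):
    """Hosts where more than one stage fired. The rapid access-to-encryption
    progression described in the post is far more telling than a single hit."""
    seen = {}
    for host, _user, stage, _cmd in scan(events):
        seen.setdefault(host, set()).add(stage)
    return sorted(h for h, stages in seen.items() if len(stages) > 1)

# Constructed sample events (hosts, users and paths are made up; the account
# name echoes the over-privileged service account the post mentions).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\LDAPAdmin", "cmd": r"C:\ProgramData\cf\cloudflared.exe tunnel run"},
    {"host": "DC01", "user": "CORP\\LDAPAdmin", "cmd": r"wbadmin.exe start backup -backupTarget:\\BK01\share -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"host": "FS01", "user": "CORP\\LDAPAdmin", "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS01", "user": "CORP\\LDAPAdmin", "cmd": "netsh.exe advfirewall set allprofiles state off"},
    {"host": "FS01", "user": "CORP\\LDAPAdmin", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS07", "user": "CORP\\jdoe", "cmd": "vssadmin.exe list shadows"},
    {"host": "WS07", "user": "CORP\\jdoe", "cmd": r"C:\Program Files\Git\usr\bin\ssh.exe git@github.com"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the five LDAPAdmin events and leaves the two routine jdoe commands alone; `hosts_with_multiple_stages` then singles out DC01 and FS01 as hosts where the chain has progressed.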
Need Help?
The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html
