CyberWire Daily - Cracks in the wall. [Research Saturday]
Episode Date: August 30, 2025

This week, we are joined by Jamie Levy, Director of Adversary Tactics at Huntress, who is discussing their work on "Active Exploitation of SonicWall VPNs." Huntress has released an urgent threat advisory on active exploitation of SonicWall VPNs, with attackers bypassing MFA, pivoting to domain controllers, and ultimately deploying Akira ransomware. The campaigns involve techniques such as disabling defenses, clearing logs, credential theft, and Bring Your Own Vulnerable Driver (BYOVD) attacks with legitimate Windows drivers. Organizations using SonicWall devices are strongly advised to disable SSL VPN access or restrict it via IP allow-listing, rotate credentials, and hunt for indicators of compromise, as this remains an ongoing and evolving threat.

Complete our annual audience survey before August 31.

The research can be found here: Huntress Threat Advisory: Active Exploitation of SonicWall VPNs
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets.
From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance.
Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So we started to notice that there was an uptick in incidents that involved SonicWall devices. It actually started probably like a week or so before Arctic Wolf came out with their research.
That's Jamie Levy, Director of Adversary Tactics at Huntress.
The research we're discussing today is titled "Active Exploitation of SonicWall VPNs."
So as we started to notice that we had more and more incidents, we started to dig into it,
and then we saw their research come out, and then we realized that, yes, it was probably a part of what was going on there.
Yeah. It's funny how that can happen sometimes, right? Somebody is independently on the same path, and you might not know it at the time.
Correct. Yeah.
So what tipped you off that this was not a routine vulnerability report, but there was something more active and urgent?
Well, we started to notice that there were a lot of incidents involving SonicWall devices.
And so it looked as if maybe there was some kind of vulnerability involved just because we started to get so many more of these incidents involving that.
And then other people were saying that they had it.
And we were talking to other researchers and other companies.
And they were talking about how they had a lot of incidents involving this.
And so we knew something was up with that.
And it was also, we figured out that it was pretty much the same group.
A lot of times these were ending up with Akira ransomware.
And so since it was the same types of exploitation, we figured out that this group knew about this exploit and was leveraging it pretty heavily.
I see. Well, for our listeners who may not be deeply technical, can you explain to us what exactly this SonicWall VPN vulnerability is all about?
Yeah, so this particular vulnerability, the thing that was actually the biggest problem with it was that people had upgraded from a Generation 6 SonicWall device to Generation 7, and they kept the same configs.
Unfortunately, when they did this, it left their credentials still exposed.
And so the attackers realized that they could leverage this and gain access, even though they thought that they were fully patched.
Oh, that's interesting.
So, well, once the attackers had access, what were they able to do inside the compromised network?
So at that point, they would often gain access to other machines on the inside.
So that could be credential stuffing or reused passwords, basically.
They would gain access to various machines and then steal credentials on that side, do lateral movement, do exfiltration of data.
And then ultimately, they would deploy ransomware at the end.
But, yeah, pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that.
In terms of their targeting, does it strike you that it's opportunistic, or were they really focusing on certain industries or organizations?
It seemed to be all over the place. I mean, we saw all different industries being hit. So I think it was opportunistic, but I feel like it really ramped up even more after people were aware that this was happening. I mean, we saw blips of it.
Once we knew what was going on, we went back and looked at previous incidents, and we could see that there were incidents even as far back as May that seemed to fit the same pattern.
But it wasn't nearly as often.
But as soon as Arctic Wolf's research went out, all of a sudden it was just like everything was on fire.
Everybody was getting hit by this.
And I don't know, it's just probably the attackers realized, like, there's maybe a moment, you know, where they're going to lose this type of access.
And so they just really started to ramp up.
Right.
The clock is ticking.
So let's get while the getting's good.
Interesting.
We'll be right back.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply.
Learn more at mx.ca.orgia.
Oh, hi, buddy.
Who's the best?
You are.
I wish I could spend all day with you instead.
Uh, Dave, you're off mute.
Hey, happens to the best of us.
Enjoy some goldfish cheddar crackers.
Goldfish have short memories.
Be like goldfish.
In terms of scale and scope here, I mean, how widespread do you believe this is?
That's a good question.
So I feel like people still don't have like a good handle on this, because we're still seeing incidents involving SonicWall devices.
And we did have one customer who came, and they were hit with the SonicWall vulnerability, but they said that their device did not fit this criteria. It wasn't a Gen 6 to Gen 7 upgrade. It basically was a device that, I think it was a Fortinet device, that they had installed Gen 7 SonicWall on, and it still got popped. And so there are some questions about whether or not this vulnerability actually is what the underlying cause is.
Yeah.
Is there any geographic concentration? Are they going after folks in a certain part of the world, or does it seem all around, is it a global issue?
I believe it's a global issue, but if you just kind of scan to see where most of these SonicWall devices are, I mean, overwhelmingly, they're in the United States area, right, the North American area, just by default. But yeah, I mean, like, as far as our customer base, like, we've seen them from all over getting popped.
I see. Now, did you all coordinate with SonicWall in terms of getting the vulnerability confirmed?
Yes, we did. We were in contact with them, and basically, we were trying to figure out what were the logs that we should pull. Was there anything else? We were also trying to help them figure out what the problem was, because initially they weren't really sure.
They did seem to think that it was CVE-2024-40766.
They weren't really sure at the moment.
And that was back when we spoke with them on Monday of last week, August 4th.
So one of the things that they had told us to do is, if we had any more of these incidents come up, to take a core dump, and then we could hand that off to them to get an idea of what was actually happening. So it seemed that the logs were a little bit lacking, but the core dumps, they basically had the moment of truth in them that could actually help figure out what the problem was.
I see. And so where do we stand today? Have there been patches issued?
I think it's really just that they've given advice of making sure that you don't have the old configs if you had updated from Gen 6 to Gen 7, and to rotate creds.
And if you're really unsure, just to try to keep the device offline.
But, yeah, like, as far as I know, they haven't issued another patch for this.
I see.
Yeah.
Yeah.
From a higher level, I mean, is it accurate to say that VPN appliances make attractive targets for attackers?
Oh, yeah.
I mean, it seems very much so.
I mean, SonicWall devices are not the only ones that we see getting hit by attackers.
So just about every VPN device is basically ripe for the picking.
Makes sense because once they gain access there,
then they can gain access to things that are internal much easier.
Yeah.
What are your recommendations, then, for organizations to better protect themselves against this sort of thing?
I mean, attack surface reduction as much as you can, making sure that you're up to date, using MFA, turning on, like, the brute force protection, all of that, as much as you can, just to try to reduce that attack surface.
And I suppose it's fair to say that we can expect VPNs to still have a target on their backs in the near future.
Yeah, definitely.
Our thanks to Jamie Levy from Huntress for joining us.
The research is titled "Active Exploitation of SonicWall VPNs."
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this month.
There's a link in the show notes.
Please do check it out.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Tré Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.