Huntress Threat Advisory: Active Exploitation of SonicWall VPNs

TL;DR: A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach.

Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances. This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.

The bottom line: this is a critical, ongoing threat.

Let's dive into what we're seeing.


The attack playbook: From edge to ransomware

The attack chain is swift and follows a consistent pattern. It starts with a breach of the SonicWall appliance itself. The post-exploitation techniques that follow vary by incident, but consistently include enumeration, detection evasion, lateral movement, and credential theft.

Post-exploitation: A well-worn path

Once on the network, the attackers don't waste time. Their actions are a mix of automated scripts for speed and hands-on-keyboard activity for precision. We've seen them:

  • Abuse privileged accounts: In many cases, the threat actors immediately gained administrative access by leveraging an over-privileged LDAP or service account used by the SonicWall device itself (e.g., sonicwall, LDAPAdmin). 

  • Establish Command and Control: For persistence, they deploy Cloudflared tunnels and OpenSSH, often staged out of C:\ProgramData. This gives them a durable backdoor into the network.

  • Move laterally and steal credentials: Using their newfound privileges, they use WMI and PowerShell Remoting to move across the network. We’ve captured them running scripts to dump and decrypt credentials from Veeam Backup databases and using wbadmin.exe to back up the NTDS.dit Active Directory database for offline cracking.

  • Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall.

  • Deploy ransomware: The final objective appears to be ransomware. We've seen them delete Volume Shadow Copies with vssadmin.exe to prevent easy recovery right before deploying what we assess to be Akira ransomware.


Attacker tradecraft

We have so far observed around 20 distinct attacks directly related to this set of events, the first of them starting on July 25. These attacks share some similarities but also differ in how each attacker operated. It is apparent that some of these attackers share at least part of the same playbook, or that they adapt to whatever situation they happen to encounter. Methodologies ranged from tools brought in by the attacker, such as Advanced_IP_Scanner, WinRAR, and FileZilla, to built-in tools (LOLBins), as well as various persistence mechanisms such as new accounts, SSH, or full-blown RMMs like AnyDesk.



Figure 1: Visualization of timeline of attacks

Below we break down the attacks we have seen so far by category, in no particular order. Commands that were run together on the same machine are kept in close proximity; some of these commands were also used, with minor variations, on other machines:

Account access

Attackers also logged into the Administrator account or other accounts via RDP, either by brute forcing them or by logging in with credentials they had already compromised.

Enumeration

Attackers used various tools like Advanced_IP_Scanner, or other LOLBins or built-in capabilities in order to enumerate various accounts or network information:

"C:\Users\[redacted]\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe"
"C:\[redacted]\netscan\netscan.exe"

"C:\Windows\system32\nltest.exe" /trusted_domains
"C:\Windows\system32\PING.EXE" 192.168.xx.xxx
"C:\Windows\system32\nltest.exe" /dclist:
"C:\Users\[redacted]\Documents\Advanced_Port_Scanner_2.5.3869.exe"

Install-WindowsFeature RSAT-AD-PowerShell
Get-ADComputer -Filter * -Property * | Select-Object Enabled, DNSHostName, IPv4Address, OperatingSystem, Description > C:\programdata\[redacted].txt

cmd.exe /Q /c nltest /domain_trusts 1> \\Windows\\Temp\\ysKBfL 2>&1

cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1754125023.3698354 2>&1

net group "Domain admins" /dom


Staging and exfiltration

The most interesting of the following commands is the WinRAR execution. It was run on six different machines with an identical command line; the only difference, in some cases, was the source or target drive:

"C:\Program Files\WinRAR\WinRAR.exe" a -ep1  -scul -r0 -iext -imon1 -- . X:\[Redacted]

C:\ProgramData\shares.txt

"C:\Program Files\FileZilla FTP Client\fzsftp.exe" -v

Persistence

In some cases attackers attempted to maintain persistence on these machines, either by adding accounts or by enabling or installing remote-access tools.

Installation of RMMs such as AnyDesk or ScreenConnect, and SSH

"C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\OpenSSHa.msi"


Creation and Configuration of New User Accounts

"C:\Windows\system32\net.exe" user lockadmin Msnc?42da /add

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v commuser /d 0 /f

net user [REDACTED] VRT83g$%ce /add
net localgroup Administrators [redacted] /add
net localgroup "Remote Desktop Users" [redacted] /add

net  group "Domain Admins" azuresync /add

cmd.exe /Q /c net user backupSQL Password123$ /add /dom 1> \\Windows\\Temp\\tinhLg 2>&1

cmd.exe /Q /c net group "Domain Admins" backupSQL  /dom /add 1> \Windows\Temp\NDqyOI 2>&1


Evasion and lateral movement

In addition to clearing event logs, attackers often used the following evasion and lateral movement techniques:

Credential harvesting

cmd.exe /Q /c copy "C:\Users\[redacted]\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Windows\Temp\1753954887.8450267"

"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY -quiet

WMI lateral movement to run PowerShell for credential theft, using NetExec's Veeam_Dump_Postgresql.ps1


Various firewall settings and security software disablement

In addition to recovered PowerShell history, we’ve also seen several of the following commands: 

"C:\Windows\system32\SystemSettingsAdminFlows.exe" Defender DisableEnhancedNotifications 1

netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22


Other relevant tradecraft

Unrecovered scripts

C:\ProgramData\2.bat

C:\ProgramData\1.bat


Recovery prevention

"C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /quiet 


Akira ransomware invocation

w.exe  -p=\\[redacted]\C$ -n=1
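The command lines quoted in the Enumeration, Staging, Persistence, Evasion, Recovery prevention and post-exploitation sections above translate directly into hunt logic. The following is an added example, not Huntress tooling or code from this advisory: it runs regex rules derived from those quoted commands over a constructed set of process-creation events and groups hits per host by playbook stage, so a responder can see which hosts are furthest along (shadow-copy deletion and firewall changes outrank enumeration alone). The event schema (host, user, cmdline) and the sample events are assumptions; the hostnames and the X:\staging path are invented.

```python
"""Hunt sample process-creation telemetry for the command lines quoted in this
advisory. The events below are constructed to mirror the quoted tradecraft;
the field names (host, user, cmdline) are an assumption, not any EDR's schema."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str
    pattern: re.Pattern


def _rule(name, stage, regex):
    return Rule(name, stage, re.compile(regex, re.IGNORECASE))


# One rule per technique quoted in the advisory. The optional '"' after the
# image name absorbs the quoted-path form ("...\net.exe" user ...) in the captures.
RULES = [
    _rule("nltest-domain-enum", "enumeration",
          r'nltest(\.exe)?"?\s+/(domain_trusts|trusted_domains|dclist)'),
    _rule("domain-admins-enum", "enumeration",
          r'net(\.exe)?"?\s+group\s+"domain admins"\s+/dom(ain)?\b(?!.*\s/add)'),
    _rule("winrar-staging", "staging",
          r'winrar(\.exe)?"?\s+a\s+-ep1\b'),
    _rule("account-create", "persistence",
          r'net(\.exe)?"?\s+user\s+\S+(\s+\S+)?\s+/add\b'),
    _rule("domain-admins-add", "persistence",
          r'net(\.exe)?"?\s+group\s+"domain admins"\s+\S+.*\s/add\b'),
    _rule("hidden-logon-account", "persistence",
          r'specialaccounts\\userlist'),
    _rule("openssh-msi-install", "persistence",
          r'msiexec(\.exe)?"?\s+/i\s+.*openssh'),
    _rule("browser-login-data-copy", "credential theft",
          r'copy\s+.*\\login data'),
    _rule("ntds-backup-via-wbadmin", "credential theft",
          r'wbadmin(\.exe)?"?\s+start\s+backup.*ntds\.dit'),
    _rule("defender-tamper", "defense evasion",
          r'set-mppreference|systemsettingsadminflows(\.exe)?"?\s+defender'),
    _rule("inbound-rdp-or-ssh-rule", "defense evasion",
          r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=(3389|22)\b'
          r'|new-netfirewallrule.*-localport\s+(22|3389)\b'),
    _rule("shadow-copy-deletion", "recovery prevention",
          r'vssadmin(\.exe)?"?\s+delete\s+shadows'),
]

# Rough order of the playbook described in the advisory, used for prioritisation.
STAGE_ORDER = ["enumeration", "staging", "persistence", "credential theft",
               "defense evasion", "recovery prevention"]

# Constructed sample events modelled on the quoted command lines (hostnames invented).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\sonicwall",
     "cmdline": r'cmd.exe /Q /c nltest /domain_trusts 1> \Windows\Temp\ysKBfL 2>&1'},
    {"host": "DC01", "user": r"CORP\sonicwall",
     "cmdline": r'cmd.exe /Q /c net user backupSQL Password123$ /add /dom 1> \Windows\Temp\tinhLg 2>&1'},
    {"host": "DC01", "user": r"CORP\sonicwall",
     "cmdline": r'cmd.exe /Q /c net group "Domain Admins" backupSQL  /dom /add 1> \Windows\Temp\NDqyOI 2>&1'},
    {"host": "DC01", "user": r"CORP\backupSQL",
     "cmdline": r'"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit C:\Windows\System32\config\SYSTEM -quiet'},
    {"host": "FS02", "user": r"CORP\backupSQL",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1  -scul -r0 -iext -imon1 -- . X:\staging'},
    {"host": "FS02", "user": r"CORP\backupSQL",
     "cmdline": r'netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow'},
    {"host": "FS02", "user": r"CORP\backupSQL",
     "cmdline": r'"C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /quiet'},
    # Two benign look-alikes that the rules must not flag.
    {"host": "WS17", "user": r"CORP\jdoe",
     "cmdline": r'"C:\Windows\system32\net.exe" user jdoe /domain'},
    {"host": "WS17", "user": r"CORP\jdoe",
     "cmdline": r'netsh advfirewall firewall add rule name="Zoom" dir=in protocol=UDP localport=8801 action=allow'},
]


def scan(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": rule.name, "stage": rule.stage,
                                 "cmdline": ev["cmdline"]})
    return findings


def stages_by_host(findings):
    """host -> set of playbook stages seen on it; breadth, not hit count, is the signal."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].add(f["stage"])
    return dict(out)


def triage(events, min_stages=3):
    """Hosts showing at least `min_stages` distinct stages, most advanced stage first."""
    by_host = stages_by_host(scan(events))
    hot = [h for h, s in by_host.items() if len(s) >= min_stages]
    return sorted(hot, key=lambda h: (-max(STAGE_ORDER.index(s) for s in by_host[h]), h))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:<5} {f['stage']:<20} {f['rule']:<26} {f['cmdline'][:60]}")
    print("prioritise:", triage(SAMPLE_EVENTS))
```

The rules are deliberately loose on the image path (quoted or bare, with or without `.exe`) because the captures above show both forms, and the benign `net user` lookup and the UDP firewall rule are included to show where the patterns stop matching. Treat the stage grouping as a prioritisation aid, not a verdict: a single `wbadmin` hit on a domain controller still deserves an immediate look.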


What you should do right now

This is an active threat that requires immediate attention.

  1. Disable your SonicWall VPN. This is the most effective way to protect your network. We strongly advise you to disable SSL VPN access on your SonicWall appliances until an official patch and guidance are released.

  2. If you can't disable it, lock it down. If the VPN is business-critical, immediately restrict access to a minimal allow-list of known, trusted IP addresses. Segment the network to prevent a breach of the appliance from immediately providing access to critical servers like domain controllers.

  3. Audit your service accounts. That sonicwall or LDAP user does not need to be a Domain Admin. Ever. Ensure any service accounts follow the principle of least privilege.

  4. Hunt for malicious activity. Use the Indicators of Compromise below to search your environment for signs of a breach.

The Huntress team is continuing to monitor this threat, and we will update as we learn more.

Special thanks to the analysts, researchers, support analysts, technical account managers, and everyone else involved in responding to this incident and contributing to this blog: Michael Tigges, Ben Folland, Dray Agha, Jamie Levy, Lindsey O'Donnell-Welch, Max Rogers, and many others.



Indicators of Compromise (IOCs)

| Item | Description |
|---|---|
| 42.252.99[.]59 | Attacker IP |
| 45.86.208[.]240 | Attacker IP |
| 77.247.126[.]239 | Attacker IP |
| 104.238.205[.]105 | Attacker IP |
| 104.238.220[.]216 | Attacker IP |
| 181.215.182[.]64 | Attacker IP |
| 193.163.194[.]7 | Attacker IP |
| 193.239.236[.]149 | Attacker IP |
| 194.33.45[.]155 | Attacker IP |
| w.exe (sha256: d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d) | Ransomware executable |
| win.exe | Ransomware executable |
| C:\ProgramData\winrar.exe | Data staging tooling |
| C:\ProgramData\OpenSSHa.msi | OpenSSH installer |
| C:\Program Files\OpenSSH\sshd.exe | SSH executable for exfil |
| C:\programdata\ssh\cloudflared.exe | Cloudflared executable |
| C:\Program Files\FileZilla FTP Client\fzsftp.exe | Data exfiltration tooling |
| C:\ProgramData\1.bat | Unknown attacker script |
| C:\ProgramData\2.bat | Unknown attacker script |
| AS24863 - LINK-NET - 45.242.96.0/22 | ASN/CIDR hosting adversary infrastructure |
| AS62240 - Clouvider - 45.86.208.0/22 | ASN/CIDR hosting adversary infrastructure |
| AS62240 - Clouvider - 77.247.126.0/24 | ASN/CIDR hosting adversary infrastructure |
| AS23470 - ReliableSite LLC - 104.238.204.0/22 | ASN/CIDR hosting adversary infrastructure |
| AS23470 - ReliableSite LLC - 104.238.220.0/22 | ASN/CIDR hosting adversary infrastructure |
| AS174 - COGENT-174 - 181.215.182.0/24 | ASN/CIDR hosting adversary infrastructure |
| AS62240 - Clouvider - 193.163.194.0/24 | ASN/CIDR hosting adversary infrastructure |
| AS62240 - Clouvider - 193.239.236.0/23 | ASN/CIDR hosting adversary infrastructure |
| AS62240 - Clouvider - 194.33.45.0/24 | ASN/CIDR hosting adversary infrastructure |
| backupSQL | User created by attacker |
| lockadmin | User created by attacker |
| Password123$ | Password used by attacker |
| Msnc?42da | Password used by attacker |
| VRT83g$%ce | Password used by attacker |
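The network IOCs above, together with the allow-listing advice in step 2 and the hunting advice in step 4 of "What you should do right now", can be put to work against VPN authentication logs. The following is an added example, not Huntress tooling or code from this advisory: it refangs the listed attacker IPs, loads the listed CIDRs, checks each login's source against both and against an allow-list, and ranks the results. It also reports any listed attacker IP that none of the listed CIDRs covers, which matters if you block by range only. The log line format, the allow-list (RFC 5737 documentation ranges) and the sample lines are constructed assumptions, not SonicWall's real log schema.

```python
"""Triage VPN authentication logs against this advisory's network IOCs.
The log format and allow-list below are constructed for illustration and
are not SonicWall's actual log schema."""
import ipaddress
import re

# Defanged attacker IPs and hosting CIDRs, copied from the IOC table above.
ATTACKER_IPS_DEFANGED = [
    "42.252.99[.]59", "45.86.208[.]240", "77.247.126[.]239", "104.238.205[.]105",
    "104.238.220[.]216", "181.215.182[.]64", "193.163.194[.]7",
    "193.239.236[.]149", "194.33.45[.]155",
]
ATTACKER_CIDRS = [
    "45.242.96.0/22", "45.86.208.0/22", "77.247.126.0/24", "104.238.204.0/22",
    "104.238.220.0/22", "181.215.182.0/24", "193.163.194.0/24",
    "193.239.236.0/23", "194.33.45.0/24",
]
# Constructed allow-list: RFC 5737 documentation ranges stand in for an org's known egress IPs.
ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.7/32"]


def refang(text):
    """Turn the table's 1.2.3[.]4 notation back into a real address object."""
    return ipaddress.ip_address(text.replace("[.]", "."))


KNOWN_ATTACKER_IPS = {refang(ip) for ip in ATTACKER_IPS_DEFANGED}
ATTACKER_NETS = [ipaddress.ip_network(c) for c in ATTACKER_CIDRS]
ALLOWED_NETS = [ipaddress.ip_network(c) for c in ALLOWED_SOURCES]

# Assumed syslog-like format: "<ts> vpn auth <success|failure> user=<u> src=<ip>"
LOG_RE = re.compile(r'^(?P<ts>\S+) vpn auth (?P<result>success|failure) '
                    r'user=(?P<user>\S+) src=(?P<src>[\d.]+)$')


def uncovered_attacker_ips():
    """Listed attacker IPs that no listed CIDR covers; these need explicit blocks."""
    return sorted(str(ip) for ip in KNOWN_ATTACKER_IPS
                  if not any(ip in net for net in ATTACKER_NETS))


def classify(src):
    """Tags for one source address, most specific first."""
    tags = []
    if src in KNOWN_ATTACKER_IPS:
        tags.append("known-attacker-ip")
    if any(src in net for net in ATTACKER_NETS):
        tags.append("attacker-hosting-range")
    if not any(src in net for net in ALLOWED_NETS):
        tags.append("outside-allow-list")
    return tags


def severity(result, tags):
    """Attacker infrastructure outranks an allow-list miss; success outranks failure."""
    if "known-attacker-ip" in tags or "attacker-hosting-range" in tags:
        return "critical" if result == "success" else "high"
    if "outside-allow-list" in tags:
        return "medium" if result == "success" else "low"
    return None


def triage(lines):
    """Return the flagged logins, in input order, with their tags and severity."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should surface these too
        src = ipaddress.ip_address(m["src"])
        tags = classify(src)
        sev = severity(m["result"], tags)
        if sev:
            flagged.append({"ts": m["ts"], "user": m["user"], "src": str(src),
                            "result": m["result"], "tags": tags, "severity": sev})
    return flagged


# Constructed sample log lines (timestamps and usernames invented).
SAMPLE_LOG_LINES = [
    "2025-07-26T02:11:09Z vpn auth success user=jdoe src=203.0.113.45",
    "2025-07-26T02:14:51Z vpn auth success user=sonicwall src=45.86.208.240",
    "2025-07-26T02:15:02Z vpn auth failure user=administrator src=194.33.45.77",
    "2025-07-26T02:20:33Z vpn auth success user=mwhite src=198.51.100.7",
    "2025-07-26T03:02:10Z vpn auth success user=svc_backup src=192.0.2.10",
    "2025-07-26T03:05:44Z vpn auth failure user=guest src=192.0.2.11",
]


if __name__ == "__main__":
    print("attacker IPs not covered by a listed CIDR:", uncovered_attacker_ips())
    for hit in triage(SAMPLE_LOG_LINES):
        print(f"{hit['severity']:<8} {hit['ts']} {hit['user']:<14} {hit['src']:<16} {hit['tags']}")
```

The second sample line is the case the advisory warns about: a successful VPN login by the appliance's own service account from a listed attacker address. Even without the IOC match, the allow-list check alone would have flagged it, which is the point of step 2.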
