Active Exploitation of SonicWall VPNs

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential theft. Attackers quickly gain administrative access, establish command and control, move laterally, disable defenses, and deploy Akira ransomware. The threat actors use a mix of automated scripts and manual activity, abusing privileged accounts and utilizing various tools for persistence and data exfiltration. Immediate action is advised, including disabling SonicWall VPN access or severely restricting it, auditing service accounts, and hunting for malicious activity using provided indicators of compromise.

OPENCTI LABELS:

vpn,ransomware,lateral movement,credential theft,zero-day,mfa bypass,akira,sonicwall
