
Hackers bypass SonicWall VPN MFA due to incomplete patching

Why This Matters

This incident highlights the critical importance of thorough patching and configuration in cybersecurity, especially for VPN appliances that are prime targets for attackers. It underscores that firmware updates alone are insufficient; manual steps are essential to fully mitigate vulnerabilities, ensuring robust MFA protection. For the tech industry and consumers, this emphasizes the need for comprehensive security practices to prevent costly breaches and maintain trust.

Key Takeaways

Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks.

During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out.

SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.

Researchers at cybersecurity company ReliaQuest responded to multiple intrusions between February and March, and assessed the activity "with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments."

The researchers noted that, in the environments they investigated, the devices appeared to be patched because they were running the updated firmware, yet they remained vulnerable because the required remediation steps had not been completed.

On Gen7 and Gen8 devices, simply updating to a newer firmware version is enough to fully remove the risk from exploiting CVE-2024-12802.

Exploitation activity

ReliaQuest says that in one incident, the hacker gained access to the internal network and reached a domain-joined file server in as little as half an hour. Then they established a remote connection over RDP using a shared local administrator password.

The researchers found that the attacker tried to deploy a Cobalt Strike beacon, a post-exploitation framework for command-and-control (C2) communication, and a vulnerable driver, likely to disable endpoint protection using the Bring Your Own Vulnerable Driver (BYOVD) technique.

However, the installed endpoint detection and response (EDR) solution blocked the beacon and the loading of the driver.
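The pattern described above (a burst of failed VPN logins followed by a success, then a session that lasts well under an hour) is the kind of thing a SOC can look for in gateway authentication logs. The following is an added example, not code from the article, from ReliaQuest or from SonicWall: it runs two simple detections over constructed, syslog-like SSL-VPN log lines. The log format, field names, user names, source IPs, session IDs and thresholds are all assumptions made for this illustration and would need to be adapted to a real appliance's log schema.

```python
"""
Added example (not from the article, ReliaQuest or SonicWall): two small
detections for the VPN login pattern the article describes, run over
constructed SSL-VPN authentication log lines.  The log format, field names,
users, IPs, session IDs and thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2025-03-04T02:10:05Z vpn-gw auth FAIL user=jdoe src=203.0.113.7
2025-03-04T02:10:09Z vpn-gw auth FAIL user=jdoe src=203.0.113.7
2025-03-04T02:10:14Z vpn-gw auth FAIL user=jdoe src=203.0.113.7
2025-03-04T02:10:20Z vpn-gw auth FAIL user=jdoe src=203.0.113.7
2025-03-04T02:10:27Z vpn-gw auth FAIL user=jdoe src=203.0.113.7
2025-03-04T02:10:33Z vpn-gw auth OK   user=jdoe src=203.0.113.7 session=91
2025-03-04T02:52:10Z vpn-gw auth LOGOUT user=jdoe src=203.0.113.7 session=91
2025-03-04T08:00:01Z vpn-gw auth OK   user=asmith src=198.51.100.20 session=92
2025-03-04T17:30:44Z vpn-gw auth LOGOUT user=asmith src=198.51.100.20 session=92
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth (?P<event>FAIL|OK|LOGOUT)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: session=(?P<session>\d+))?$"
)


def parse(log_text):
    """Parse the hypothetical log format into dicts; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_brute_force_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (user, src, success_ts) where one source accumulated at least
    `min_failures` failed logins for a user within `window` before a success."""
    hits = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["event"] == "FAIL":
            failures[key].append(e["ts"])
        elif e["event"] == "OK":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((e["user"], e["src"], e["ts"]))
            failures[key].clear()  # a success resets the failure streak
    return hits


def find_short_sessions(events, max_len=timedelta(minutes=60)):
    """Return (user, src, duration_minutes) for sessions that logged out within
    `max_len` of logging in; the article describes 30 to 60 minute sessions."""
    logins = {}  # session id -> login event
    out = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["session"] is None:
            continue
        if e["event"] == "OK":
            logins[e["session"]] = e
        elif e["event"] == "LOGOUT" and e["session"] in logins:
            start = logins.pop(e["session"])
            dur = e["ts"] - start["ts"]
            if dur <= max_len:
                out.append((e["user"], e["src"], int(dur.total_seconds() // 60)))
    return out


def triage(log_text):
    """Run both detections and return their findings keyed by name."""
    events = parse(log_text)
    return {
        "brute_force_then_success": find_brute_force_then_success(events),
        "short_sessions": find_short_sessions(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name, findings)
```

On the constructed input, `jdoe` from `203.0.113.7` is flagged by both detections (five failures in under a minute before the success, then a 41-minute session), while `asmith`'s nine-hour session is not. The two signals are deliberately kept separate: a brute-force-then-success alone is worth a look, and a short session on its own is common, but the combination on one user and source is what the article's timeline shows. Real deployments should also correlate the VPN source with subsequent internal authentication events (the credential-reuse tests and RDP logons the article mentions), which this example does not cover.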
