A suspected zero day in SonicWall Secure Mobile Access (SMA) and firewall appliances is being exploited in the wild to drop Akira ransomware.
Ongoing attacks appear to bypass MFA and affect fully patched boxes.
That’s according to researchers at security companies including Huntress Labs and Arctic Wolf. The former has seen multiple incidents since July 25.
It said: "Once on the network, the attackers don't waste time. Their actions are a mix of automated scripts for speed and hands-on-keyboard activity..."
"We've seen them:
- Abuse privileged accounts: In many cases, the threat actors immediately gained administrative access by leveraging an over-privileged LDAP or service account used by the SonicWall device itself (e.g., sonicwall, LDAPAdmin).
- Establish Command and Control: For persistence, they deploy Cloudflared tunnels and OpenSSH, often staged out of C:\ProgramData. This gives them a durable backdoor into the network.
- Move laterally and steal credentials: Using their newfound privileges, they use WMI and PowerShell Remoting to move across the network. We’ve captured them running scripts to dump and decrypt credentials from Veeam Backup databases and using wbadmin.exe to back up the NTDS.dit Active Directory database for offline cracking.
- Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall.
- Deploy ransomware: The final objective appears to be ransomware. We've seen them delete Volume Shadow Copies with vssadmin.exe to prevent easy recovery right before deploying what we assess to be Akira ransomware.
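Detection logic for the TTPs Huntress lists above, as an added example that is not from the original article or from Huntress: it runs a small rule set over constructed process-creation events (the event layout, the command lines and the rule names are assumptions) and reports which of the described behaviours fired, so a defender can see the chain rather than a single noisy hit.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry);
# each tuple is (image path, command line). Values are illustrative only.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    (r"C:\Windows\System32\netsh.exe",
     "netsh.exe advfirewall set allprofiles state off"),
    (r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbadmin.exe",
     "wbadmin.exe start backup -backupTarget:D: -include:C:\\Windows\\NTDS\\ntds.dit -quiet"),
    (r"C:\ProgramData\cloudflared.exe", "cloudflared.exe tunnel run"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),  # benign control
]

# Each rule: (name, case-insensitive regex, which field it inspects).
# Names are assumed labels mapping to the behaviours described in the article.
RULES = [
    ("defender_tamper", r"set-mppreference.*-disable\w*\s+\$?true", "cmd"),
    ("firewall_disabled", r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", "cmd"),
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows", "cmd"),
    ("ntds_backup", r"wbadmin(\.exe)?.*ntds", "cmd"),
    ("tunnel_staged_in_programdata", r"^c:\\programdata\\.*(cloudflared|ssh)", "image"),
]


def match_event(image, cmd):
    """Return the names of every rule that fires on one event."""
    hits = []
    for name, pattern, field in RULES:
        target = image if field == "image" else cmd
        if re.search(pattern, target, re.IGNORECASE):
            hits.append(name)
    return hits


def scan(events):
    """Count rule hits across all events from one host."""
    counts = {}
    for image, cmd in events:
        for name in match_event(image, cmd):
            counts[name] = counts.get(name, 0) + 1
    return counts


def looks_like_chain(counts, min_rules=3):
    """True when several distinct TTPs fire together; one hit alone is weak."""
    return len(counts) >= min_rules
```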
SonicWall zero day: Disable SSLVPN pronto
SonicWall today urged customers to disable SSLVPN immediately.
Attacks appear to have primarily involved Gen 7 SonicWall firewalls (first released in late 2020) where SSLVPN is enabled, it said late Monday.
SonicWall, which has large numbers of managed service providers (MSPs) as customers (it describes itself as the “MSP and MSSP platform of choice”), said that it is investigating whether a zero day is being used in the attacks.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible [and are] Committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed” - SonicWall
Huntress, sharing IOCs and attacker TTPs on August 4, said SonicWall customers should immediately take mitigating action, including:
> "Disable your SonicWall VPN. This is the most effective way to protect your network. We strongly advise you to disable SSL VPN access on your SonicWall appliances until an official patch and guidance are released.
> "If you can't disable it, lock it down. If the VPN is business-critical, immediately restrict access to a minimal allow-list of known, trusted IP addresses. Segment the network to prevent a breach of the appliance from immediately providing access to critical servers like domain controllers.
> "Audit your service accounts. That sonicwall or LDAP user does not need to be a Domain Admin. Ever. Ensure any service accounts follow the principle of least privilege," Huntress warned today. More when we have it.