Threat actors have been brute-forcing VPN credentials and bypassing multi-factor authentication on SonicWall Gen6 SSL-VPN appliances by exploiting CVE-2024-12802, with researchers at ReliaQuest responding to multiple intrusions between February and March. The vulnerability stems from missing MFA enforcement for the UPN login format, so an attacker holding valid credentials can authenticate directly without the second factor. On Gen6 devices, installing the firmware update alone does not fully mitigate the issue; the LDAP server configuration must also be manually redone to close the loophole.
In observed intrusions, hackers gained access within 30 to 60 minutes, performed network reconnaissance, tested credential reuse on internal systems, and logged out deliberately, suggesting they are brokers selling initial access to ransomware groups. Attackers attempted to deploy Cobalt Strike beacons and vulnerable drivers for BYOVD attacks, though endpoint detection solutions blocked these efforts. ReliaQuest noted that Gen7 and Gen8 devices are fully protected by firmware updates alone, unlike Gen6 appliances.
Remediation requires deleting the existing LDAP configuration, removing cached LDAP users, removing the configured SSL VPN user domain, rebooting the firewall, recreating LDAP configuration without userPrincipalName, and creating a fresh backup. Rogue login attempts still appear as normal MFA flows in logs, but the presence of "sess=CLI" signals scripted authentication. Gen6 SSL-VPN appliances reached end-of-life on April 16 and no longer receive security updates, making migration to newer versions strongly recommended. The Akira ransomware gang previously targeted SonicWall SSL VPN devices using similar methods.
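As an added example (not code from ReliaQuest or SonicWall), a small Python check that scans SonicWall-style key=value log lines for the sess=CLI marker described above on UPN-format logins and groups the hits by source address, so that many accounts from one source stand out as the brute-force pattern; the sample lines, and every field name other than sess=, are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in SonicWall-style key=value syslog form. Field names other
# than sess= are assumptions; only the sess=CLI marker comes from the ReliaQuest finding.
SAMPLE_LOGS = """\
id=sonicwall time="2025-03-02 08:14:51" fw=203.0.113.10 pri=6 m=1080 msg="SSL VPN login successful" usr="jdoe@corp.example" src=198.51.100.7 sess="CLI"
id=sonicwall time="2025-03-02 08:14:53" fw=203.0.113.10 pri=6 m=1080 msg="SSL VPN login successful" usr="asmith@corp.example" src=198.51.100.7 sess="CLI"
id=sonicwall time="2025-03-02 08:15:10" fw=203.0.113.10 pri=6 m=1080 msg="SSL VPN login successful" usr="CORP\\bwong" src=192.0.2.44 sess="sslvpnc"
id=sonicwall time="2025-03-02 08:15:30" fw=203.0.113.10 pri=1 m=1079 msg="User login failed" usr="mlee@corp.example" src=198.51.100.7 sess="CLI"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one key=value syslog line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def find_cli_upn_logins(log_text):
    """Flag SSL-VPN auth events that carry sess=CLI together with a UPN-style
    (user@domain) username: sess=CLI is the sign of scripted authentication, and
    the UPN login format is the one for which MFA was not enforced on Gen6."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("sess") == "CLI" and "@" in ev.get("usr", ""):
            hits.append({"time": ev.get("time"), "src": ev.get("src"), "usr": ev["usr"],
                         "success": "successful" in ev.get("msg", "")})
    return hits

def users_per_source(hits):
    """Group flagged events by source IP; several distinct accounts from one source is
    the credential brute-force pattern rather than a single stolen login."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["usr"])
    return {src: sorted(users) for src, users in by_src.items()}

if __name__ == "__main__":
    hits = find_cli_upn_logins(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["time"]} src={h["src"]} usr={h["usr"]} success={h["success"]}')
    for src, users in users_per_source(hits).items():
        print(f"{src}: {len(users)} distinct accounts via sess=CLI -> {users}")
```

Successful sess=CLI logins from the same source that just failed against other accounts are the ones to treat as a likely compromised account; a browser session (the sslvpnc line above) is not flagged even though it authenticated from the same appliance.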
