SonicWall VPNs Bypassed: Incomplete Patching Leads to MFA Evasion and Ransomware Deployment
Threat actors are actively exploiting a vulnerability in **SonicWall** Gen6 SSL-VPN appliances to bypass multi-factor authentication (MFA) and deploy tools used in ransomware attacks. The issue stems from incomplete patching of **CVE-2024-12802**, requiring manual reconfiguration steps beyond just firmware updates.

Attackers are brute-forcing VPN credentials and then bypassing MFA on **SonicWall** Gen6 SSL-VPN appliances, using the resulting foothold to stage tooling commonly seen ahead of ransomware deployment.
During these intrusions, attackers typically stay logged in for 30 to 60 minutes, performing network reconnaissance and testing credential reuse against internal systems before logging out.
### The Vulnerability: CVE-2024-12802
**SonicWall** issued a security advisory for **CVE-2024-12802**, warning that simply installing the firmware update on Gen6 devices isn't enough. A manual reconfiguration of the LDAP server is *required* to fully mitigate the vulnerability. Failure to do so leaves the system vulnerable to MFA bypass.
Researchers at **ReliaQuest** responded to multiple intrusions between February and March, assessing them as "with medium confidence to be the first in-the-wild exploitation of **CVE-2024-12802**, targeting **SonicWall** devices across multiple environments."
The researchers found that even patched devices (running updated firmware) remained vulnerable because the necessary remediation steps were not completed.
On Gen7 and Gen8 devices, updating to a newer firmware version is sufficient to fully address **CVE-2024-12802**.
### Observed Exploitation Activity
**ReliaQuest** reports that in one incident, the attacker gained access to the internal network and reached a domain-joined file server in just 30 minutes. They then established a remote connection over RDP using a shared local administrator password.
The attacker attempted to deploy a **Cobalt Strike** beacon, a post-exploitation implant used for command-and-control (C2), together with a vulnerable kernel driver, most likely to disable endpoint protection via the Bring Your Own Vulnerable Driver (BYOVD) technique.
Fortunately, the installed endpoint detection and response (EDR) solution blocked both the beacon and the driver.
*[Figure: attack-chain illustration, image not reproduced] Source: ReliaQuest*
Based on the attacker's deliberate logouts and subsequent logins (sometimes using different accounts), **ReliaQuest** believes the threat actor is an initial access broker (IAB) selling access to ransomware groups.
Last year, the **Akira** ransomware gang targeted **SonicWall** SSL VPN devices and successfully logged in despite MFA being enabled. However, the exact method used in those attacks wasn't confirmed at the time.
### Addressing CVE-2024-12802: Mitigation Steps
The **CVE-2024-12802** vulnerability stems from a missing MFA enforcement for the User Principal Name (UPN) login format. This allows attackers with valid credentials to authenticate directly, bypassing MFA.
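The bug class described above, where an MFA policy is keyed on one spelling of an account name so an alternate spelling of the same account (the UPN form) never matches, can be modelled in a few lines. The following is an added illustrative example, not SonicWall code and not a description of its internals: the policy table, the `corp.example` UPN suffix and the account names are all invented for the demonstration.

```python
# Illustrative model of an MFA policy lookup that is keyed on the raw login
# string (vulnerable) versus one keyed on a canonical account name with a
# fail-closed default (fixed). Constructed example; names are invented.

# Per-account policy as an admin might define it, using the short account
# name only. A service account is deliberately exempt from MFA.
MFA_POLICY = {
    "jdoe": True,
    "asmith": True,
    "svc-backup": False,
}

# Assumed UPN suffix(es) owned by the directory this gateway authenticates to.
DOMAIN_SUFFIXES = {"corp.example"}


def requires_mfa_vulnerable(login_name):
    """Looks up the login string exactly as typed.

    'jdoe' -> True, but 'jdoe@corp.example' is not a key, and the missing
    entry is treated as 'no MFA required' (fail-open). Two defects at once:
    no normalisation, and an unsafe default."""
    return MFA_POLICY.get(login_name, False)


def canonical_account(login_name):
    """Reduce DOMAIN\\user, user@suffix and plain user to one lowercase key.

    A UPN whose suffix is not one of ours is left intact so that a foreign
    realm cannot be collapsed onto a local account name."""
    name = login_name.strip().lower()
    if "\\" in name:                              # DOMAIN\user
        name = name.split("\\", 1)[1]
    elif "@" in name:                             # user@upn.suffix
        user, _, suffix = name.rpartition("@")
        if suffix in DOMAIN_SUFFIXES:
            name = user
    return name


def requires_mfa_fixed(login_name):
    """Normalise first, then default to requiring MFA for any account that
    has no explicit exemption (fail-closed)."""
    return MFA_POLICY.get(canonical_account(login_name), True)


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@corp.example", "CORP\\jdoe", "svc-backup",
                  "nobody@corp.example", "jdoe@other.example"):
        print(f"{login:24} vulnerable={requires_mfa_vulnerable(login)!s:5} "
              f"fixed={requires_mfa_fixed(login)}")
```

The two changes are independent: normalising the identifier closes the UPN path, and the fail-closed default means that a login form nobody anticipated still lands on the MFA branch rather than silently skipping it.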
To fully mitigate the vulnerability on Gen6 **SonicWall** devices, follow these steps *after* updating to the latest firmware, as detailed in the vendor's advisory:
1. Delete the existing LDAP configuration that uses userPrincipalName in the "Qualified login name" field.
2. Remove locally cached/listed LDAP users.
3. Remove the configured SSL VPN "User Domain" (this reverts it to LocalDomain).
4. Reboot the firewall.
5. Recreate the LDAP configuration *without* userPrincipalName in "Qualified login name".
6. Create a fresh configuration backup so that an older backup cannot later restore the vulnerable LDAP configuration.
**ReliaQuest** has high confidence that the attacker gained initial access by exploiting **CVE-2024-12802** across multiple sectors and geographies.
According to **ReliaQuest**, the rogue logins appeared in the appliance logs as ordinary, completed MFA flows, so a defender reviewing authentication events alone would see nothing amiss. The key indicator is `sess="CLI"` in the login record, which points to scripted or automated VPN authentication rather than an interactive browser session. Administrators should actively monitor for this value.
Other indicators worth correlating include event IDs 238 and 1080 and VPN logins originating from VPS or commercial VPN infrastructure that the organisation's users would not normally connect from.
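The indicators above are easy to turn into a first-pass hunt over exported appliance logs. The following is an added example, not from ReliaQuest or SonicWall: it parses a handful of constructed log lines in a key=value syslog layout (the field names `m`, `usr`, `src` and `sess` are assumed for the illustration and should be mapped to the real export format), flags logins carrying `sess="CLI"` or a UPN-style user name, and tallies the source addresses so that a single VPS cycling through several accounts stands out.

```python
import re
from collections import Counter

# Constructed sample lines in a key=value syslog layout. Field names and
# message text are assumed for illustration; addresses are documentation ranges.
SAMPLE_LOGS = """\
time="2025-03-01 02:14:07" pri=6 m=238 msg="SSL VPN zone remote user login allowed" usr="corp\\jdoe" src=198.51.100.23 sess="Web"
time="2025-03-01 02:15:41" pri=6 m=238 msg="SSL VPN zone remote user login allowed" usr="jdoe@corp.example" src=192.0.2.77 sess="CLI"
time="2025-03-01 02:16:02" pri=6 m=1080 msg="SSL VPN login" usr="asmith@corp.example" src=192.0.2.77 sess="CLI"
time="2025-03-01 02:40:19" pri=6 m=238 msg="SSL VPN zone remote user login allowed" usr="corp\\bwhite" src=198.51.100.50 sess="Web"
time="2025-03-01 02:41:00" pri=6 m=97 msg="Web site access" usr="corp\\bwhite" src=198.51.100.50 sess="Web"
"""

# Event IDs the article names as login-related signals.
LOGIN_EVENT_IDS = {"238", "1080"}

# key=value or key="quoted value" tokens; quoted values may contain escapes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def flag_logins(log_text):
    """Return login events that carry either indicator: a CLI session or a
    UPN-style (user@suffix) login name. Each hit records which fired."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("m") not in LOGIN_EVENT_IDS:
            continue
        reasons = []
        if f.get("sess") == "CLI":
            reasons.append("sess=CLI")
        if "@" in f.get("usr", ""):
            reasons.append("upn-login")
        if reasons:
            hits.append({"time": f.get("time"), "user": f.get("usr"),
                         "src": f.get("src"), "event": f.get("m"),
                         "reasons": reasons})
    return hits


def sources_by_count(hits):
    """Count flagged logins per source address; one address with several
    accounts is the pattern described for the initial access broker."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    flagged = flag_logins(SAMPLE_LOGS)
    for h in flagged:
        print(f'{h["time"]} event={h["event"]} user={h["user"]} '
              f'src={h["src"]} reasons={",".join(h["reasons"])}')
    for src, n in sources_by_count(flagged).most_common():
        print(f"{src}: {n} flagged login(s)")
```

On the constructed input the two CLI logins from 192.0.2.77 are flagged on both indicators, while the browser logins with DOMAIN\user names are not. In practice the UPN check should be tuned to the organisation's own suffixes, since some deployments legitimately log in with UPNs.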
Given that Gen6 SSL-VPN appliances reached end-of-life on April 16, 2024, and no longer receive security updates, migrating to actively supported versions is strongly recommended.