Research Saturday 8.30.25
Ep 391 | 8.30.25

Cracks in the wall.

Transcript

[ Music ]

DAVID BITTNER: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]


JAMIE LEVY: So we started to notice that there was an uptick in incidents that involved SonicWall devices. It actually started probably, like, a week or so before Arctic Wolf came out with their research.


DAVID BITTNER: That's Jamie Levy, Director of Adversary Tactics at Huntress. The research we're discussing today is titled "Active Exploitation of SonicWall VPNs." [ Music ]


JAMIE LEVY: So as we started to notice that we had more and more incidents, we started to dig into it and then we saw their research come out and then we realized that, yes, it was probably a part of what was going on there.


DAVID BITTNER: Yeah, it's funny how that can happen sometimes, right? Somebody is independently on the same path, and you might not know it at the time.


JAMIE LEVY: Correct.


DAVID BITTNER: Yeah, so what tipped you off that this was not a routine vulnerability report but there was something more active and urgent?


JAMIE LEVY: Well, we started to notice that there were a lot of incidents involving SonicWall devices. And so, it looked as if maybe there was some kind of vulnerability involved, just because we started to get so many more of these incidents involving that, and then other people were saying that they had it. And, you know, we were talking to other researchers and other companies, and they were talking about how they had a lot of incidents involving this. And so, we knew something was up with that, and it was also -- we figured out that it was pretty much the same group. A lot of times, these were ending up with Akira ransomware. And so, since it was the same types of exploitation, we figured out that this group knew about this exploit and was leveraging it pretty heavily.


DAVID BITTNER: I see. Well, for our listeners who may not be deeply technical, can you explain to us what exactly this SonicWall VPN vulnerability is all about?


JAMIE LEVY: Yeah. So this particular vulnerability, the thing that was actually the biggest problem with it was that people had upgraded from a Generation Six SonicWall device to Generation Seven, and they kept the same configs, and unfortunately, when they did this, it left their credentials still exposed. And so, the attackers realized that they could leverage this and gain access, even though they thought that they were fully patched.


DAVID BITTNER: Oh, that's interesting. So, well, once the attackers had access, what were they able to do inside the compromised network?


JAMIE LEVY: So at that point, they would often gain access to other machines on the inside, so that could be credential stuffing or reused passwords. Basically, they would gain access to various machines and then steal credentials on that side, do lateral movement, do exfiltration of data, and then, ultimately, they would deploy ransomware at the end. But, yeah, pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that.


DAVID BITTNER: In terms of their targeting, does it strike you that it's opportunistic, or were they really focusing on certain industries or organizations?


JAMIE LEVY: It seemed to be all over the place. I mean, we saw all different industries being hit. So I think it was opportunistic, but I feel like it really ramped up even more after people were aware that this was happening. I mean, we saw blips of it. Like, once we knew what was going on, we went back and looked at previous incidents, and we could see that there were incidents even as far back as May that seemed to fit the same pattern, but it wasn't nearly as often. But as soon as Arctic Wolf's research went out, all of a sudden, it was just like everything was on fire. Everybody was getting hit by this, and I don't know if it's just probably the attackers realized, like, there's maybe a moment, you know, where they're going to lose this type of access. And so, they just really started to ramp up.


DAVID BITTNER: Right. The clock is ticking, so let's get while the getting's good. Interesting. [ Music ] We'll be right back. [ Music ] Well, in terms of scale and scope here, I mean, how widespread do you believe this is?


JAMIE LEVY: That's a good question. So I feel like people still don't have like a good handle on this because we're still seeing incidents involving SonicWall devices, and we did have one customer who came, and they were hit with a SonicWall vulnerability. But they said that their device did not fit this criteria. It wasn't a Gen Six to Gen Seven up roll. It basically was a device that I think it was a Fortinet device that had that they had installed Gen Seven and SonicWall on, and it still got popped. And so, there are some questions about whether or not this vulnerability actually is what this underlying cause is.


DAVID BITTNER: Yeah. Is there any geographic concentration or are they going after folks in a certain part of the world or does it seem, all around, is a global issue?


JAMIE LEVY: I believe it's a global issue, but if you just kind of scan to see, like, where most of these SonicWall devices are, I mean, overwhelmingly, they're in the United States area, right, the North American area just by default. But yeah, I mean, like as far as our customer base, like, we've seen them from all over getting popped.


DAVID BITTNER: I see. Now, did you all coordinate with SonicWall in terms of getting the vulnerability confirmed?


JAMIE LEVY: Yes, we did. We were in contact with them, and it -- basically, we were trying to figure out what were the logs that we should pull? Was there anything else? We were also trying to help them figure out what the problem was, because, initially, they weren't really sure. They did seem to think that it was CVE-2024-4766. They weren't really sure at the moment, and that was back when we spoke with them on Monday of last week, August 4th. So one of the things that they had told us to do is if we had any more of these incidents come up to take a core dump, and then, we could hand that off to them to get an idea of what was actually happening. So it seems that the logs were a little bit lacking, but the core dumps were -- they basically had, like, the moment of truth and that could actually help figure out what the problem was.


DAVID BITTNER: I see, and so where do we stand today? Have there been patches issued?


JAMIE LEVY: I think it's really just that they've given advice of making sure that you don't have the old configs. If you had updated from Gen Six to Gen Seven and to rotate creds, and if you're really unsure, just try to keep the device offline. But yeah, like, as far as I know, they haven't issued another patch for this.


DAVID BITTNER: I see.


JAMIE LEVY: Yeah.


DAVID BITTNER: Yeah. From a higher level, I mean, is it accurate to say that VPN appliances make attractive targets for attackers?


JAMIE LEVY: Oh, yeah. I mean, it seems very much so. I mean, it's not equal. Devices are not the only ones that we see getting hit by attackers. So just about every VPN device is basically ripe for the picking. It makes sense because once they gain access there, then they can gain access to things that are internal much easier.


DAVID BITTNER: Yeah. Well, what are your recommendations then for organizations to better protect themselves against this sort of thing?


JAMIE LEVY: I mean, attack surface reduction as much as you can, making sure that you're up to date, using MFA, turning off -- or turning on like the brute force protection, all of that as much as you can, just to try to reduce that attack surface.


DAVID BITTNER: And I suppose it's fair to say that we can expect VPNs to still have a target on their backs in the near future.


JAMIE LEVY: Yeah, definitely. [ Music ]


DAVID BITTNER: Our thanks to Jamie Levy from Huntress for joining us. The research is titled "Active Exploitation of SonicWall VPNs." We'll have a link in the show notes. And that's Research Saturday brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this month. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tré Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]