Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks.
During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out.
SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.
Researchers at cybersecurity company ReliaQuest responded to multiple intrusions between February and March, and assessed “with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments.”
The researchers noted that, in the environments they investigated, the devices appeared to be patched because they were running the updated firmware, yet they remained vulnerable because the required remediation steps had not been completed.
On Gen7 and Gen8 devices, simply updating to a newer firmware version is enough to fully remove the risk from exploiting CVE-2024-12802.
Exploitation activity
ReliaQuest says that in one incident, the hacker gained access to the internal network and reached a domain-joined file server in as little as half an hour. Then they established a remote connection over RDP using a shared local administrator password.
The researchers found that the attacker tried to deploy a Cobalt Strike beacon, a post-exploitation framework for command-and-control (C2) communication, and a vulnerable driver, likely to disable endpoint protection using the Bring Your Own Vulnerable Driver (BYOVD) technique.
However, the installed endpoint detection and response (EDR) solution blocked the beacon and the loading of the driver.
.jpg)
Source: ReliaQuest
Based on the deliberate log out action and logging in again days later, sometimes using different accounts, the researchers believe that the threat actor is a broker selling initial access to threat groups.
Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled on accounts, but the method was not confirmed.
Addressing CVE-2024-12802
The CVE-2024-12802 vulnerability is caused by a missing MFA enforcement for the UPN login format, allowing an attacker with valid credentials to authenticate directly and bypass the MFA requirement.
Gen6 SonicWall devices must be updated with the latest firmware, and then follow the remediation steps detailed in the vendor’s advisory:
- Delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field
- Remove locally cached/listed LDAP users
- Remove the configured SSL VPN “User Domain” (reverts to LocalDomain)
- Reboot the firewall
- Recreate the LDAP configuration without userPrincipalName in “Qualified login name”
- Create a fresh backup to avoid restoring the vulnerable LDAP configuration later
The researchers have high confidence that the threat actor behind the analyzed intrusions gained initial access by exploiting the CVE-2024-12802 vulnerability “across multiple sectors and geographies.”
According to ReliaQuest, the rogue login attempts observed in the investigated incidents still appeared as a normal MFA flow in logs, leading defenders to believe that MFA worked even when it failed.
The researchers say that the sess=”CLI” signal is a key indicator of these attacks, which suggests scripted or automated VPN authentication, and recommends that administrators look for it.
Other strong signals are event IDs 238 and 1080, and VPN logins from suspicious VPS/VPN infrastructure.
Given that Gen6 SSL-VPN appliances have reached end-of-life this year on April 16, and no longer receive security updates, it is generally recommended to move to more recent, actively supported versions.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
