Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation activity including enumeration, detection evasion, lateral movement, and credential theft. Attackers quickly gain administrative access, establish command and control, move laterally, disable defenses, and deploy Akira ransomware. The threat actors combine automated scripts with hands-on activity, abusing privileged accounts and using a range of tools for persistence and data exfiltration. Immediate action is advised: disable SonicWall VPN access or restrict it severely, audit service accounts, and hunt for malicious activity using the provided indicators of compromise.

Author: AlienVault

Related Tags: T1021.006, mfa bypass, lateral movement, T1070.001, T1021.002, Zero-Day, VPN, Akira, T1059.001

Associated Indicators: