Threat actors guessed VPN passwords and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances, then deployed tooling used in ransomware attacks.
During each intrusion, the attacker spent 30 to 60 minutes logged in: authenticating to the VPN, surveying the network, testing previously obtained passwords against internal systems, and then logging out.
SonicWall said in its security advisory for CVE-2024-12802 that installing the firmware update on Gen6 devices alone does not fully remediate the issue; the LDAP server configuration must also be changed manually. If it is not, MFA protection can still be bypassed.
Researchers at the security company ReliaQuest responded to several intrusions between February and March. They assess, with some confidence, that these were the first in-the-wild uses of CVE-2024-12802, affecting SonicWall devices in a range of environments.
In the environments they examined, the researchers saw devices that appeared patched because they ran the new firmware but remained vulnerable because the required manual configuration changes had not been applied.
On Gen7 and Gen8 devices, updating to a newer firmware version is sufficient to fully remove the risk of CVE-2024-12802 exploitation.
Exploitation activity
ReliaQuest reports that in one case the attacker reached the internal network and accessed a file server within thirty minutes, then established a remote connection using a shared local administrator password.
The researchers found that the attacker attempted to deploy a Cobalt Strike beacon, a post-exploitation command-and-control tool, and also dropped a vulnerable driver that could be used to disable endpoint protection via the Bring Your Own Vulnerable Driver (BYOVD) technique.
The endpoint detection and response (EDR) system blocked both the beacon and the driver from loading.
The researchers assess that the actor behind the attacks is an access broker, based on the pattern of logging out and returning days later, sometimes with different accounts.
Addressing CVE-2024-12802
The CVE-2024-12802 vulnerability arises because MFA is not enforced for UPN (userPrincipalName) logins, so an attacker holding valid credentials can log in directly and skip the MFA check.
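As an added illustration, not code from the article, ReliaQuest or SonicWall, the following Python sketch shows two defender-side checks built on the behaviour described above: SSL-VPN logins in UPN form that were never challenged for MFA, and source addresses that come back on different days with different accounts for 30 to 60 minute sessions. The log format, field names and sample lines are constructed for this example and are not SonicWall's real syslog format; map the fields to your own VPN or identity-provider logs.

```python
"""Detection sketch for UPN logins without MFA and short-session account rotation.

The line format below is CONSTRUCTED for this example (hypothetical), not
SonicWall's real log format:
    <ISO-8601 ts> <login|logout> user=<name> src=<ip> mfa=<yes|no|n/a>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one source IP returns three days later with a
# different UPN-form account, each session roughly 30-60 minutes, no MFA.
SAMPLE_LOG = """\
2025-02-10T08:01:12Z login user=j.doe@corp.example src=203.0.113.7 mfa=no
2025-02-10T08:42:30Z logout user=j.doe@corp.example src=203.0.113.7 mfa=n/a
2025-02-10T09:00:05Z login user=CORP\\a.smith src=198.51.100.4 mfa=yes
2025-02-10T17:00:05Z logout user=CORP\\a.smith src=198.51.100.4 mfa=n/a
2025-02-13T22:15:00Z login user=svc.backup@corp.example src=203.0.113.7 mfa=no
2025-02-13T23:05:00Z logout user=svc.backup@corp.example src=203.0.113.7 mfa=n/a
"""

LINE_RE = re.compile(r"^(\S+) (login|logout) user=(\S+) src=(\S+) mfa=(\S+)$")


@dataclass
class Event:
    ts: datetime
    kind: str   # "login" or "logout"
    user: str
    src: str
    mfa: str    # "yes", "no" or "n/a"


def parse_log(text):
    """Parse the constructed log format into Event records; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def is_upn(user):
    """UPN logins look like user@domain rather than DOMAIN\\user."""
    return "@" in user


def find_upn_logins_without_mfa(events):
    """Check 1: UPN-form logins that recorded no MFA challenge."""
    return [(e.ts, e.user, e.src)
            for e in events
            if e.kind == "login" and is_upn(e.user) and e.mfa == "no"]


def build_sessions(events):
    """Pair each login with the next logout for the same (user, src)."""
    open_logins = {}
    sessions = []  # (src, user, start, duration)
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.src)
        if e.kind == "login":
            open_logins[key] = e.ts
        elif e.kind == "logout" and key in open_logins:
            start = open_logins.pop(key)
            sessions.append((e.src, e.user, start, e.ts - start))
    return sessions


def find_short_session_account_rotation(events, min_minutes=30, max_minutes=60):
    """Check 2: a source IP with 30-60 minute sessions under at least two
    different accounts on at least two different days."""
    by_src = {}
    for src, user, start, dur in build_sessions(events):
        if timedelta(minutes=min_minutes) <= dur <= timedelta(minutes=max_minutes):
            by_src.setdefault(src, []).append((user, start))
    hits = {}
    for src, sess in by_src.items():
        users = {u for u, _ in sess}
        days = {s.date() for _, s in sess}
        if len(users) >= 2 and len(days) >= 2:
            hits[src] = sorted(users)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_upn_logins_without_mfa(evs):
        print("UPN login without MFA:", hit)
    for src, users in find_short_session_account_rotation(evs).items():
        print("short-session account rotation from", src, "->", users)
```

Check 1 is the direct signal for the mechanism the article describes; check 2 is weaker on its own (legitimate users also have short sessions) and is meant to raise the priority of a source address that already tripped check 1 or that appears in VPN logs after the Gen6 remediation steps should have been completed.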
Gen6 SonicWall devices need the latest firmware update, followed by the remediation steps given in the vendor’s advisory:
Delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field
Remove locally cached/listed LDAP users
Remove the configured SSL VPN “User Domain” (reverts to LocalDomain)
Reboot the firewall
Recreate the LDAP configuration without userPrincipalName in “Qualified login name”
Create a fresh backup to avoid restoring the vulnerable LDAP configuration later
The researchers have high confidence that the threat actor behind the analyzed intrusions gained initial access by exploiting the CVE-2024-12802 vulnerability “across multiple sectors and geographies.”
