Active Exploitation of SonicWall VPNs

MITRE Techniques

• [T1003] Credential Dumping – Attackers dumped and decrypted credentials from Veeam Backup databases and backed up NTDS.dit for offline cracking (“using wbadmin.exe to back up the NTDS.dit Active Directory database”).
• [T1078] Valid Accounts – Attackers gained administrative access by abusing over-privileged LDAP or SonicWall service accounts (“leveraging an over-privileged LDAP or service account used by the SonicWall device”).
• [T1083] File and Directory Discovery – Enumeration of network and domain information was conducted using tools like Advanced_IP_Scanner and nltest (“Used Advanced_IP_Scanner, nltest.exe to enumerate accounts and trusted domains”).
• [T1112] Modify Registry – Persistence was established by adding registry keys for new user accounts (“reg.exe add … SpecialAccountsUserList”).
• [T1140] Deobfuscate/Decode Files or Information – Attackers used scripts and tools to decrypt stolen credentials (“running scripts to dump and decrypt credentials”).
• [T1185] Man-in-the-Middle – Command and Control established through Cloudflared tunnels and OpenSSH (“deploy Cloudflared tunnels and OpenSSH, often staged out of C:ProgramData”).
• [T1499] Endpoint Denial of Service – Disabling defenses by turning off Microsoft Defender and Windows Firewall with Set-MpPreference and netsh.exe (“using Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall”).
• [T1562] Impair Defenses – Before ransomware deployment, multiple security controls were disabled (“methodically disable security tools before deploying ransomware”).
• [T1486] Data Encrypted for Impact – Deployment of Akira ransomware after deleting volume shadow copies (“Vssadmin.exe delete shadows /all /quiet” and “deploying what we assess to be Akira ransomware”).