Threat actors brute-forced SonicWall Gen6 SSL-VPN credentials, bypassed MFA via CVE-2024-12802, and used the resulting access for reconnaissance and to stage ransomware-related tooling. ReliaQuest assessed that the intrusions were likely the work of an access broker, while SonicWall said that on Gen6 devices a firmware update alone is not enough to fully fix the issue. #SonicWall #CVE-2024-12802 #ReliaQuest #CobaltStrike #Akira
Keypoints
- Attackers bypassed MFA on SonicWall Gen6 SSL-VPN appliances using CVE-2024-12802.
- Intrusions typically lasted 30 to 60 minutes and included reconnaissance and credential testing.
- ReliaQuest assessed the activity as the first in-the-wild exploitation of CVE-2024-12802.
- SonicWall Gen6 devices need a manual LDAP remediation step in addition to the firmware update to fully fix the flaw.
- The attacker attempted to deploy Cobalt Strike and a vulnerable driver (the bring-your-own-vulnerable-driver pattern), but EDR blocked both.
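The pattern the key points describe, a burst of failed SSL-VPN logins from one source followed by a successful login from that same source, is cheap to detect at the edge and is worth alerting on regardless of whether MFA was expected to stop it. The following is an added example, not code from the original article, ReliaQuest, or SonicWall: a sliding-window detector over constructed, vendor-neutral `timestamp src_ip username outcome` log lines. The log format, thresholds, and sample events are assumptions for illustration; map your appliance's real authentication log fields onto the tuple before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not SonicWall's real format): vendor-neutral
# "timestamp src_ip username outcome" lines.  203.0.113.7 fails across four
# accounts and then authenticates as jsmith; 198.51.100.2 is a user mistyping
# a password twice; 192.0.2.9 hammers one account and never gets in.
SAMPLE_LOG = """\
2025-01-10T08:00:01 203.0.113.7 jsmith fail
2025-01-10T08:00:09 203.0.113.7 jsmith fail
2025-01-10T08:00:17 203.0.113.7 admin fail
2025-01-10T08:00:25 203.0.113.7 admin fail
2025-01-10T08:00:33 203.0.113.7 mlee fail
2025-01-10T08:00:41 203.0.113.7 mlee fail
2025-01-10T08:00:49 203.0.113.7 svc_backup fail
2025-01-10T08:00:57 203.0.113.7 svc_backup fail
2025-01-10T08:01:05 203.0.113.7 jsmith fail
2025-01-10T08:01:13 203.0.113.7 jsmith fail
2025-01-10T08:02:30 203.0.113.7 jsmith success
2025-01-10T08:03:00 198.51.100.2 rjones fail
2025-01-10T08:03:20 198.51.100.2 rjones fail
2025-01-10T08:03:40 198.51.100.2 rjones success
2025-01-10T09:15:00 192.0.2.9 admin fail
2025-01-10T09:15:30 192.0.2.9 admin fail
2025-01-10T09:16:00 192.0.2.9 admin fail
2025-01-10T09:16:30 192.0.2.9 admin fail
2025-01-10T09:17:00 192.0.2.9 admin fail
2025-01-10T09:17:30 192.0.2.9 admin fail
2025-01-10T09:18:00 192.0.2.9 admin fail
2025-01-10T09:18:30 192.0.2.9 admin fail
2025-01-10T09:19:00 192.0.2.9 admin fail
2025-01-10T09:19:30 192.0.2.9 admin fail
"""


def parse_events(text):
    """Turn log lines into (timestamp, src_ip, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, fail_threshold=8, window=timedelta(minutes=10)):
    """Sliding-window detector keyed on source IP.

    Emits a 'brute_force' finding when a source's failure count inside the
    window reaches fail_threshold, and a 'brute_force_then_success' finding
    when a source with that many recent failures then authenticates.  The
    second pattern is the high-signal one on an edge device: a valid session
    issued to an IP that was just guessing passwords deserves a page whether
    or not MFA was supposed to stop it.
    """
    recent_failures = defaultdict(list)  # src_ip -> [(timestamp, user), ...] inside the window
    findings = []
    for ts, src, user, outcome in events:
        # Drop failures that have aged out of the window for this source.
        recent = [f for f in recent_failures[src] if ts - f[0] <= window]
        recent_failures[src] = recent
        if outcome == "fail":
            recent.append((ts, user))
            if len(recent) == fail_threshold:  # alert when the count reaches the threshold, not on every later failure
                findings.append({
                    "kind": "brute_force", "src": src, "at": ts,
                    "users": sorted({u for _, u in recent}),
                })
        elif outcome == "success" and len(recent) >= fail_threshold:
            findings.append({
                "kind": "brute_force_then_success", "src": src, "at": ts,
                "user": user, "failures_before_success": len(recent),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this yields three findings: a brute-force alert for 203.0.113.7 spread across four accounts, the follow-on success for `jsmith` from that same source, and a brute-force-only alert for 192.0.2.9; the two mistypes from 198.51.100.2 stay below the threshold. Tune `fail_threshold` and `window` to your appliance's normal failure rate, and key the window on source IP rather than username so password spraying across many accounts is not split into sub-threshold slices.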