Cracks in the wall. [Research Saturday]
Aug 30, 2025
Jamie Levy, Director of Adversary Tactics at Huntress, unveils alarming details about the active exploitation of SonicWall VPNs. She discusses how attackers bypass MFA and pivot to domain controllers, deploying Akira ransomware. The chat covers techniques like credential theft and using legitimate drivers for attacks, highlighting the urgent need for organizations to restrict VPN access and hunt for indicators of compromise. Levy emphasizes that cybersecurity is a collaborative effort, with research communities playing a crucial role in combating these evolving threats.
AI Snips
Spike In SonicWall Incidents Led To Ransomware
- Huntress noticed an uptick in incidents involving SonicWall devices and linked them to the same attacker group.
- Many of these incidents culminated in Akira ransomware deployments after internal lateral movement and credential theft.
Upgrades Can Leave Dangerous Legacy Configs
- Upgrading from Gen 6 to Gen 7 while carrying over the old configuration left credentials exposed, even though the device appeared fully patched.
- Attackers exploited this leftover configuration to gain access to networks whose operators believed they were protected.
Scope Is Bigger Than The Known Patch Pattern
- The full scope remains unclear because new incidents keep appearing and some victims don't match the Gen 6 to Gen 7 upgrade pattern.
- This suggests either multiple exploitation vectors or incomplete visibility into the attacks.