Full Report
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [...]
Analysis Summary
# Incident Report: MFA Bypass on SonicWall Gen6 SSL-VPN (CVE-2024-12802)
## Executive Summary
Threat actors leveraged a vulnerability (CVE-2024-12802) in SonicWall Gen6 SSL-VPN appliances to bypass Multi-Factor Authentication (MFA) via brute-forced credentials. Despite target organizations having patched firmware, the vulnerability remained exploitable because specific manual LDAP reconfiguration steps were overlooked. The attacks, likely conducted by an Initial Access Broker (IAB), aimed to deploy ransomware tools such as Cobalt Strike but were largely mitigated by EDR solutions.
## Incident Details
- **Discovery Date:** February - March 2026 (Investigation window)
- **Incident Date:** Repeated intrusions throughout early 2026
- **Affected Organization:** Multiple undisclosed organizations
- **Sector:** Cross-sector (including File Services)
- **Geography:** Global / Multiple Geographies
## Timeline of Events
### Initial Access
- **Date/Time:** Variable; intrusions occurred between Feb-Mar 2026.
- **Vector:** Brute-force of VPN credentials paired with an MFA bypass vulnerability (CVE-2024-12802).
- **Details:** Attackers exploited the User Principal Name (UPN) login format, which lacked MFA enforcement, allowing direct authentication with valid credentials.
### Lateral Movement
- **Movement:** Upon gaining VPN access, attackers targeted domain-joined file servers.
- **Protocol:** Remote Desktop Protocol (RDP).
- **Credentials:** Used shared local administrator passwords (credential reuse).
### Data Exfiltration/Impact
- **Status:** Potential ransomware precursors.
- **Actions:** Attempted deployment of Cobalt Strike and malicious drivers; however, these were blocked by security controls before data exfiltration occurred.
### Detection & Response
- **Discovery:** ReliaQuest researchers identified intrusions across multiple client environments.
- **Response:** EDR (Endpoint Detection and Response) solutions identified and blocked the execution of post-exploitation tools (Cobalt Strike beacons and BYOVD drivers).
## Attack Methodology
- **Initial Access:** Brute-forcing VPN credentials and exploiting CVE-2024-12802 (MFA Bypass).
- **Persistence:** Logging in periodically with different accounts over several days.
- **Privilege Escalation:** Use of shared local administrator accounts.
- **Defense Evasion:** Use of Bring Your Own Vulnerable Driver (BYOVD) to attempt to disable security software.
- **Credential Access:** Credential brute-forcing and local admin credential reuse.
- **Discovery:** Internal network reconnaissance (30–60 minute sessions).
- **Lateral Movement:** RDP to internal file servers.
- **Collection:** Targeting domain-joined file storage.
- **Exfiltration:** N/A (Blocked).
- **Impact:** Failed ransomware deployment (blocked by EDR).
## Impact Assessment
- **Financial:** Minimal direct loss reported; investigative and remediation costs incurred.
- **Data Breach:** No confirmed data exfiltration in reported cases.
- **Operational:** Minimal disruption, though vulnerable devices required reboots and reconfiguration.
- **Reputational:** Potential impact on SonicWall regarding Gen6 security lifecycle.
## Indicators of Compromise
- **Network indicators:** VPN logins originating from suspicious VPS/VPN infrastructure.
- **File indicators:** Cobalt Strike beacon payloads; unauthorized drivers.
- **Behavioral indicators:**
  - Log signal `sess="CLI"` (indicating scripted/automated VPN authentication).
  - SonicWall Event IDs **238** and **1080**.
  - VPN logs showing MFA success even when MFA was bypassed.
## Response Actions
- **Containment:** Blocking malicious IPs; resetting compromised account passwords.
- **Eradication:** Removing locally cached LDAP users and deleting vulnerable LDAP configurations.
- **Recovery:** Applying firmware updates and performing manual LDAP remediation (deletion of UPN qualified login names and rebooting).
## Lessons Learned
- **Key Takeaway:** Patching firmware is not always sufficient; vendor-specific manual remediation steps (the "Validation Gap") are critical for full mitigation.
- **Visibility:** Standard logs can be deceiving; the logs recorded MFA as successful when it had in fact been bypassed. Defenders must look for more granular signals such as the CLI session indicator.
## Recommendations
- **Remediation:** Immediately follow the 6-step SonicWall advisory for Gen6 devices, including the deletion of LDAP configurations using `userPrincipalName` and performing a device reboot.
- **Lifecycle Management:** Upgrade Gen6 SSL-VPN appliances to Gen7 or Gen8 models, as Gen6 reached End-of-Life (EOL) on April 16, 2026.
- **Hardening:** Disable/change shared local administrator passwords across the environment to prevent lateral movement via RDP.
- **Monitoring:** Set up alerts for VPN authentication logs containing the `sess="CLI"` string.
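The behavioral indicators and the monitoring recommendation above can be turned into a small detection pass over VPN syslog. The following is an added example, not code from the report or from SonicWall; the key=value field names (`m=` for event ID, `usr=`, `src=`, `sess=`) and the sample lines are constructed assumptions, while the signals it keys on (`sess="CLI"`, event IDs 238 and 1080, UPN-format usernames, several accounts from one source) come from the report.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed SonicWall-style key=value syslog layout.
# Field names are assumptions for this example; only the signals are from the report.
SAMPLE_LOGS = [
    'id=sslvpn time="2026-02-14 03:12:07" pri=6 m=238 msg="User login successful" usr="jdoe@corp.example" src=203.0.113.10 sess="CLI"',
    'id=sslvpn time="2026-02-14 03:13:41" pri=6 m=1080 msg="SSLVPN session started" usr="jdoe@corp.example" src=203.0.113.10 sess="CLI"',
    'id=sslvpn time="2026-02-14 09:02:15" pri=6 m=238 msg="User login successful" usr="asmith" src=198.51.100.7 sess="Web"',
    'id=sslvpn time="2026-02-15 02:55:30" pri=6 m=238 msg="User login successful" usr="mlee@corp.example" src=203.0.113.10 sess="CLI"',
]

SUSPECT_EVENT_IDS = {"238", "1080"}          # event IDs called out in the report
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """Split one key=value syslog line into a dict, stripping surrounding quotes."""
    record = {}
    for key, raw, quoted in KV_RE.findall(line):
        record[key] = quoted if raw.startswith('"') else raw
    return record


def is_cli_auth_signal(rec):
    """True when a flagged event ID carries the scripted-session marker sess="CLI"."""
    return rec.get("sess") == "CLI" and rec.get("m") in SUSPECT_EVENT_IDS


def is_upn_login(rec):
    """True when the username is in UPN form (user@domain), the format that lacked MFA."""
    return "@" in rec.get("usr", "")


def find_suspect_logins(lines):
    """Return parsed records that match the CLI-session indicator."""
    return [rec for rec in map(parse_line, lines) if is_cli_auth_signal(rec)]


def users_per_source(records):
    """Distinct accounts per source IP; several accounts from one IP matches the
    rotating-account persistence pattern described in the report."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec.get("src")].add(rec.get("usr"))
    return {src: sorted(users) for src, users in seen.items()}


if __name__ == "__main__":
    hits = find_suspect_logins(SAMPLE_LOGS)
    for rec in hits:
        print(f'{rec["time"]} m={rec["m"]} usr={rec["usr"]} src={rec["src"]} upn={is_upn_login(rec)}')
    print(users_per_source(hits))
```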