CyberWire Daily | Research Saturday
Episode Title: "Cracks in the wall."
Date: August 30, 2025
Host: Dave Bittner
Guest: Jamie Levy (Director of Adversary Tactics, Huntress)
Episode Focus: Active exploitation of SonicWall VPN vulnerabilities, threat actor tactics, and recommendations for organizational defense.
Episode Overview
On this Research Saturday, Dave Bittner speaks with Jamie Levy from Huntress about a wave of security incidents involving SonicWall VPN appliances. The conversation centers on the discovery, exploitation, and impact of a significant SonicWall VPN vulnerability—particularly in the context of recent ransomware campaigns. Key technical concepts, detection challenges, and actionable defenses for listeners are discussed in a way that's accessible to both technical and non-technical audiences.
Key Discussion Points & Insights
1. Discovery of Increased Attacks on SonicWall Devices
- Initial Observations:
  - Jamie Levy recounts the early signs of a problem:
    "We started to notice that there was an uptick in incidents that involved SonicWall devices." [02:02]
  - The Huntress team observed a wave of incidents, paralleling recent research by Arctic Wolf.
- Community Collaboration:
  - Similar anomalies reported by multiple organizations highlighted widespread exploitation:
    "Other people were saying that they had it, and we were talking to other researchers and other companies and they were talking about how they had a lot of incidents involving this." [03:02]
  - Association with the Akira ransomware group was a key linkage across cases.
2. The Vulnerability and Its Roots
- Technical Explanation:
  - The core issue arose when organizations upgraded from Gen 6 to Gen 7 SonicWall devices but retained old configurations:
    "It left their credentials still exposed. And so the attackers realized that they could leverage this and gain access, even though they thought they were fully patched." – Jamie Levy [04:08]
- Post-compromise Activity:
  - Attackers used exposed credentials to move laterally, steal further credentials, exfiltrate data, and deploy ransomware:
    "Pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that." [04:50]
3. Scale, Scope, and Attack Philosophy
- Targeting Style:
  - Attacks were broad and opportunistic:
    "We saw all different industries being hit, so I think it was opportunistic." [05:39]
  - Incidents spiked dramatically after Arctic Wolf published its research—suggesting attackers raced to exploit vulnerable systems before defenses were shored up:
    "As soon as Arctic Wolf's research went out ... everything was on fire. Everybody was getting hit by this." [05:39]
- Geographical Spread:
  - While globally distributed, the highest concentration of affected devices was in North America:
    "Overwhelmingly they're in the United States area ... but yeah, as far as our customer base, like we've seen them from all over getting popped." [09:02]
4. Coordinating with SonicWall & Uncertainties
- Vendor Interaction:
  - Huntress worked directly with SonicWall for confirmation and remediation development.
  - Early on, there was uncertainty over which vulnerability was being exploited—suspicions centered on CVE-2024-766:
    "We were in contact with them ... they did seem to think that it was CVE-2024-766. They weren't really sure at the moment." [09:31]
- Diagnostics:
  - Core dumps (not just logs) were essential for identifying the nature of exploitation.
  - Some edge cases complicated understanding—devices outside typical upgrade paths still showed signs of compromise.
5. Current Status and Vendor Response
- Remediation Guidance:
  - No new patch had been released as of recording.
  - Users are advised to:
    - Not reuse old configurations when upgrading
    - Rotate credentials
    - Remove devices from the network if uncertain
    "They've given advice of making sure that you don't have the old configs if you had updated from Gen 6 to Gen 7, and to rotate creds, and if you're really unsure, just to try to keep the device offline." [10:33]
6. Broader Lessons: VPNs as Lucrative Targets
- Why VPNs?
  - VPN appliances are a prime target for attackers due to their privileged position in networks:
    "Just about every VPN device is basically ripe for the picking. Makes sense. 'Cause once they gain access there, then they can gain access to things that are internal." [11:05]
- Recommended Defenses:
  - Minimize attack surface (expose fewer services)
  - Stay current with patches and updates
  - Employ multi-factor authentication (MFA)
  - Enable brute-force mitigation and monitoring
  "Attack surface reduction as much as you can, making sure that you're up to date, using MFA, turning off or turning on the brute force protection, all of that, as much as you can, just to try to reduce that attack surface." – Jamie Levy [11:33]
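The two defensive points that recur in this episode, rotating any credential that was carried over from the old configuration and watching for brute-force activity against the VPN, can be turned into a small audit. The following is an added example written for this summary; it is not code from Huntress, SonicWall, or the episode. The log line format, the account inventory, the migration date and the sample events are all constructed and hypothetical (they are not SonicWall's real log schema), so the functions would need adapting to a real appliance's export.

```python
"""Added example (not from the episode, Huntress or SonicWall): audit an account
inventory for credentials carried over from an old appliance config without
rotation, and scan VPN auth logs for brute-force bursts. Log format, accounts
and dates are constructed for this example, not a real appliance schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed generic line format (hypothetical, not a real appliance format):
#   <ISO timestamp> vpn auth <ok|fail> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one ordinary login, then a burst of failures against a
# service account followed by a success from the same source, plus a junk line.
SAMPLE_LOGS = """\
2025-08-01T10:00:00 vpn auth fail user=jsmith src=203.0.113.5
2025-08-01T10:00:30 vpn auth ok user=jsmith src=203.0.113.5
2025-08-01T10:05:00 vpn auth fail user=backup-svc src=198.51.100.7
2025-08-01T10:05:20 vpn auth fail user=backup-svc src=198.51.100.7
2025-08-01T10:05:40 vpn auth fail user=backup-svc src=198.51.100.7
2025-08-01T10:06:00 vpn auth fail user=backup-svc src=198.51.100.7
2025-08-01T10:06:20 vpn auth fail user=backup-svc src=198.51.100.7
2025-08-01T10:06:40 vpn auth ok user=backup-svc src=198.51.100.7
garbage line that does not match the format
"""

# Assumed date on which the old (Gen 6 style) config was imported into the new unit.
MIGRATION_DATE = datetime(2025, 7, 15)

# Constructed account inventory: last credential rotation and MFA enrolment.
ACCOUNTS = {
    "jsmith": {"rotated": datetime(2025, 7, 20), "mfa": True},
    "backup-svc": {"rotated": datetime(2024, 3, 1), "mfa": False},
    "contractor": {"rotated": datetime(2025, 1, 5), "mfa": False},
}


def parse_logs(text):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def stale_accounts(accounts, migration_date):
    """Accounts whose credential predates the config migration: the carried-over
    secrets the episode says must be rotated before the device goes back online."""
    return sorted(u for u, a in accounts.items() if a["rotated"] <= migration_date)


def accounts_without_mfa(accounts):
    """Accounts not enrolled in MFA, sorted for stable reporting."""
    return sorted(u for u, a in accounts.items() if not a["mfa"])


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside any `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]].append(e["ts"])
    flagged = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def risky_logins(events, accounts, migration_date):
    """Successful logins by stale or MFA-less accounts, with reasons, so an
    analyst knows which sessions to triage first."""
    stale = set(stale_accounts(accounts, migration_date))
    no_mfa = set(accounts_without_mfa(accounts))
    out = []
    for e in events:
        if e["result"] != "ok":
            continue
        reasons = []
        if e["user"] in stale:
            reasons.append("stale-credential")
        if e["user"] in no_mfa:
            reasons.append("no-mfa")
        if reasons:
            out.append((e["ts"].isoformat(), e["user"], e["src"], reasons))
    return out


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("rotate before re-exposing:", stale_accounts(ACCOUNTS, MIGRATION_DATE))
    print("no MFA:", accounts_without_mfa(ACCOUNTS))
    print("brute-force sources:", brute_force_sources(evs))
    for row in risky_logins(evs, ACCOUNTS, MIGRATION_DATE):
        print("triage:", row)
```

On the constructed sample the audit flags the two accounts whose credentials predate the migration, the one source address that hammered the service account, and the single successful login that deserves immediate triage. The threshold and window are deliberately parameters: a real deployment would tune them to the appliance's own brute-force protection settings rather than rely on these defaults.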
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:02 | Jamie Levy | "We started to notice that there was an uptick in incidents that involved SonicWall devices." |
| 03:02 | Jamie Levy | "Other people were saying that they had it, and we were talking to other researchers and other companies ... we knew something was up with that." |
| 04:08 | Jamie Levy | "It left their credentials still exposed. And so the attackers realized that they could leverage this and gain access, even though they thought they were fully patched." |
| 04:50 | Jamie Levy | "Pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that." |
| 05:39 | Jamie Levy | "We saw all different industries being hit, so I think it was opportunistic." |
| 09:02 | Jamie Levy | "Overwhelmingly they're in the United States area ... we've seen them from all over getting popped." |
| 11:05 | Jamie Levy | "Just about every VPN device is basically ripe for the picking. Makes sense. 'Cause once they gain access there, then they can gain access to things that are internal." |
| 11:33 | Jamie Levy | "Attack surface reduction as much as you can, making sure that you're up to date, using MFA ... just to try to reduce that attack surface." |
| 11:59 | Jamie Levy | "Yeah, definitely." (on whether VPNs will continue to be targeted) |
Timeline of Important Segments
- [02:02] – Introduction to the uptick in SonicWall-related incidents
- [03:02] – Confirmation of similar incidents by other researchers; possible ransomware involvement
- [04:08] – Technical explanation of the configuration vulnerability
- [04:50] – Attackers’ methods after gaining access
- [05:39] – Assessment of targeting (opportunistic vs. focused)
- [09:02] – Geographic distribution and prevalence
- [09:31] – Coordination with SonicWall and diagnostic process
- [10:33] – Vendor remediation advice and current patch status
- [11:05] – The broader risk landscape for VPNs
- [11:33] – Defensive recommendations for organizations
Tone and Style
The episode maintains an informative, approachable tone, translating technical details into accessible explanations. Jamie Levy’s commentary is candid and pragmatic, emphasizing clear lessons and takeaways for technical teams and cybersecurity leaders alike.
Summary Takeaways
- Recent, active exploitation of SonicWall VPNs stemmed from configuration issues during device upgrades, leading to credential exposure.
- The attacks were primarily opportunistic and spanned multiple industries, with notable acceleration following public disclosure.
- Huntress and other security companies coordinated with SonicWall to diagnose issues, but as of the conversation, only interim mitigation—not new patches—had been released.
- VPN appliances overall remain a favorite attack vector; organizations need to rigorously control configurations, apply multi-factor authentication, and minimize exposure.
- The window between vulnerability disclosure and mass exploitation remains perilously short—underscoring the need for rapid, proactive defenses.