Announcer
You're listening to the Cyberwire network.
Dave Bittner
Powered by N2K, the DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVrising.com to secure your spot. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.IO to see how leading teams are transforming their GRC programs. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Jamie Levy
So we started to notice that there was an uptick in incidents that involved SonicWall devices. It actually started probably like a week or so before Arctic Wolf came out with their research.
Dave Bittner
That's Jamie Levy, Director of Adversary Tactics at Huntress. The research we're discussing today is titled "Active Exploitation of SonicWall VPNs."
Jamie Levy
So as we started to notice that we had more and more incidents, we started to dig into it and then we saw their research come out and then we realized that, yes, it was probably a part of what was going on there.
Dave Bittner
Yeah, it's funny how that can happen sometimes, right? Somebody is independently on the same path and you might not know it at the time. Correct? Yeah. So what tipped you off that this was not a routine vulnerability report, but there was something more active and urgent?
Jamie Levy
Well, we started to notice that there were a lot of incidents involving SonicWall devices. And so it looked as if maybe there was some kind of vulnerability involved, just because we started to get so many more of these incidents involving that. And then other people were saying that they had it, and we were talking to other researchers and other companies, and they were talking about how they had a lot of incidents involving this. And so we knew something was up with that. And it was also, we figured out that it was pretty much the same group. A lot of times these were ending up with Akira ransomware, and so since it was the same types of exploitation, we figured out that this group knew about this exploit and was leveraging it pretty heavily.
Dave Bittner
I see. Well, for our listeners who may not be deeply technical, can you explain to us what exactly this SonicWall VPN vulnerability is all about?
Jamie Levy
Yeah. So this particular vulnerability, the thing that was actually the biggest problem with it was that people had upgraded from a generation six SonicWall device to a generation seven, and they kept the same configs. And unfortunately, when they did this, it left their credentials still exposed. And so the attackers realized that they could leverage this and gain access, even though they thought that they were fully patched.
Dave Bittner
Oh, that's interesting. So once the attackers had access, what were they able to do inside the compromised network?
Jamie Levy
So at that point, they would often gain access to other machines on the inside. So that could be credential stuffing or reused passwords. Basically, they would gain access to various machines and then steal credentials on that side, do lateral movement, do exfiltration of data, and then ultimately they would deploy ransomware at the end. But, yeah, pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that.
Dave Bittner
In terms of their targeting, does it strike you that it's opportunistic, or were they really focusing on certain industries or organizations?
Jamie Levy
It seemed to be all over the place. I mean, we saw all different industries being hit, so I think it was opportunistic. But I feel like it really ramped up even more after people were aware that this was happening. I mean, we saw glimpses of it. Like, once we knew what was going on, we went back and looked at previous incidents, and we could see that there were incidents even as far back as May that seemed to fit the same pattern, but it wasn't nearly as often. But as soon as Arctic Wolf's research went out, all of a sudden it was just like everything was on fire. Everybody was getting hit by this. And I don't know if it's just probably the attackers realize, like, there's maybe a moment, you know, where they're going to lose this type of access, and so they just really started to ramp up.
Dave Bittner
Right. The clock is ticking, so get while the getting's good. Interesting. We'll be right back. Race the rudders, race the sails, race the sails. Captain, an unidentified ship is approaching. Roger. Wait, is that an enterprise sales solution?
Commercial Voice
Reach sales professionals, not professional sailors. With LinkedIn ads, you can target the right people by industry, job title, and more. We'll even give you a $100 credit on your next campaign. Get started today at LinkedIn.com results. Terms and conditions apply.
Announcer
Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See ford.com/bluecruise for more details.
Dave Bittner
In terms of scale and scope here, I mean, how widespread do you believe this is?
Jamie Levy
That's a good question. So I feel like people still don't have like a good handle on this, because we're still seeing incidents involving SonicWall devices, and we did have one customer who came and they were hit, but with a SonicWall vulnerability. But they said that their device did not fit this criteria. It wasn't a Gen 6 to Gen 7 upgrade. It basically was a device that, I think it was a Fortinet device, that they had installed Gen 7 SonicWall on, and it still got popped. And so there are some questions about whether or not this vulnerability actually is what this underlying cause is.
Dave Bittner
Yeah. Is there any geographic concentration, or are they going after folks in a certain part of the world, or does it seem, all around, to be a global issue?
Jamie Levy
I believe it's a global issue, but if you just kind of scan to see like where most of these SonicWall devices are, I mean overwhelmingly they're in the United States area. Right. North American area. Just by default. But yeah, I mean, like as far as our customer base, like we've seen them from all over getting popped.
Dave Bittner
I see. Now did you all coordinate with SonicWall in terms of getting the vulnerability confirmed?
Jamie Levy
Yes, we did. We were in contact with them, and basically we were trying to figure out what were the logs that we should pull. Was there anything else? We were also trying to help them figure out what the problem was, because initially they weren't really sure. They did seem to think that it was CVE2024766. They weren't really sure at the moment, and that was back when we spoke with them on Monday of last week, August 4th. So one of the things that they had told us to do is, if we had any more of these incidents come up, to take a core dump and then we could hand that off to them to get an idea of what was actually happening. So it seemed that the logs were a little bit lacking, but the core dumps basically had like the moment of truth in them that could actually help figure out what the problem was.
Dave Bittner
I see. And so where do we stand today? Have there been patches issued?
Jamie Levy
I think it's really just that they've given advice of making sure that you don't have the old configs if you had updated from Gen 6 to Gen 7, and to rotate creds, and if you're really unsure, just to try to keep the device offline. But yeah, like as far as I know, they haven't issued another patch for this.
Dave Bittner
I see.
Jamie Levy
Yeah.
Dave Bittner
Yeah. From a higher level, I mean, is it accurate to say that VPN appliances make attractive targets for attackers?
Jamie Levy
Oh, yeah. I mean, it seems very much so. I mean, SonicWall devices are not the only ones that we see getting hit by attackers. So just about every VPN device is basically ripe for the picking. Makes sense. 'Cause once they gain access there, then they can gain access to things that are internal much easier.
Dave Bittner
Yeah. What are your recommendations then, for organizations to better protect themselves against this sort of thing?
Jamie Levy
I mean, attack surface reduction as much as you can, making sure that you're up to date, using MFA, turning off or turning on like the brute force protection, all of that, as much as you can, just to try to reduce that attack surface.
Dave Bittner
And I suppose it's fair to say that we can expect VPNs to still have a target on their backs in the near future.
Jamie Levy
Yeah, definitely.
Dave Bittner
Our thanks to Jamie Levy from Huntress for joining us. The research is titled "Active Exploitation of SonicWall VPNs." We'll have a link in the show notes, and that's Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this month. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Commercial Voice
New season, new chaos in college football.
Dave Bittner
Big stage, big opportunity.
Commercial Voice
This Labor Day weekend, wildness lives on ABC, ESPN and the all new ESPN app.
Dave Bittner
What a way to start.
Commercial Voice
Featuring top 10 teams like Clemson, Notre Dame, Alabama and LSU. And Bill Belichick's debut at North Carolina.
Dave Bittner
It's so special.
Commercial Voice
These teams collide. Don't miss a lineup filled with electric matchups. Welcome back to College Football Kickoff Week, presented by Modelo, Labor Day Weekend on ESPN and ABC. Also available to stream on the all-new ESPN app.
Date: August 30, 2025
Host: Dave Bittner
Guest: Jamie Levy (Director of Adversary Tactics, Huntress)
Episode Focus: Active exploitation of SonicWall VPN vulnerabilities, threat actor tactics, and recommendations for organizational defense.
On this Research Saturday, Dave Bittner speaks with Jamie Levy from Huntress about a wave of security incidents involving SonicWall VPN appliances. The conversation centers on the discovery, exploitation, and impact of a significant SonicWall VPN vulnerability—particularly in the context of recent ransomware campaigns. Key technical concepts, detection challenges, and actionable defenses for listeners are discussed in a way that's accessible to both technical and non-technical audiences.
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:02 | Jamie Levy | "We started to notice that there was an uptick in incidents that involved SonicWall devices." |
| 03:02 | Jamie Levy | "Other people were saying that they had it, and we were talking to other researchers and other companies ... we knew something was up with that." |
| 04:08 | Jamie Levy | "It left their credentials still exposed. And so the attackers realized that they could leverage this and gain access, even though they thought they were fully patched." |
| 04:50 | Jamie Levy | "Pretty much they just came in, grabbed everything as quickly as they could, and then deployed ransomware as quickly as they could after that." |
| 05:39 | Jamie Levy | "We saw all different industries being hit, so I think it was opportunistic." |
| 09:02 | Jamie Levy | "Overwhelmingly they're in the United States area ... we've seen them from all over getting popped." |
| 11:05 | Jamie Levy | "Just about every VPN device is basically ripe for the picking. Makes sense. 'Cause once they gain access there, then they can gain access to things that are internal." |
| 11:33 | Jamie Levy | "Attack surface reduction as much as you can, making sure that you're up to date, using MFA ... just to try to reduce that attack surface." |
| 11:59 | Jamie Levy | "Yeah, definitely." (on whether VPNs will continue to be targeted) |
The episode maintains an informative, approachable tone, translating technical details into accessible explanations. Jamie Levy’s commentary is candid and pragmatic, emphasizing clear lessons and takeaways for technical teams and cybersecurity leaders alike.