TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Active Exploitation of SonicWall VPNs

2025-08-13

ATT&CK techniques detected

17 predictions
T1486 · Data Encrypted for Impact
98%
"cracking. - Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall. - Deploy ransomware: The final objectiv…"
T1068 · Exploitation for Privilege Escalation
97%
"Active Exploitation of SonicWall VPNs. Update #4: 8/13/25 @ 5pm ET: Updated to note the use of the -dellog argument in Akira attacks as a way to clear event logs (see “Akira ransomware invocation” section); updated IOC table with additional hashes.…"
T1190 · Exploit Public-Facing Application
96%
"high-severity incidents originating from SonicWall seventh-generation firewall appliances. This isn't isolated. We're seeing this alongside our peers at Arctic Wolf and other security firms. The speed and success of these attacks — even against environments with MFA enabl…"
T1059.001 · PowerShell
94%
"\System32\SystemSettingsAdminFlows.exe" Defender DisableEnhancedNotifications 1 netsh advfirewall firewall add rule name="Allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd…"
T1059.001 · PowerShell
93%
", in order to impair investigations: powershell.exe -ep bypass -command "Get-WinEvent -ListLog * | Where { $_.RecordCount } | ForEach-Object -Process { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) }" What yo…"
T1190 · Exploit Public-Facing Application
88%
"Your port may differ if you've changed the settings of your device. Meanwhile, SonicWall has released a security advisory about the threat activity. The advisory was updated on August 6 to include new mitigation steps and to clarify that seventh-generation and newer SonicWall…"
T1219 · Remote Access Tools
76%
"Exfiltration. The most interesting of the following commands is the WinRAR execution. This command was executed on six different machines with identical command lines, with the only difference being the source or target drives in some cases: "C:\Program Files\WinRAR\WinRA…"
T1059.001 · PowerShell
66%
"Windows\System32\ping.exe" 192.168.xx.xxx "C:\Windows\System32\nltest.exe" /dclist: "C:\Users\[redacted]\Documents\Advanced_Port_Scanner_2.5.3869.exe" Install-WindowsFeature RSAT-AD-PowerShell Get-ADComputer -Filter * -Property…"
T1059.001 · PowerShell
50%
"the following evasive and lateral movement techniques: Credential harvesting: cmd.exe /q /c copy \"C:\Users\[redacted]\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Windows\Temp\1753954887.8450267" "C:\Windows\System32\…"
T1490 · Inhibit System Recovery
50%
"one of these incidents, on July 25, we detected an intrusion where activity originated from a SonicWall device. Here, the threat actor carried out a number of malicious activities, attempting to delete volume shadow copies via WMI (powershell.exe -command "Get-WmiObject Win…"
T1003.003 · NTDS
48%
", lateral movement, and credential theft. Post-exploitation: a well-worn path. Once on the network, the attackers don't waste time. Their actions are a mix of automated scripts for speed and hands-on-keyboard activity for precision. We've seen them: - Abuse privilege…"
T1003 · OS Credential Dumping
44%
"as well as installing various persistence mechanisms like new accounts, SSH, or full-blown RMMs like AnyDesk. Figure 1: Visualization of timeline of attacks. We will try to break down various parts of each of the attacks we’ve seen so far by category in no particular order. C…"
T1078.002 · Domain Accounts
35%
", lateral movement, and credential theft. Post-exploitation: a well-worn path. Once on the network, the attackers don't waste time. Their actions are a mix of automated scripts for speed and hands-on-keyboard activity for precision. We've seen them: - Abuse privilege…"
T1490 · Inhibit System Recovery
35%
"cracking. - Disable defenses: Before deploying ransomware, they methodically disable security tools. This includes using built-in Windows tools like Set-MpPreference to neuter Microsoft Defender and netsh.exe to disable the firewall. - Deploy ransomware: The final objectiv…"
T1486 · Data Encrypted for Impact
34%
"\System32\SystemSettingsAdminFlows.exe" Defender DisableEnhancedNotifications 1 netsh advfirewall firewall add rule name="Allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd…"
T1584.008 · Network Devices
33%
"high-severity incidents originating from SonicWall seventh-generation firewall appliances. This isn't isolated. We're seeing this alongside our peers at Arctic Wolf and other security firms. The speed and success of these attacks — even against environments with MFA enabl…"
T1584.008 · Network Devices
32%
"official guidance and is urging customers (who have imported configurations from Gen 6 to newer firewalls) to: - Update firmware to version 7.3.0 - Reset all local user account passwords for accounts with SSL VPN access. Huntress recommends that impacted organizations rotate …"

Summary

A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing threat actors pivot directly to domain controllers within hours of the initial breach.