Particle.news

Akira Breaks Into MFA-Protected SonicWall VPNs in Ongoing Access Campaign

Researchers attribute the logins to reused credentials, likely including stolen OTP seeds from an earlier SonicWall flaw.

Overview

  • A fresh Arctic Wolf report details dozens of recent incidents with successful SSL VPN logins on accounts using OTP MFA, including some devices running recommended SonicOS 7.3 builds.
  • Initial access frequently comes from VPS hosting providers, with automated, rapidly repeated login attempts observed across multiple accounts from the same client IP.
  • After entry, affiliates scan the network within minutes, use Impacket SMB and RDP, enumerate Active Directory, and target Veeam servers to extract stored credentials, often reaching encryption in under four hours.
  • Evasion tactics include a BYOVD technique abusing Microsoft's consent.exe to load vulnerable drivers that disable endpoint protection, plus the repurposing of Datto RMM and existing backup agents to execute commands covertly.
  • Defenders are urged to reset all SSL VPN and LDAP/AD synchronization credentials, install current SonicWall firmware, restrict logins from hosting-related ASNs, and monitor for Impacket-style SMB activity and early discovery behavior.
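A defender-side check for the login pattern in the second bullet (one source IP trying many accounts in quick succession, sometimes ending in a success), written here as an added example that is not part of the report or of any SonicWall tooling; the log layout, field names, user names and IP addresses are constructed for illustration and the regex must be adapted to the appliance's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed, simplified syslog-like layout (not
# real SonicOS output); adapt LINE_RE to the appliance's actual log fields.
SAMPLE_LOGS = """\
2025-10-10T02:14:01Z vpn-login user="j.doe" src=203.0.113.45 result=fail
2025-10-10T02:14:03Z vpn-login user="a.smith" src=203.0.113.45 result=fail
2025-10-10T02:14:05Z vpn-login user="svc-backup" src=203.0.113.45 result=fail
2025-10-10T02:14:08Z vpn-login user="m.jones" src=203.0.113.45 result=success
2025-10-10T02:20:00Z vpn-login user="k.lee" src=198.51.100.7 result=fail
2025-10-10T02:21:30Z vpn-login user="k.lee" src=198.51.100.7 result=success
2025-10-10T03:05:00Z vpn-login user="p.wong" src=192.0.2.9 result=fail
2025-10-10T03:40:00Z vpn-login user="r.ahmed" src=192.0.2.9 result=fail
2025-10-10T03:55:00Z vpn-login user="t.chan" src=192.0.2.9 result=fail
""".splitlines()
LINE_RE = re.compile(r'^(?P<ts>\S+) vpn-login user="(?P<user>[^"]+)" src=(?P<ip>\S+) result=(?P<result>\w+)$')

def parse_events(lines):
    """(timestamp, src_ip, user, success) tuples sorted by time; non-matching lines are skipped."""
    events = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines)):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return sorted(events)

def find_spray_sources(events, window_seconds=300, min_accounts=3):
    """Flag source IPs that try >= min_accounts distinct accounts within any
    window_seconds interval; a lone user retrying, or attempts too spread out
    to fit the window, are not flagged. Successes are the logins to investigate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in by_ip.items():  # already time-ordered
        for i, (start, _, _) in enumerate(attempts):
            users = {u for t, u, _ in attempts[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_accounts:
                findings[ip] = {"accounts": sorted({u for _, u, _ in attempts}),
                                "successes": sorted({u for _, u, ok in attempts if ok})}
                break
    return findings

if __name__ == "__main__":
    for ip, info in find_spray_sources(parse_events(SAMPLE_LOGS)).items():
        print(f"{ip}: tried {info['accounts']}, succeeded as {info['successes']}")
```

On the sample data only 203.0.113.45 is flagged: the single retrying user on 198.51.100.7 is benign by this rule, and 192.0.2.9 only trips the detector when the window is widened to an hour, which is the tuning trade-off between catching slow sprays and tolerating a shared office egress address.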