Akira Campaign Bypasses OTP on SonicWall VPNs, Accelerating Ransomware Intrusions

Researchers say reused credentials plus likely stolen OTP seeds let intruders regain VPN access despite patches.

Overview

  • Arctic Wolf reports dozens of recent incidents where SonicWall SSL VPN logins succeeded on accounts with OTP-based MFA, often after multiple challenges that indicate automated attempts.
  • The ongoing activity is tied to CVE-2024-40766, with attackers reusing credentials harvested before remediation; SonicWall has urged full VPN credential resets and upgrades to current SonicOS releases.
  • Post-access actions begin within minutes, with internal scanning, Impacket SMB session setup, RDP logins, and Active Directory enumeration, alongside a focus on Veeam backup systems to extract stored credentials.
  • Affiliates use Bring-Your-Own-Vulnerable-Driver tactics by abusing consent.exe to sideload DLLs that load vulnerable drivers such as rwdrv.sys and churchill_driver.sys to disable endpoint protections.
  • Defenders are advised to monitor for VPN logins from hosting-provider ASNs, block VPS and risky geographies, watch for Impacket SMB activity, and note that some intrusions leveraged installed tools like Datto RMM to blend in.
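The monitoring advice above (repeated OTP challenges before a success, and VPN logins from hosting-provider ASNs) can be turned into a simple triage check. The following is an added example written for this summary, not code from Arctic Wolf, SonicWall or any vendor; the log line format, the sample records and the hosting ASN list are all constructed for illustration, and a real deployment would feed it SonicOS SSL VPN authentication events enriched with ASN data from its own source.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified, hypothetical key=value format.
# They are not real SonicOS output; adapt parse_line() to your actual export.
SAMPLE_LOGS = [
    "2025-10-01T08:00:01Z user=jdoe src=203.0.113.10 asn=AS64500 event=OTP_CHALLENGE",
    "2025-10-01T08:00:05Z user=jdoe src=203.0.113.10 asn=AS64500 event=OTP_CHALLENGE",
    "2025-10-01T08:00:09Z user=jdoe src=203.0.113.10 asn=AS64500 event=OTP_CHALLENGE",
    "2025-10-01T08:00:12Z user=jdoe src=203.0.113.10 asn=AS64500 event=LOGIN_SUCCESS",
    "2025-10-01T09:15:00Z user=asmith src=198.51.100.7 asn=AS64511 event=OTP_CHALLENGE",
    "2025-10-01T09:15:20Z user=asmith src=198.51.100.7 asn=AS64511 event=LOGIN_SUCCESS",
]

# Assumed set of ASNs belonging to hosting/VPS providers (placeholder values from the
# documentation ASN range). Populate this from your own IP/ASN enrichment source.
HOSTING_ASNS = {"AS64500"}

# More than this many OTP challenges before a success on the same (user, source)
# pair is treated as a sign of automated OTP attempts.
OTP_CHALLENGE_THRESHOLD = 2

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) asn=(?P<asn>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_logins(lines, hosting_asns=HOSTING_ASNS, threshold=OTP_CHALLENGE_THRESHOLD):
    """Return a list of successful VPN logins that merit review.

    A login is flagged when the same user/source pair saw more than `threshold`
    OTP challenges immediately before the success, and/or when the source ASN is
    in the hosting-provider set. The challenge counter resets after each success.
    """
    challenges = Counter()  # (user, src) -> OTP challenges seen since last success
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        key = (rec["user"], rec["src"])
        if rec["event"] == "OTP_CHALLENGE":
            challenges[key] += 1
        elif rec["event"] == "LOGIN_SUCCESS":
            reasons = []
            if challenges[key] > threshold:
                reasons.append(f"{challenges[key]} OTP challenges before success")
            if rec["asn"] in hosting_asns:
                reasons.append(f"source ASN {rec['asn']} is a hosting provider")
            if reasons:
                findings.append({
                    "ts": rec["ts"],
                    "user": rec["user"],
                    "src": rec["src"],
                    "asn": rec["asn"],
                    "reasons": reasons,
                })
            challenges[key] = 0
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGS):
        print(f"{f['ts']} {f['user']}@{f['src']} ({f['asn']}): " + "; ".join(f["reasons"]))
```

On the constructed sample, only the `jdoe` login is flagged, on both grounds; the `asmith` login saw a single challenge from a non-hosting ASN and passes. Flagged logins are a starting point for review, not a verdict: confirm with the credential-reset and upgrade status of the account and device, and with the post-access indicators listed above (internal scanning, Impacket SMB sessions, RDP, AD enumeration).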