Hello and welcome to the Thursday, May 1st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, in Diaries today we have Guy talking about possible exploits for a SonicWall vulnerability. The vulnerability is older. We haven't seen a ton of exploitation for this vulnerability in the past. But all of a sudden we see a huge rise in scans for related endpoints. Now, these endpoints are then also related to login. So it's possible that this could also just be a brute force attack. If you're looking at the frequency of these scans, we had here on the 25th 1.5 million scans for this particular config domains URL. But similar numbers were then also seen for other URLs, in particular the logon URL. And that's kind of what suggests that this may actually be a brute force attack. If anybody has any more details and is more familiar with the API here for a SonicWall, it would be interesting to get some insight on this. I did try to find some public documentation, but couldn't really find a good sort of detailed documentation of the different endpoints, and how they could, for example, be used for a brute force attack. But as usual, make sure your edge devices are properly patched and configured, in particular with strong passwords.

And ESET security published an interesting blog post about some malware. They actually did discover it quite a while ago, but now they're writing it up. It does use IPv6 in order to gain a machine in the middle position. This malware was mostly targeting China. It was distributed as a Chinese input method plugin for Windows systems. So that's basically how they initially infected the system. Once a system was infected, that system then sent out router advertisements. In IPv6, these router advertisements, well, you can see them as DHCP-Lite. They tell you what IP address to use. They also tell you, or optionally tell you, what recursive DNS server to use. And that's where this attack gets interesting. So this recursive DNS server is now added to the particular victim's system. Next time they're trying to do a DNS lookup, there's a good chance they're trying to use that IPv6 address, which then the fake router that is on the original sort of first infected host, that particular system, is now responding to these DNS requests, essentially spoofing the IPv6 address being used here for DNS. Apparently, the final outcome here is that this particular attack is returning false responses for hostnames related to updates of software. So with that, the attacker is then able to load a malicious update into the victim's system. This is a tricky attack, and there is no sort of great defense here. You could completely disable IPv6. Remember, by default on most operating systems, IPv6 is enabled. It doesn't do really anything until you have a router like this actually assigning you globally routable IPv6 addresses. But what you should definitely do is monitor for a sudden IPv6 use like this. What makes this particular attack a little bit more visible than maybe others is that they're using an IPv6 prefix set aside for documentation. 2001:db8, that particular IPv6 prefix is not used in real networks. It's meant for examples, for documentation. So that makes it in some ways a little bit more noisy. But if you're not watching for IPv6 traffic in the first place, well, you're going to miss this.

And then we have an interesting Microsoft feature that turns, well, into somewhat of a security problem. And that's credential caching. When you are connecting to a system via RDP, you may be able to do so using the old password even if you changed your password. The problem that Microsoft tried to solve here is to not lock out the user. So if you're losing access to cloud credentials and such due to network instability, for example, you still have the ability to fall back to credentials that were last used with the system. In this case, these cached credentials may be credentials from before you last updated your password. This is, of course, a problem if you update your password in response to a breach or something like this: that RDP access still remains viable to the attacker using the old credentials. Interesting problem. Definitely something, if you're using Windows, if you're using RDP to access your systems, that you probably should read up on and look into various ways to either detect or prevent this. The other problem is that there is sort of no real good logging of this particular activity. So it's hard to identify that someone is using cached or outdated credentials.

Well, and that's it for today. Thanks for listening and thanks for recommending this podcast. Thanks for liking it. Thanks for leaving good reviews with your favorite podcast platform. If you have any feedback, please let me know, in particular if I missed a story, should have covered something that I didn't, or spent too much time on something else. Thanks and talk to you again tomorrow. Bye.
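As an added example (not part of the podcast or of ESET's write-up), the following Python parses an IPv6 Router Advertisement's options and flags any RDNSS (recursive DNS server) entry that falls inside the 2001:db8::/32 documentation prefix, the kind of check a defender could run over captured ICMPv6 traffic to spot the rogue-router behaviour described above. The option layout follows RFC 4861 and RFC 8106; the sample packet is constructed here and its checksum is left at zero because the parser does not validate it.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25  # RFC 8106 Recursive DNS Server option
DOCUMENTATION_PREFIX = ipaddress.IPv6Network("2001:db8::/32")  # RFC 3849, never routed


def parse_ra_options(icmpv6_payload: bytes):
    """Yield (option_type, option_body) for each TLV option in a Router Advertisement."""
    if len(icmpv6_payload) < 16 or icmpv6_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    offset = 16  # fixed RA header: type, code, checksum, hop limit, flags, lifetime, timers
    while offset + 2 <= len(icmpv6_payload):
        opt_type, opt_len = icmpv6_payload[offset], icmpv6_payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 forbids it
        end = offset + opt_len * 8  # length is in units of 8 octets, header included
        if end > len(icmpv6_payload):
            raise ValueError("truncated option")
        yield opt_type, icmpv6_payload[offset + 2:end]
        offset = end


def rdnss_servers(icmpv6_payload: bytes):
    """Return every DNS server address advertised via RDNSS options."""
    servers = []
    for opt_type, body in parse_ra_options(icmpv6_payload):
        if opt_type != OPT_RDNSS:
            continue
        # body layout: 2 reserved bytes, 4-byte lifetime, then 16-byte addresses
        for i in range(6, len(body) - 15, 16):
            servers.append(ipaddress.IPv6Address(body[i:i + 16]))
    return servers


def suspicious_rdnss(icmpv6_payload: bytes):
    """DNS servers no legitimate router would hand out: inside the documentation prefix."""
    return [s for s in rdnss_servers(icmpv6_payload) if s in DOCUMENTATION_PREFIX]


def build_ra(dns_servers):
    """Construct a minimal RA carrying one RDNSS option (test input, checksum left zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in dns_servers)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 3600) + addrs
    return header + rdnss


SAMPLE_RA = build_ra(["2001:db8::53"])  # constructed rogue RA, not a real capture

if __name__ == "__main__":
    print("flagged RDNSS servers:", [str(s) for s in suspicious_rdnss(SAMPLE_RA)])
```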