SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9432.mp3

Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016
For the last week, scans for SonicWall API “login” and “domain” endpoints have skyrocketed. These requests may be attempts to exploit an older vulnerability (CVE-2021-20016) or simply credential brute-forcing against the login endpoint.
https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906

The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks
ESET published an article detailing an IPv6-based attack they have observed. A compromised host sends rogue router advertisements that add a fake recursive DNS server to victims' configurations; that server then returns attacker-controlled IP addresses for hostnames used by software update mechanisms, so the victim downloads malware instead of a legitimate update.
https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
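The router advertisement abuse summarized above, as an added example (not ESET's code or anything from the podcast): a small Python parser for ICMPv6 Router Advertisements that extracts the Prefix Information and RDNSS options and flags what a defender would alert on, namely an advertised prefix or resolver inside the documentation range 2001:db8::/32 and any resolver that is not on an allowlist. The packet bytes, prefixes and resolver addresses are constructed for the example; in practice the payload would come from captured ICMPv6 traffic.

```python
import ipaddress
import struct

# ICMPv6 / NDP constants (RFC 4861) and the RDNSS option (RFC 8106)
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25
# Range reserved for documentation (RFC 3849); it should never be
# advertised on a real network, which is what makes the rogue RAs noisy.
DOCUMENTATION_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement.

    Returns the router lifetime plus every advertised prefix (Prefix
    Information option) and every recursive DNS server (RDNSS option).
    """
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    _, _, _, hop_limit, _, router_lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "router_lifetime": router_lifetime,
          "prefixes": [], "rdnss": []}
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_units = payload[offset], payload[offset + 1]
        if opt_units == 0:
            raise ValueError("option with zero length")  # RFC 4861: discard the packet
        opt = payload[offset:offset + opt_units * 8]
        if len(opt) != opt_units * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_units == 4:
            prefix_len = opt[2]
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append(ipaddress.IPv6Network((prefix, prefix_len), strict=False))
        elif opt_type == OPT_RDNSS and opt_units >= 3 and opt_units % 2 == 1:
            lifetime = struct.unpack("!I", opt[4:8])[0]
            for i in range(8, opt_units * 8, 16):
                ra["rdnss"].append((ipaddress.IPv6Address(opt[i:i + 16]), lifetime))
        offset += opt_units * 8
    return ra


def suspicious_indicators(ra: dict, expected_dns=()) -> list:
    """Return human-readable findings for an RA that looks like SLAAC spoofing."""
    findings = []
    expected = {ipaddress.IPv6Address(a) for a in expected_dns}
    for net in ra["prefixes"]:
        if net.subnet_of(DOCUMENTATION_PREFIX):
            findings.append(f"advertised prefix {net} lies in 2001:db8::/32 (documentation only)")
    for addr, _lifetime in ra["rdnss"]:
        if addr in DOCUMENTATION_PREFIX:
            findings.append(f"RDNSS {addr} lies in 2001:db8::/32 (documentation only)")
        elif expected and addr not in expected:
            findings.append(f"RDNSS {addr} is not one of the expected resolvers")
    return findings


def build_sample_ra(prefix: str, dns_server: str) -> bytes:
    """Constructed RA with one Prefix Information option and one RDNSS option.

    Hypothetical test input only; the ICMPv6 checksum field is left at zero.
    """
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    # PIO: type, length (4 x 8 bytes), prefix length, L|A flags, valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    # RDNSS: type, length (3 x 8 bytes), reserved, lifetime, one resolver address
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns_server).packed
    return header + pio + rdnss


if __name__ == "__main__":
    # Constructed rogue RA: documentation prefix and a resolver inside it.
    rogue = parse_router_advertisement(build_sample_ra("2001:db8:1::/64", "2001:db8:1::53"))
    # fd00::53 stands in for the organisation's real resolver (constructed value).
    for line in suspicious_indicators(rogue, expected_dns=["fd00::53"]):
        print("ALERT:", line)
```

The allowlist check matters more than the documentation-prefix check: an attacker who picks a routable prefix would pass the second test, but any RDNSS that is not one of your own resolvers is still worth an alert, and on networks that do not use IPv6 at all, any RA is.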

Windows RDP Access is Possible with Old Credentials
Windows caches credentials locally, which may allow an RDP login with a password that has since been changed or revoked.
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments

Podcast Transcript

 Hello and welcome to the Thursday, May 1st, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. Well, in Diaries today we have Guy
 talking about possible exploits for a SonicWall
 vulnerability. The vulnerability is older. We
 haven't seen a ton of exploitation for this
 vulnerability in the past. But all of a sudden we see a huge
 rise in scans for related endpoints. Now, these
 endpoints are then also related to login. So it's
 possible that this could also just be a brute force attack.
 If you're looking at the frequency of these scans, so
 we had here on the 25th, 1.5 million scans for this
 particular config domains URL. But similar numbers were then
 also seen for other URLs, in particular the logon URL. And
 that's kind of what suggests that this may actually be a
 brute force attack. If anybody has any more details and is
 more familiar with the API here for a SonicWall, it
 would be interesting to get some insight on this. I did
 try to find some public documentation, but couldn't
 really find a good sort of detailed documentation of the
 different endpoints. And how they could, for example, be
 used for a brute force attack. But as usual, make sure your
 edge devices are properly patched and configured. In
 particular, with strong passwords. ESET Security
 published an interesting blog post about some malware they
 actually did discover quite a while ago, but now they're
 writing it up, that does use IPv6 in order to gain a
 machine in the middle position. This malware was
 mostly targeting China. It was distributed as a Chinese input
 method plugin for Windows systems. So that's basically
 how they initially infected the system. Once a system was
 infected, that system then sent out router
 advertisements. In IPv6, these router advertisements, well,
 you can see them as DHCP-Lite. They tell you what IP address
 to use. They also tell you or optionally tell you what
 recursive DNS server to use. And that's where this attack
 gets interesting. So this recursive DNS server is now
 added to the particular victim's system. Next time
 they're trying to do a DNS lookup, there's a good chance
 they're trying to use that IPv6 address, which then the
 fake router that is on the original sort of first
 infected host, that particular system is now responding to
 these DNS requests, essentially spoofing the IPv6
 address being used here for DNS. Apparently, the final
 outcome here is that this particular attack is returning
 false responses for hostnames related to updates of
 software. So with that, the attacker is then able to load
 a malicious update into the victim's system. This is a
 tricky attack, and there is no sort of great defense here.
 You could completely disable IPv6. Remember, by default on
 most operating systems, IPv6 is enabled. It doesn't do
 really anything until you have a router like this actually
 assigning you globally routable IPv6 addresses. But
 what you should definitely do is monitor for a sudden IPv6
 use like this. What makes this particular attack a little bit
 more visible than maybe others is that they're using an IPv6
 prefix set aside for documentation: 2001:db8. That
 particular IPv6 prefix is not used in real
 networks. It's meant for examples, for documentation.
 So that makes it in some ways a little bit more noisy. But
 if you're not watching for IPv6 traffic in the first
 place, well, you're going to miss this. And then we have an
 interesting Microsoft feature that turns well into somewhat
 of a security problem. And that's a credential caching.
 When you are connecting to a system via RDP, you may be
 able to do so even if you change their password using
 the old password. The problem that Microsoft tried to solve
 here is to not lock out the user. So if you're losing
 access to cloud credentials and such due to network
 instability, for example, you still have the ability to fall
 back to credentials that were last used with the system. In
 this case, these cached credentials may be credentials
 from before you last updated your password. This is, of
 course, a problem if you update your password in
 response to a breach or something like this, that RDP
 access still remains viable to the attacker using the old
 credentials. Interesting problem. Definitely something
 if you're using Windows, if you're using RDP to access
 your systems, that you probably should read up on and
 look into various ways to either detect or prevent this.
 The other problem is that there is sort of no real good
 logging of this particular activity. So it's hard to
 identify that someone is using cached or outdated
 credentials. Well, and that's it for today. Thanks for
 listening and thanks for recommending this podcast.
 Thanks for liking it. Thanks for leaving good reviews with
 your favorite podcast platform. If you have any
 feedback, please let me know in particular if I missed this
 story. Should have covered something that I didn't or
 spent too much time on something else. Thanks and
 talk to you again tomorrow. Bye.