🗓️ 1 May 2025
⏱️ 6 minutes
0:00.0 | Hello and welcome to the Thursday, May 1st, 2025 edition of the SANS Internet Storm Center
0:07.0 | Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.
0:13.6 | Well, in Diaries today, we have Guy talking about possible exploits for a SonicWall vulnerability.
0:19.6 | The vulnerability is older. We haven't seen a ton of
0:23.0 | exploitation for this vulnerability in the past, but all of a sudden we see a huge rise in scans
0:29.4 | for related endpoints. Now, these endpoints are then also related to a login. So it's
0:37.0 | possible that this could also just be a brute force attack.
0:42.2 | If you're looking at the frequency of these scans, so we had here on the 25th 1.5 million scans
0:53.1 | for this particular config domains URL, but similar numbers were then also
1:00.5 | seen for other URLs, in particular the log-on URL. And that's kind of what suggests that this may
1:10.8 | actually be a brute force attack.
1:13.8 | If anybody has any more details and is more familiar with the API here for the SonicWall,
1:21.4 | it would be interesting to get some insight on this.
1:23.9 | I did try to find some public documentation, but couldn't really find a good sort of
1:28.6 | detailed documentation of the different endpoints and how they could, for example, be used
1:34.4 | for a brute force attack. But as usual, make sure your edge devices are properly patched and
1:42.2 | configured, in particular with strong passwords.
1:46.9 | ESET security published an interesting blog post about some malware. They actually did
1:53.2 | discover it quite a while ago, but now they're writing it up, that does use IPv6 in order to
1:59.7 | gain a machine-in-the-middle position. This malware was mostly
2:05.2 | targeting China. It was distributed as a Chinese input method plugin for Windows systems.
2:13.1 | So that's basically how they initially infected the system. Once a system was infected, that system then sent out router advertisements.
...