Hackers Use SonicWall Credentials to Deploy Malware Disabling EDR Systems

Hackers Exploit SonicWall SSLVPN Credentials to Deploy EDR-Killing Malware

In a recent cybersecurity incident, threat actors have been observed leveraging compromised SonicWall SSLVPN credentials to infiltrate networks and deploy sophisticated malware designed to disable Endpoint Detection and Response (EDR) systems. This tactic effectively blinds security defenses, allowing attackers to operate undetected within compromised environments.

Initial Access Through Compromised Credentials

The attack begins with cybercriminals obtaining valid SonicWall SSLVPN credentials, possibly through phishing campaigns, credential stuffing, or exploiting previously disclosed vulnerabilities. By using legitimate login information, attackers can bypass traditional security measures that would typically flag unauthorized access attempts.

Once authenticated, the attackers gain a foothold within the target network without triggering alarms associated with brute-force attacks or other overt intrusion methods. This stealthy approach underscores the critical importance of robust credential management and the implementation of multi-factor authentication (MFA) to safeguard remote access points.

Deployment of the EDR-Killing Malware

After establishing access, the attackers deploy a malicious payload designed to disable EDR solutions. This malware utilizes a technique known as Bring Your Own Vulnerable Driver (BYOVD), where attackers introduce a legitimate but outdated and vulnerable driver into the system. In this case, the driver in question is a component of Guidance Software’s EnCase forensic suite, specifically the EnPortv.sys driver.

Despite its certificate being revoked in 2010, the driver can still be loaded due to Windows’ handling of driver signature enforcement. Windows primarily checks the cryptographic integrity of the signature and may not consult the Certificate Revocation List (CRL) during the boot process. If the driver was timestamped by a trusted authority before the certificate’s expiration, it meets Microsoft’s legacy exception criteria, allowing it to load successfully.

Once the vulnerable driver is loaded, it provides the attackers with kernel-level access, enabling them to terminate processes protected by mechanisms like Protected Process Light (PPL). The malware specifically targets a list of 59 processes associated with major security vendors, including Microsoft Defender, CrowdStrike, SentinelOne, and Carbon Black. By continuously monitoring and terminating these processes, the malware ensures that security services remain disabled, granting the attackers free rein within the compromised system.

Technical Breakdown of the Attack

The attack sequence involves several sophisticated steps:

1. Credential Compromise: Attackers acquire valid SonicWall SSLVPN credentials through various means, such as phishing or exploiting known vulnerabilities.

2. Network Infiltration: Using the compromised credentials, attackers authenticate to the SSLVPN, gaining access to the internal network.

3. Reconnaissance: Once inside, attackers perform network reconnaissance to map the internal environment, identifying critical systems and security measures in place.

4. Malware Deployment: Attackers deploy a 64-bit Windows executable designed to install the vulnerable EnPortv.sys driver.

5. Driver Loading: The malware drops the driver to a specific location (e.g., C:\ProgramData\OEM\Firmware\OemHwUpd.sys) and registers it as a kernel service named OEM Hardware HAL Service to ensure persistence.

6. EDR Termination: With kernel-level access, the malware continuously terminates security processes associated with EDR solutions, effectively neutralizing the system’s defenses.
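Added detection example for the driver-drop and service-registration step above (not code from the article or from any vendor it names): it scans constructed Windows service-installation records, modelled on the fields of System log Event ID 7045, and flags kernel-mode driver services whose image path sits under a user-writable directory or that match the path and service name the article reports. The sample records, the SUSPICIOUS_ROOTS list and all function names are assumptions for illustration.

```python
"""Flag kernel-driver service installs that look like the BYOVD pattern in
the article: a driver dropped under C:\\ProgramData and registered as a
kernel service. Records are constructed to mirror Event ID 7045 fields
(ServiceName, ImagePath, ServiceType); they are not real logs."""
import re

# Directories from which a legitimate kernel driver is rarely loaded (assumed list).
SUSPICIOUS_ROOTS = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
# Indicators quoted in the article (dropped path and service name).
KNOWN_IOC_PATH = r"c:\programdata\oem\firmware\oemhwupd.sys"
KNOWN_IOC_NAME = "oem hardware hal service"

# Constructed sample events: one matching the reported campaign, two benign.
SAMPLE_EVENTS = [
    {"ServiceName": "OEM Hardware HAL Service",
     "ImagePath": r"\??\C:\ProgramData\OEM\Firmware\OemHwUpd.sys",
     "ServiceType": "kernel mode driver"},
    {"ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "ServiceType": "user mode service"},
    {"ServiceName": "vmci",
     "ImagePath": r"System32\drivers\vmci.sys",
     "ServiceType": "kernel mode driver"},
]

def normalize_path(image_path: str) -> str:
    """Strip surrounding quotes and the NT \\??\\ prefix, then lower-case."""
    p = image_path.strip().strip('"')
    p = re.sub(r"^\\\?\?\\", "", p)
    return p.lower()

def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like a BYOVD install (empty if clean)."""
    reasons = []
    if "kernel" not in event["ServiceType"].lower():
        return reasons                      # only kernel-mode drivers matter here
    path = normalize_path(event["ImagePath"])
    name = event["ServiceName"].lower()
    if path == KNOWN_IOC_PATH or name == KNOWN_IOC_NAME:
        reasons.append("matches indicator from reported campaign")
    if path.startswith(SUSPICIOUS_ROOTS):
        reasons.append("kernel driver loaded from user-writable directory")
    return reasons

def find_suspicious(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify() over every record and keep the flagged service names."""
    return [(e["ServiceName"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {name}: {'; '.join(reasons)}")
```

The path heuristic catches a renamed driver that no longer matches the reported file name, which the indicator match alone would miss.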

Implications and Mitigation Strategies

This attack highlights the evolving tactics of cybercriminals who exploit legitimate tools and credentials to bypass security measures. The use of BYOVD attacks to disable EDR solutions is particularly concerning, as it allows attackers to operate undetected and maintain persistence within compromised networks.

To mitigate such threats, organizations should implement the following strategies:

– Enforce Multi-Factor Authentication (MFA): Adding an extra layer of security to VPN access can prevent unauthorized access, even if credentials are compromised.

– Regularly Update and Patch Systems: Ensure that all software, including drivers, is up-to-date to prevent exploitation of known vulnerabilities.

– Monitor for Anomalous Activity: Implement robust monitoring to detect unusual login patterns, such as access from unfamiliar IP addresses or at odd hours.

– Restrict Privileges: Limit administrative privileges to essential personnel and systems to reduce the potential impact of a compromised account.

– Educate Employees: Conduct regular training on recognizing phishing attempts and the importance of secure credential management.

By adopting these measures, organizations can enhance their security posture and reduce the risk of similar attacks compromising their networks.