Attackers Use Compromised SonicWall SSLVPN Credentials to Deploy an EDR Killer
Attackers have been logging into SonicWall SSLVPN appliances with compromised credentials and then deploying a kernel-level ‘EDR killer’ to blind endpoint security products before moving through the network. The entry point in the intrusion described here was a valid login, not an exploited appliance vulnerability, which is exactly what makes the campaign hard to spot at the perimeter.
Initial Access via Compromised Credentials
In early February 2026, Huntress analyzed an intrusion in which the attackers gained entry with legitimate VPN credentials, so no brute-force bursts or exploit traffic preceded the login. Once on the network they used a Bring Your Own Vulnerable Driver (BYOVD) technique, loading a revoked Guidance Software forensic driver to obtain code execution in the kernel.
From the kernel, that driver let them disable security processes that user-mode tooling cannot touch. The breach began the moment the attackers authenticated to the SonicWall SSLVPN with the compromised credentials; with no failed-login spikes or exploit attempts to trigger alerts, credential hygiene and multi-factor authentication on the VPN matter more here than appliance patching.
Reconnaissance and Network Mapping Activities
Once inside, the attackers began reconnaissance almost immediately. SonicWall’s Intrusion Prevention System (IPS) logged the high-volume activity: ICMP ping sweeps, NetBIOS probes, and a burst of TCP SYN packets exceeding 370 per second that the IPS classified as a SYN flood. The goal was host and port discovery across the internal network rather than denial of service; scan traffic at that rate from a freshly connected VPN client is itself a strong signal worth alerting on.
The successful VPN login came from 69.10.60[.]250, while a failed attempt from 193.160.216[.]221 was rejected because that account did not hold the privileges required for VPN access. Both addresses belong in VPN authentication log searches, and the failed attempt shows that not every credential the attackers held was usable for VPN access, which did not stop them from trying.
Deployment of EDR Killer
The core of the attack was a 64-bit Windows executable that installed a malicious kernel driver. The driver was not carried as raw bytes: the authors encoded it as text, replacing each byte value with a word from a 256-word dictionary, so the embedded payload reads as a block of ordinary-looking words rather than a PE image.
At runtime the loader mapped the words back to bytes, rebuilt a valid Windows PE file, and wrote it to C:\ProgramData\OEMFirmware\OemHwUpd.sys, a name and location chosen to pass as an OEM hardware-update driver. It then registered the file as a kernel-mode driver service, so the driver was loaded again on every reboot.
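As an added illustration (not Huntress’s tooling, and not the malware’s real word list, which the page does not reproduce), the following Python shows how a byte-to-word encoding of this kind works and how a defender reverses it: every byte value 0x00 to 0xFF maps to exactly one dictionary word, so a blob of innocent-looking words decodes back to a PE file whose MZ and PE headers can then be checked. The 256-word dictionary and the minimal PE sample are constructed for the example.

```python
"""Word-dictionary payload encoding: encoder, decoder and a PE-header check.

Added example. The dictionary below is invented (the real one is not on the
page); the technique, one word per byte value, is what matters.
"""
import struct
from typing import Optional

# Constructed 256-word dictionary: 16 prefixes x 16 suffixes gives 256 unique
# four-letter pseudo-words, one per byte value 0x00..0xFF.
_PREFIXES = ["al", "be", "co", "de", "el", "fa", "go", "hu",
             "in", "jo", "ka", "lu", "mo", "na", "or", "pu"]
_SUFFIXES = ["ma", "ne", "ri", "to", "ku", "le", "si", "do",
             "va", "ze", "xi", "bo", "ga", "pe", "tu", "wo"]
DICTIONARY = [p + s for p in _PREFIXES for s in _SUFFIXES]
assert len(DICTIONARY) == len(set(DICTIONARY)) == 256
WORD_TO_BYTE = {word: value for value, word in enumerate(DICTIONARY)}


def encode_payload(data: bytes) -> str:
    """Replace every byte with its dictionary word (what the loader carries)."""
    return " ".join(DICTIONARY[b] for b in data)


def decode_payload(text: str) -> Optional[bytes]:
    """Map words back to bytes; None if any token is not a dictionary word."""
    out = bytearray()
    for token in text.split():
        value = WORD_TO_BYTE.get(token.lower())
        if value is None:
            return None
        out.append(value)
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_text_blob(text: str) -> dict:
    """Triage a text blob: what share of it is dictionary words, and does the
    fully decoded result carry Windows executable headers?"""
    tokens = text.split()
    hits = sum(1 for t in tokens if t.lower() in WORD_TO_BYTE)
    ratio = hits / len(tokens) if tokens else 0.0
    decoded = decode_payload(text) if tokens and hits == len(tokens) else None
    return {
        "tokens": len(tokens),
        "dictionary_ratio": ratio,
        "decodes_to_pe": decoded is not None and looks_like_pe(decoded),
    }


# Constructed minimal PE-like image: MZ header, e_lfanew = 0x40, then 'PE\0\0'.
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
             + b"PE\0\0" + b"\0" * 20)
SAMPLE_ENCODED = encode_payload(SAMPLE_PE)

if __name__ == "__main__":
    print(SAMPLE_ENCODED[:80], "...")
    print(scan_text_blob(SAMPLE_ENCODED))
    print(scan_text_blob("the quick brown fox jumps over the lazy dog"))
```

The useful part for hunting is scan_text_blob: a resource or string table in which every token belongs to a small fixed vocabulary, and which decodes to something starting with MZ, is far more telling than any single word in it. With a real sample the dictionary has to be recovered from the loader first, typically by finding the 256-entry table it indexes while decoding.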
Windows Driver Signature Enforcement checks that a driver carries a valid, Microsoft-trusted signature, but it does not consult certificate revocation at load time; a driver signed before its certificate was revoked therefore still loads unless its hash appears on Microsoft’s vulnerable driver blocklist. That gap is what BYOVD relies on, and it let the attackers load the revoked Guidance Software driver. Running in the kernel, the driver could terminate processes protected by Protected Process Light (PPL), which cannot be killed from user mode even by an administrator; the sample targeted 59 processes belonging to major security vendors.
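A practical detection for the persistence step, written here as an added Python example (it is not Huntress’s tooling nor a SonicWall or Windows feature): it triages the fields that the Service Control Manager records in System log Event ID 7045 (“A service was installed in the system”) and flags kernel-mode drivers whose image lives outside the Windows drivers directory or in a user-writable location. The sample records are constructed to mirror those fields; they are not real log exports, and the driver names other than the one the page reports are illustrative.

```python
"""Hunt for kernel-mode driver services installed from non-standard paths.

Added example: the input records are constructed to mirror the fields of
Windows System log Event ID 7045 (Service Control Manager, "A service was
installed in the system"); they are not real exports.
"""
from dataclasses import dataclass
from typing import List, Tuple

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass
class ServiceInstallEvent:
    service_name: str
    image_path: str       # "Service File Name" in the 7045 event
    service_type: str     # e.g. "kernel mode driver", "user mode service"
    start_type: str       # e.g. "system start", "auto start", "demand start"


def normalize_image_path(raw: str) -> str:
    """Canonicalize the path forms seen in driver service entries."""
    path = raw.strip().strip('"').lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\systemroot\\"):
        path = "c:\\windows\\" + path[len("\\systemroot\\"):]
    elif path.startswith("system32\\"):
        path = "c:\\windows\\" + path
    return path


def assess_event(ev: ServiceInstallEvent) -> List[str]:
    """Return the reasons (possibly none) an install event deserves a look."""
    reasons: List[str] = []
    if "kernel" not in ev.service_type.lower():
        return reasons  # user-mode services are out of scope for this hunt
    path = normalize_image_path(ev.image_path)
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("kernel driver loaded from outside System32\\drivers")
    if path.startswith(USER_WRITABLE_ROOTS):
        reasons.append("driver image in a user-writable directory")
    persistent = ev.start_type.lower() in ("boot start", "system start", "auto start")
    if persistent and reasons:
        reasons.append("boot-persistent start type for a non-standard driver")
    return reasons


def hunt(events) -> List[Tuple[str, str, List[str]]]:
    """Return (service name, normalized path, reasons) for each suspicious event."""
    findings = []
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            findings.append((ev.service_name, normalize_image_path(ev.image_path), reasons))
    return findings


# Constructed sample records. The first mirrors the drop location the page
# reports; the other two are benign-looking installs for contrast.
SAMPLE_EVENTS = [
    ServiceInstallEvent("OemHwUpd", r"\??\C:\ProgramData\OEMFirmware\OemHwUpd.sys",
                        "kernel mode driver", "system start"),
    ServiceInstallEvent("mssmbios", r"\SystemRoot\System32\drivers\mssmbios.sys",
                        "kernel mode driver", "system start"),
    ServiceInstallEvent("UpdaterSvc", r'"C:\Program Files\Vendor\updater.exe"',
                        "user mode service", "auto start"),
]

if __name__ == "__main__":
    for name, path, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: {path}\n  - " + "\n  - ".join(reasons))
```

Treat this as a triage heuristic rather than a verdict: some legitimate vendor installers do drop drivers under Program Files, so an allowlist of known packages is needed, and the check complements rather than replaces Microsoft’s vulnerable driver blocklist, which would refuse a revoked driver by hash regardless of where it was written.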
Implications and Future Outlook
The intrusion shows that credential abuse followed by BYOVD is now a routine pattern rather than an exotic one. The concrete responses follow from each stage: enforce multi-factor authentication on SSLVPN accounts and rotate any credentials that may have been exposed; enable Microsoft’s vulnerable driver blocklist (tied to memory integrity/HVCI on recent Windows) so known-bad drivers are refused regardless of their signature; alert on kernel-mode driver services being installed from user-writable paths such as ProgramData; and treat ping sweeps, NetBIOS probes and SYN bursts from a newly connected VPN client as an incident rather than noise. Patching still matters, but in this case the appliance was not the weak point; the credentials were.
