Technical analysis of LockBit 2.0 affiliates’ SonicWall exploit that bypasses MFA
We outline the tactics, techniques and procedures of the threat actor, and share the technical details of the indicators of compromise for one of our incident response experiences in 1H2022.

In the previous blog post, we reported on the novel technique leveraged by LockBit 2.0 affiliates to exploit the SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSL VPN) appliance and retrieve the time-based one-time password (TOTP) secret, which enabled the circumvention of the multi-factor authentication (MFA) access control. At that point in time, we identified from open source internet search engines that over one hundred Hong Kong and Macau organisations may have been susceptible to this exploit, based on their reported use of potentially vulnerable appliances.
We follow up on that post with a technical analysis of the LockBit 2.0 affiliates’ Tactics, Techniques and Procedures (TTPs) as observed in our incident response engagements. In addition, we set the scene for our final blog post, which will explore the factors that enable the LockBit Ransomware-as-a-Service (RaaS) group to continue innovating at a rapid pace and cement its position as a major player in the ransomware threat landscape.
Analysis and Exploitation in the wild
Reconnaissance
We observed through analysis of the SSL VPN appliance and firewall network traffic logs that either CVE-2019-7481 or CVE-2021-20028 was exploited twice prior to initial access. In the first recorded instance, in late 2021, the affiliate obtained the credentials of an administrative account. We conclude this with high confidence: the credential had not previously been leaked in data breaches or on the Dark Web, and the user had adopted a strong password (long, and drawing on all four character classes), so brute-forcing or credential reuse is unlikely to explain its compromise.
Over the next three months, each login attempt originated from a unique external IP address and was unsuccessful due to the enforcement of MFA. The exploit was executed again, from yet another IP address, shortly before the successful initial access. The use of a different external IP address each time, spread sporadically over months, strongly indicates a threat actor seeking to remain stealthy and avoid triggering the victim’s detection and incident response protocols.
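The pattern described above, a privileged account failing authentication from a different external address each time over several months and then succeeding from yet another one, is detectable in the appliance’s own authentication logs. The following added example (not code from the original post or from SonicWall) implements that check in Python over a constructed log excerpt. The line format (`timestamp user result src_ip`), the field order, the documentation-range addresses and the thresholds are assumptions to be adapted to the appliance’s actual export.

```python
"""Added example, not from the original post: flag privileged accounts whose
failed VPN logins arrive from many distinct external addresses spread over a
long window, and note whether a later success came from yet another new IP.
Log format, field order and thresholds are assumptions; adapt to the appliance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "<ISO-8601 UTC> <user> <FAIL|SUCCESS> <src_ip>"
# format. Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
2021-11-03T02:14:09Z admin FAIL 198.51.100.17
2021-11-21T23:51:40Z admin FAIL 203.0.113.88
2021-12-14T04:07:12Z admin FAIL 192.0.2.203
2022-01-09T01:33:55Z admin FAIL 198.51.100.250
2022-01-28T03:02:31Z admin SUCCESS 203.0.113.9
2022-01-10T09:00:00Z jsmith FAIL 192.0.2.40
2022-01-10T09:00:30Z jsmith SUCCESS 192.0.2.40
"""


def parse(log_text):
    """Return (timestamp, user, result, src_ip) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def low_and_slow_suspects(events, privileged, min_distinct_ips=3,
                          window=timedelta(days=120)):
    """For each privileged user, find the largest number of distinct source IPs
    among failed logins inside any `window`-long span. Users at or above
    `min_distinct_ips` are returned, with a flag for a success from an address
    never seen failing (the shape of an MFA bypass with stolen credentials)."""
    by_user = defaultdict(list)
    for ts, user, result, ip in sorted(events):
        if user in privileged:
            by_user[user].append((ts, result, ip))

    findings = {}
    for user, rows in by_user.items():
        fails = [(ts, ip) for ts, result, ip in rows if result == "FAIL"]
        best = 0
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored on each failure; fails are time-sorted.
            in_window = {ip for ts, ip in fails[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best < min_distinct_ips:
            continue
        fail_ips = {ip for _, ip in fails}
        success_new_ip = any(result == "SUCCESS" and ip not in fail_ips
                             for _, result, ip in rows)
        findings[user] = {"distinct_fail_ips": best,
                          "success_from_new_ip": success_new_ip}
    return findings


if __name__ == "__main__":
    for user, detail in low_and_slow_suspects(parse(SAMPLE_LOG), {"admin"}).items():
        print(user, detail)
```

The window is deliberately long: a per-hour or per-day failure threshold would never fire on one failed login every few weeks, which is exactly what this actor relied on.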
The known malicious IP addresses are listed below. We posit with high confidence that they were utilised by the same threat actor, for the following reasons:
- 91.219.212[.]214 – the first IP address observed exploiting an SQLi vulnerability. It has been reported multiple times as malicious by reputable sources for suspicious activities including spam, brute-forcing, web application abuse and vulnerability exploitation.[1]
- 5.206.224[.]246 – the source of the first unsuccessful attempt to log in as the administrative user, suggesting that this IP address is associated with 91.219.212[.]214, which had obtained the strong and complex password that was then used here.
- 51.91.221[.]111 – which resolves to 213.186.33[.]5 and has been flagged by the security community as malicious, having served as command-and-control infrastructure (a Cobalt Strike server).[2]
- 194.195.91[.]29 – the source of the second observed exploitation of the SQLi vulnerability, with the subsequent login attempt being successful, indicating that the threat actor likely chained it with the undisclosed zero-day vulnerability.
Initial Access
The threat actor gained access to the victim network by chaining an SQLi vulnerability (CVE-2019-7481 or CVE-2021-20028) with an undisclosed zero-day vulnerability to circumvent the MFA access control on the victim’s SonicWall SRA SSL VPN. The vulnerability chain is illustrated in the diagram below.

Through our systematic method for discovering and analysing attack paths, we were able to replicate the zero-day exploitation performed by the threat actor. A summary of the post-authentication local file inclusion vulnerability, undisclosed at the time of the intrusion, is provided below:
| Field | Detail |
|---|---|
| CVE(s) | CVE-2022-22279 |
| First Published Date | 11 March 2022 |
| CVSS v3 | 4.9 |
| Affected Versions | SonicWall SMA100 version 9.0.0.9-26sv and earlier.[3] |
| Description | Post-authentication vulnerability that allows a threat actor to download the persist.db database to their local device via the /cgi-bin/sslvpnclient endpoint, and to extract valid user credentials from the settings.json file, including usernames, encrypted passwords and the TOTP secret.[4] |
| Potential Impact | Sensitive information disclosure that enables a threat actor to circumvent the MFA access control, impersonate valid users and obtain initial access to the victim’s network. |
| Proof of Concept (PoC) Available | At the time of writing, no publicly available PoC was identified. DarkLab reported the vulnerability along with PoC exploit code to SonicWall’s Product Security Incident Response Team (PSIRT), and on 12 April 2022 observed the release of the advisory acknowledging the vulnerability we had disclosed. |
| Exploited in the Wild | Beyond the incident described in this post, no exploitation in the wild was known at the time of writing. |
| Patch Available | No |
| Workaround Available | No |
However, the threat actor required valid user credentials to exploit the post-authentication zero-day vulnerability. Based on this requirement and the victim’s firmware version, we identified two pre-authentication SQLi vulnerabilities, CVE-2019-7481 and CVE-2021-20028, that the threat actor may have leveraged to obtain a valid session. A summary of these vulnerabilities is provided below:
| Field | Detail |
|---|---|
| CVE(s) | CVE-2019-7481 |
| First Published Date | 18 December 2019 |
| CVSS v3 | 7.5 |
| Affected Versions | Per SonicWall’s PSIRT, SMA100 version 9.0.0.3 and earlier.[5] However, we noted from a cybersecurity consultancy firm that devices running firmware version 9.0.0.5 and earlier were still vulnerable.[6] |
| Description | Pre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation allows the threat actor to list active session identifiers for authenticated users from a table named Sessions.[7] |
| Potential Impact | Sensitive information disclosure and initial access under the right conditions (i.e., no MFA access control). |
| Proof of Concept (PoC) Available | At the time of writing, no publicly available PoC was identified. However, security researchers have reportedly reproduced the exploit based on samples obtained from in-the-wild exploitation.[8] |
| Exploited in the Wild | This vulnerability has reportedly been actively exploited in the wild since 8 June 2021.[9] SonicWall’s PSIRT published a notification on 13 July 2021 detailing an incident in which this vulnerability was leveraged to perform a targeted ransomware attack.[10] |
| Patch Available | Yes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[11] |
| Workaround Available | No |
| Field | Detail |
|---|---|
| CVE(s) | CVE-2021-20028 |
| First Published Date | 14 July 2021 |
| CVSS v3 | 9.8 |
| Affected Versions | SonicWall SRA appliances running any 8.x firmware, an old 9.x firmware (9.0.0.9-26sv or earlier), or version 10.2.0.7.[12] However, we noted from a cybersecurity consultancy firm that devices running 10.x firmware were potentially vulnerable.[13] |
| Description | Pre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation allows the threat actor to list active session identifiers for authenticated users from a table named Sessions.[14] |
| Potential Impact | Sensitive information disclosure and initial access under the right conditions (i.e., no MFA access control). |
| Proof of Concept (PoC) Available | Based on Twitter threads, we understand that a PoC was leaked on a paste site[15] by an alleged DarkSide and LockBit affiliate going by the name “Wazawaka” on 25 January 2022.[16] While the leak site is now inaccessible, we noted that security researchers have reportedly reproduced the exploit.[17], [18], [19] |
| Exploited in the Wild | No known mass exploitation in the wild. |
| Patch Available | Yes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[20] |
| Workaround Available | No |
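As an added illustration of the bug class behind both CVEs, and not SonicWall’s code or an exploit for these appliances, the Python block below models a lookup keyed on an untrusted `customerTID` value against an in-memory SQLite database. The schema, the table contents and both queries are constructed for illustration only. The point is that string concatenation lets a single parameter value rewrite the statement into a UNION that returns rows from an unrelated `Sessions` table, while the parameterised form treats the same value as data and returns nothing.

```python
"""Added example, not from the original post and not SonicWall's code: a generic
model of a pre-authentication SQL injection in a tenant-lookup parameter, using
an in-memory SQLite database. Schema, data and queries are constructed."""
import sqlite3


def make_db():
    """Constructed schema: a tenant table the endpoint is meant to query, and a
    Sessions table holding identifiers for already-authenticated users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Customers (tid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE Sessions (session_id TEXT, username TEXT);
        INSERT INTO Customers VALUES ('1001', 'example-tenant');
        INSERT INTO Sessions VALUES ('a1b2c3d4e5f6', 'admin'),
                                    ('0f9e8d7c6b5a', 'jsmith');
    """)
    return db


def lookup_vulnerable(db, customer_tid):
    """BUG (deliberate, to show the class): the untrusted value is concatenated
    into the statement, so quotes in it change the query's structure."""
    sql = f"SELECT name FROM Customers WHERE tid = '{customer_tid}'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, customer_tid):
    """Bound parameter: the value is data only and can never alter the statement."""
    return [row[0] for row in db.execute(
        "SELECT name FROM Customers WHERE tid = ?", (customer_tid,))]


# A classic UNION payload: closes the string, appends a second SELECT with the
# same column count against the unrelated table, and comments out the rest.
INJECTION = "x' UNION SELECT session_id || ':' || username FROM Sessions -- "


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTION))  # session identifiers leak
    print(lookup_fixed(db, INJECTION))       # []
```

A leaked session identifier is as good as the credentials that created it, which is why the impact column above lists initial access: the attacker never has to authenticate, and so never faces the MFA prompt, when MFA is not enforced on session use.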
Establishing Persistence
After logging in with the built-in SonicWall SRA SSL VPN administrative account, the threat actor did not need to escalate privileges: under the configuration at the time, the account was integrated with the victim’s Active Directory and had been assigned domain administrator privileges. To cement their position, the threat actor created an Active Directory account named “audit” with equivalent privileges and performed the majority of subsequent malicious activity with this user.
Discovery
The threat actor transferred SoftPerfect Network Scanner to the victim network. This publicly available scanner discovers hostnames and network services using protocols such as Hypertext Transfer Protocol (HTTP), Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP) and Secure Shell (SSH).[21] The threat actor launched the scanner to map the internal network topology and identify additional critical systems.
| Field | Detail |
|---|---|
| Filename | netscan.exe |
| SHA-256 | a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789 |
| File type | Win32 EXE |
| File size | 16,539,648 bytes |
Lateral Movement
Subsequent to identifying the critical systems such as backup servers and the management information system, the threat actor leveraged the stolen administrative account as well as the created account “audit” to initiate a Remote Desktop Connection to access those endpoints.
Defense Evasion
The kavremover tool was staged and executed to remove the Kaspersky endpoint anti-virus solution from the critical systems.[22] This set up the next stage of the campaign, which focuses on the exfiltration of victim data that is later used for extortion.
| Field | Detail |
|---|---|
| Filename | kavremvr.exe |
| SHA-256 | c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275 |
| File type | Win32 EXE |
| File size | 14,143,976 bytes |
In addition, the executable YDArk.exe was located on selected endpoints. This open source tool was first observed in the wild on 11 June 2020[23], and its source is available on GitHub.[24] From public sources, we note that it is a multi-purpose toolkit, offered with English and Chinese modules, that allows a threat actor to evade defences through various techniques, including process injection and rootkit-style manipulation.[25] We therefore posit that this tool was downloaded to disable other anti-virus solutions such as Windows Defender, alongside the kavremover tool.
Exfiltration and Extortion
In some cases, LockBit affiliates have been observed to stage hacking tools and to exfiltrate data to cloud storage platforms such as AnonFiles, which allow users to upload and share content anonymously.[26], [27]
Ransomware deployment was observed to have been performed manually, with the threat actor executing the payload on the critical servers. Following the execution of LockBit 2.0, the threat actor makes it known to the victim that the network has been encrypted by leaving a ransom note on the impacted systems, and typically moves on to the extortion phase of the campaign, which is broken down into two stages: the initial ransom note and the leak website.
| Field | Detail |
|---|---|
| Filename | LockBit_9C11F98C309ECD01.exe |
| SHA-256 | 822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7 |
| File type | Win32 EXE |
| File size | 982,528 bytes |
Several behaviours of the LockBit 2.0 sample were observed in our incident from the available logs:
- The ransomware enumerated connected drives and read the root path of each drive other than the default C: drive, allowing it to propagate to and encrypt additional drives connected to the infected system.
- The ransomware deleted the Volume Shadow Copies (VSS), disabled Windows recovery options and removed the backup catalog, likely by running the following command:
C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Successfully encrypted files had their extension changed to .lockbit. Unlike typical cases, we did not observe the desktop wallpaper being modified via the \REGISTRY\USER\Control Panel\Desktop\Wallpaper registry value.
Finally, we observed that all Active Directory accounts were disabled by the threat actor after the execution of LockBit 2.0. This denied legitimate users (e.g., administrators) access to their accounts, delaying the actions that could be taken to restore the impacted systems and network.
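The command chain quoted above is noisy enough to detect at process-creation time. The following added example (not code from the original post) matches command lines against each stage of the chain in Python, splitting on cmd.exe operators so that a single `cmd.exe /c ... & ...` line is evaluated one sub-command at a time, and counting distinct recovery-inhibiting actions to set severity. The event records are constructed, and their field names (`Computer`, `ProcessId`, `CommandLine`) are assumptions modelled on Sysmon Event ID 1 exports; adapt them to your SIEM’s schema.

```python
"""Added example, not from the original post: detect the recovery-inhibiting
command chain (ATT&CK T1490) in process-creation telemetry. Event records and
field names are constructed/assumed (modelled on Sysmon Event ID 1 exports)."""
import re

# One rule per stage of the chain. Patterns are matched against a single
# sub-command, so chaining everything into one cmd.exe line does not hide
# the individual stages.
RULES = [
    ("vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic deletes shadow copies",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit disables recovery or ignores boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin deletes the backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

SAMPLE_EVENTS = [  # constructed records
    {"Computer": "BKP-SRV01", "ProcessId": 4412,
     "CommandLine": (r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet "
                     r"& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy "
                     r"ignoreallfailures & bcdedit /set {default} recoveryenabled no "
                     r"& wbadmin delete catalog -quiet")},
    {"Computer": "WS-1337", "ProcessId": 812,
     "CommandLine": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"Computer": "MIS-APP02", "ProcessId": 2290,
     "CommandLine": r"C:\Windows\System32\cmd.exe /c VSSADMIN.EXE Delete Shadows /All /Quiet"},
]


def split_chain(cmdline):
    """Split on cmd.exe operators (&, &&, ||) so each stage is evaluated alone."""
    parts = re.split(r"\s*(?:&&|\|\||&)\s*", cmdline)
    return [p.strip() for p in parts if p.strip()]


def evaluate(events):
    """Return one finding per event that matches any rule, with severity 'high'
    when two or more distinct recovery-inhibiting actions appear together."""
    findings = []
    for ev in events:
        hits = set()
        for sub in split_chain(ev["CommandLine"]):
            for description, pattern in RULES:
                if pattern.search(sub):
                    hits.add(description)
        if hits:
            findings.append({
                "host": ev["Computer"],
                "pid": ev["ProcessId"],
                "technique": "T1490",
                "matches": sorted(hits),
                "severity": "high" if len(hits) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administration occasionally deletes a shadow copy, so a single stage is scored medium; the combination of shadow-copy deletion, boot-policy changes and catalog removal in one process tree is what distinguishes ransomware staging and drives the high rating.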
Conclusion
LockBit 2.0 affiliates work on behalf of the LockBit group to conduct ransomware campaigns against organisations across industries and around the globe. Affiliates’ abilities to conduct the intrusion and execute the LockBit 2.0 ransomware vary; in these incidents we observed an affiliate with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way, chaining it with a zero-day to circumvent the MFA access control and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates, as documented from our recent incident response experience, to improve their preventive and detective controls.
Recommendations
As mentioned in the previous blog post, defending against undisclosed exploits is extremely challenging, but not impossible if organisations adopt a defence-in-depth approach. The following guiding principles should be observed, on top of those already listed in the previous blog post:
- Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. In particular, maintain an inventory of assets that clearly identifies critical systems and sensitive data, mapped to business owners and to the security controls relied on to manage cyber risk.
- Design, implement and operate an enterprise security architecture that embeds the concept of zero trust, focusing on protecting critical resources (assets, services, workflows, network accounts, etc.) rather than network segments alone, since network location is no longer the prime determinant of a resource’s security posture.
- Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
- Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as through deployment of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
In addition, we strongly urge organisations that have deployed vulnerable versions of the SonicWall SRA SSL VPN to execute the remediation actions outlined in the previous blog post, if not already completed.
MITRE ATT&CK TTPs Leveraged
We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.
- Reconnaissance: Active Scanning – Vulnerability Scanning (T1595.002)
- Reconnaissance: Gather Victim Network Information – IP Addresses (T1590.005)
- Initial Access: Exploit Public-Facing Application (T1190)
- Initial Access: Valid Accounts (T1078)
- Persistence: Account Manipulation (T1098)
- Persistence: Create Account: Domain Account (T1136.002)
- Privilege Escalation: Domain Accounts (T1078.002)
- Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001)
- Defense Evasion: Indicator Removal on Host: File Deletion (T1070.004)
- Credential Access: Credentials from Password Stores (T1555)
- Discovery: Network Service Scanning (T1046)
- Discovery: File and Directory Discovery (T1083)
- Discovery: Remote System Discovery (T1018)
- Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001)
- Collection: Data from Local System (T1005)
- Command and Control: Ingress Tool Transfer (T1105)
- Impact: Account Access Removal (T1531)
- Impact: Data Encrypted for Impact (T1486)
- Impact: Inhibit System Recovery (T1490)
Indicators of Compromise (IoCs)
We include the observed IoCs, building on those published in part one of this blog post. We will expand this list as we deep-dive into the affiliates’ TTPs as observed in our incident response experience in Q1 2022.
| Indicator | Type |
|---|---|
| c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275 | SHA-256 |
| a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789 | SHA-256 |
| 49bac09d18e35c58180ff08faa95d61f60a22fbb4186c6e8873c72f669713c8c | SHA-256 |
| 822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7 | SHA-256 |
| 91.219.212[.]214 | IPv4 Address |
| 5.206.224[.]246 | IPv4 Address |
| 51.91.221[.]111 | IPv4 Address |
| 213.186.33[.]5 | IPv4 Address |
| 194.195.91[.]29 | IPv4 Address |
| kavremvr.exe | Executable File |
| netscan.exe | Executable File |
| LockBit_9C11F98C309ECD01.exe | Executable File |
| YDArk.exe | Executable File |
| .lockbit | Encrypted Files Extension |
| Restore-My-Files[.]txt | Filename |
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.