Threat actors are now using compromised SonicWall SSLVPN credentials to bypass perimeter defenses and deploy a stealthy EDR killer that disables endpoint security from the kernel.
This is not just a breach: it is a takedown of the endpoint security stack, built on a legitimately signed driver and forensic evasion rather than on any exploit.
Initial Access: Valid Credentials, No Brute Force
In early February 2026, Huntress researchers observed attackers:
- Logging in via SonicWall SSLVPN using valid credentials.
- Bypassing brute-force detection entirely, since a single successful login generates none of the failed-attempt noise those detections key on.
- Launching ICMP sweeps, NetBIOS probes, and SYN floods (370+ SYNs/sec) to map the internal network.
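The recon burst is the first thing a defender can actually see, because the login itself looks legitimate. The following Python is an added example, not code from Huntress or from this post: it runs over constructed NetFlow-style records and a constructed VPN session table, joins any source that starts SYN-scanning or sweeping with the VPN session that owns that address, and checks the session's external IP against a watchlist. The client address 10.200.0.15, the user names, the second session and both thresholds are assumptions; the 370 SYNs/sec figure and 69.10.60[.]250 come from the post.

```python
"""Added example (not from Huntress or this post): flag a VPN-assigned client that
starts scanning right after login. Flow records and the session table are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    flags: str     # TCP flags, "S" = SYN only; "" for other protocols


SYN_RATE_THRESHOLD = 100      # SYNs per second from one source; assumption, tune per network
SWEEP_HOSTS_THRESHOLD = 20    # distinct targets for an ICMP or NetBIOS sweep; assumption
# Indicator from the post, kept defanged in the source and refanged for comparison.
REFANGED_IOC_IP = "69.10.60[.]250".replace("[.]", ".")
KNOWN_BAD_EXTERNAL_IPS = {REFANGED_IOC_IP}


def detect_syn_burst(flows, threshold=SYN_RATE_THRESHOLD):
    """Return {src: peak SYNs in any one-second bucket} for sources over threshold."""
    per_second = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            per_second[(f.src, int(f.ts))] += 1
    peaks = {}
    for (src, _), n in per_second.items():
        if n >= threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


def detect_sweeps(flows, min_hosts=SWEEP_HOSTS_THRESHOLD):
    """Return {src: {"icmp": n, "netbios": m}} for probes that touch many distinct hosts."""
    targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.proto == "icmp":
            targets[f.src]["icmp"].add(f.dst)
        elif f.proto == "udp" and f.dport == 137:   # NetBIOS name service
            targets[f.src]["netbios"].add(f.dst)
    result = {}
    for src, kinds in targets.items():
        hits = {k: len(v) for k, v in kinds.items() if len(v) >= min_hosts}
        if hits:
            result[src] = hits
    return result


def triage(flows, vpn_sessions, watchlist=KNOWN_BAD_EXTERNAL_IPS):
    """Join recon detections with the VPN session table so the alert names the session."""
    bursts, sweeps = detect_syn_burst(flows), detect_sweeps(flows)
    alerts = []
    for src in sorted(set(bursts) | set(sweeps)):
        sess = vpn_sessions.get(src)
        alerts.append({
            "src": src,
            "peak_syn_per_sec": bursts.get(src, 0),
            "sweeps": sweeps.get(src, {}),
            "vpn_user": sess["user"] if sess else None,
            "external_ip": sess["external_ip"] if sess else None,
            "external_ip_on_watchlist": bool(sess and sess["external_ip"] in watchlist),
        })
    return alerts


T0 = 1_770_000_000.0          # arbitrary epoch seconds in early February 2026
RECON_CLIENT = "10.200.0.15"  # assumed SSLVPN-assigned address of the attacker's session

# Constructed session table, as an SSLVPN appliance might export it.
SAMPLE_VPN_SESSIONS = {
    RECON_CLIENT: {"user": "jdoe", "external_ip": REFANGED_IOC_IP, "login_ts": T0 - 120},
    "10.200.0.22": {"user": "asmith", "external_ip": "203.0.113.7", "login_ts": T0 - 3600},
}


def build_sample_flows():
    """Constructed traffic: 370 SYNs in one second, an ICMP sweep, NetBIOS probes, and a quiet host."""
    flows = []
    for i in range(370):   # matches the 370+ SYNs/sec figure from the post
        flows.append(Flow(T0 + i / 370, RECON_CLIENT, f"10.0.{i // 250}.{i % 250 + 1}",
                          "tcp", (445, 3389, 22)[i % 3], "S"))
    for i in range(50):    # ICMP echo sweep of 50 hosts over five seconds
        flows.append(Flow(T0 + 1 + i / 10, RECON_CLIENT, f"10.0.5.{i + 1}", "icmp", 0, ""))
    for i in range(30):    # NetBIOS name probes to 30 hosts
        flows.append(Flow(T0 + 7 + i / 10, RECON_CLIENT, f"10.0.6.{i + 1}", "udp", 137, ""))
    for i in range(5):     # benign: a few SMB sessions spread over ten seconds
        flows.append(Flow(T0 + 2 * i, "10.0.1.20", "10.0.1.5", "tcp", 445, "S"))
    return flows


if __name__ == "__main__":
    for alert in triage(build_sample_flows(), SAMPLE_VPN_SESSIONS):
        print(alert)
```

The join with the session table is the point: a SYN burst from an internal address is a weak signal on its own, but the same burst from an address handed out by the VPN concentrator two minutes earlier, to a user whose source IP is on a watchlist, is an incident. The thresholds are starting points only; the benign host in the sample never reaches them because its five SYNs land in five different one-second buckets.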

The EDR Killer Payload
The core payload is a 64-bit executable that deploys a revoked EnCase forensic driver using a BYOVD (Bring Your Own Vulnerable Driver) technique.
Key tactics:
- Custom wordlist cipher to encode the driver payload.
- Drops the driver to C:\ProgramData\OEM\Firmware\OemHwUpd.sys.
- Uses timestomping so the file's timestamps mimic those of legitimate files.
- Registers it as a kernel service named OEM Hardware HAL Service.
Exploiting Windows Driver Signature Enforcement
The driver (EnPortv.sys) was signed while its code-signing certificate was still valid; that certificate expired in 2010 and has since been revoked. The signature carries a timestamp countersignature from before expiry, and Microsoft's legacy exception still accepts drivers signed under the pre-attestation cross-signing regime, so Windows loads it. Revocation does not help here: kernel-mode driver signature checks do not consult certificate revocation lists at load time, which is why Microsoft maintains a separate vulnerable driver blocklist.
This allows attackers to:
- Load the driver into the kernel.
- Reach its IOCTL interface (control code 0x223078).
- Terminate Protected Process Light (PPL) services, which user-mode code cannot kill even when running as SYSTEM.
Targeted Security Vendors
The malware includes a hardcoded list of 59 security processes, including:
- Microsoft Defender
- CrowdStrike
- SentinelOne
- Carbon Black
A kill loop runs every second to continuously terminate any restarting services.
Defensive Recommendations
- Monitor for unusual VPN logins, including from IPs such as 69.10.60[.]250, and for internal scanning that begins shortly after a VPN session is established.
- Alert on kernel service creation (System log Event ID 7045) with names like OEM Hardware HAL Service, or with a driver image path outside System32\drivers such as anything under ProgramData.
- Audit driver loading behavior and enforce stricter DSE policies: enable the Microsoft vulnerable driver blocklist and, where the hardware allows it, HVCI or a WDAC policy, so that revoked or legacy-signed drivers cannot load at all.
- Use behavioral EDRs that detect timestomping, BYOVD, and IOCTL abuse.
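The dropper tactics above (the ProgramData path, the OEM Hardware HAL Service name, the timestomped file, the revoked signature) and these recommendations can be turned into one host-side triage. The following Python is an added example, not Huntress's detection logic or this post's code: it scores each 7045 service-install event against the Sysmon driver-load event for the same image and against the file's timestamps, over constructed event records. The indicators are quoted from the post; the benign cntnic.sys driver, the event field names, the signature status string "Revoked" and the fn_created field (assumed to come from an MFT parser, since $FILE_NAME times are not settable through SetFileTime) are assumptions.

```python
"""Added example (not Huntress's or this post's code): host-side triage of a kernel
service install, combining the 7045 event, the Sysmon driver-load event and file
timestamps. All event records below are constructed."""
from datetime import datetime

# Indicators quoted from the post (paths compared lowercase).
IOC_SERVICE_NAMES = {"OEM Hardware HAL Service"}
IOC_DRIVER_PATHS = {r"c:\programdata\oem\firmware\oemhwupd.sys"}
IOC_PE_ORIGINAL_NAMES = {"enportv.sys"}
# Where kernel drivers normally live; a driver under ProgramData is suspect on its own.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_ts(s):
    return datetime.fromisoformat(s)


def timestomp_indicators(meta):
    """Heuristics for rewritten $STANDARD_INFORMATION times.
    'fn_created' is assumed to come from an MFT parser; SetFileTime cannot rewrite $FILE_NAME."""
    reasons = []
    si_created = parse_ts(meta["si_created"])
    si_modified = parse_ts(meta["si_modified"])
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        reasons.append("creation and modification times have a zero sub-second part")
    if "fn_created" in meta and si_created < parse_ts(meta["fn_created"]):
        reasons.append("$SI creation earlier than $FN creation")
    return reasons


def score_service_install(install, driver_loads, file_meta):
    """Return the reasons one 7045 (service installed) event looks like a BYOVD drop."""
    reasons = []
    image = install["image"].lower()
    if install["service"] in IOC_SERVICE_NAMES:
        reasons.append("service name matches known IOC")
    if image in IOC_DRIVER_PATHS:
        reasons.append("image path matches known IOC")
    if install["type"] == "kernel mode driver" and not image.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("kernel driver installed from outside the driver directories")
    load = next((d for d in driver_loads if d["image"].lower() == image), None)
    if load and load["signature_status"] != "Valid":
        reasons.append(f"driver signature status {load['signature_status']}")
    meta = file_meta.get(image)
    if meta:
        if meta.get("pe_original_name", "").lower() in IOC_PE_ORIGINAL_NAMES:
            reasons.append("PE OriginalFilename matches known IOC")
        reasons.extend(timestomp_indicators(meta))
    return reasons


def triage_service_installs(installs, driver_loads, file_meta):
    """One alert per service-install event that scored at least one reason."""
    alerts = []
    for inst in installs:
        reasons = score_service_install(inst, driver_loads, file_meta)
        if reasons:
            alerts.append({"ts": inst["ts"], "service": inst["service"],
                           "image": inst["image"], "reasons": reasons})
    return alerts


SAMPLE_SERVICE_INSTALLS = [   # System log, Event ID 7045; constructed
    {"ts": "2026-02-03T09:14:22.481234+00:00", "service": "OEM Hardware HAL Service",
     "image": r"C:\ProgramData\OEM\Firmware\OemHwUpd.sys", "type": "kernel mode driver"},
    {"ts": "2026-02-03T09:20:01.503311+00:00", "service": "cntnic",
     "image": r"C:\Windows\System32\drivers\cntnic.sys", "type": "kernel mode driver"},
]
SAMPLE_DRIVER_LOADS = [       # Sysmon Event ID 6 (DriverLoad); constructed
    {"ts": "2026-02-03T09:14:23.102000+00:00",
     "image": r"C:\ProgramData\OEM\Firmware\OemHwUpd.sys", "signature_status": "Revoked"},
    {"ts": "2026-02-03T09:20:02.000000+00:00",
     "image": r"C:\Windows\System32\drivers\cntnic.sys", "signature_status": "Valid"},
]
SAMPLE_FILE_META = {          # keyed by lowercase path; si_* from stat(), fn_created from an MFT parser
    r"c:\programdata\oem\firmware\oemhwupd.sys": {
        "si_created": "2019-11-15T04:10:00.000000+00:00",   # stomped to look old
        "si_modified": "2019-11-15T04:10:00.000000+00:00",
        "fn_created": "2026-02-03T09:14:21.990412+00:00",   # real drop time survives in $FILE_NAME
        "pe_original_name": "EnPortv.sys",
    },
    r"c:\windows\system32\drivers\cntnic.sys": {
        "si_created": "2025-06-01T11:02:37.553192+00:00",
        "si_modified": "2025-06-01T11:02:37.553192+00:00",
        "fn_created": "2025-06-01T11:02:37.553192+00:00",
        "pe_original_name": "cntnic.sys",
    },
}

if __name__ == "__main__":
    for alert in triage_service_installs(SAMPLE_SERVICE_INSTALLS, SAMPLE_DRIVER_LOADS, SAMPLE_FILE_META):
        print(alert)
```

Two of the checks survive a renamed driver and a renamed service: the image path outside the driver directories, and the $SI/$FN mismatch. The hardcoded IOC matches are cheap to include but should not be what the rule depends on, since a path and a service name are trivial for the next campaign to change.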
Final Thoughts
This campaign shows how attackers are weaponizing legacy trust models to blind modern defenses. SonicWall SSLVPN credentials are only the entry point; the real damage happens in the kernel.