Pour one out for us
Posted by roger_27@reddit | sysadmin | View on Reddit | 291 comments
I'm the IT director but today I was with my sysadmin (we're a small company). Crypto walled, 10 servers. Spent the day restoring from backups from last night. We have 2 different backup servers. One got encrypted with the rest of the servers, one did not. Our esxi servers needed to be completely wiped and started over before putting the VM backups back on. Windows file share also hosed. Akira ransomware. Be careful out there guys. More work to do tomorrow. 🫠
SOLIDninja@reddit
Ah crap.
Oh okay, sweet. We don't use Sonicwall but I'm going to tell the boss about this Monday to back me up on getting rid of VPN access for our last 2 old dogs that refuse to learn the new tricks I've provided them (one is my boss's dad and the "retired" owner that refuses to actually quit at 80+ years old).
FaYednb@reddit
what alternative to vpn did you implement? cheers
Agreeable_Dentist833@reddit
The vulnerability has to do with SSL VPN. Regular IPSEC VPN is unaffected.
SuddenPitch8378@reddit
To get an understanding of how bad SSL-VPN is, Fortigate have completely removed it as a feature because they cannot secure it reliably. You should not be using this for anything other than home, and even then IPsec is a better choice. This is coming from someone who really loves SSL VPN.
jimjim975@reddit
Fortinet removed it because they don’t pay a lot to their software engineers. Their software engineering is a laughable joke, which means their info and opsec is much much worse. The reason they can’t secure sslvpn is because they’re bad at what they do.
SuddenPitch8378@reddit
If Fortinet devs are bad at what they do, then what are Cisco devs? Do they have to pay Cisco to work there?
jimjim975@reddit
You really trying to say fortinet is above Cisco in terms of security of their firewalls? You’re kidding, right?
tdpokh2@reddit
checkpoint is better but Cisco is miles away from fortigate lol. my old mgr had a name for sonic walls - "Mickey mouse firewalls"
jimjim975@reddit
Ciscos issue is that they’re super duper horrible at logistics and can’t mass produce to save their life. Meraki would be better if the product was actually available, but Cisco really screwed the pooch on it.
stillpiercer_@reddit
Meraki seems to have no issues getting hardware to us within a day or two, but they have insurmountable issues with putting firmware on that hardware that actually fucking works.
We’ve had three cases within the last week alone (different devices) where a very core feature (think: the Ethernet port on an access point!!!!!) just decided to not work at all because of a known firmware bug, on the current stable release firmware!
SuddenPitch8378@reddit
So you're saying that the biggest networking vendor in the world cannot develop a competent firewall product because they are bad at logistics. They have allowed Fortinet and Palo to build billion-dollar businesses and dominate the market. Their response was Firepower... a reskinned ASA with lacklustre L7 features. Cisco have consistently written bad software; anything outside of the actual firmware for their networking products is either garbage or was from an acquisition (Meraki etc.). Cisco should be so far ahead of the pack, it's like running a marathon where you get a 13.1 mile head start... except Cisco decided to take a nap and everyone else ran past them. Don't get me started on ISE, absolute garbage.
jimjim975@reddit
I agree with you entirely. I totally should’ve added a disclaimer that Cisco has certainly fallen from its once original glory, definitely. The other vendors have overtaken Cisco for sure by now, it just sucks that there really isn’t that great of a vendor option currently regarding op/infosec.
tdpokh2@reddit
I like meraki, I don't like that it's cloud-only. or at least that's what I knew several years ago - ssh was off and couldn't be turned on
jimjim975@reddit
Yep that’s the issue with it now too, they went too user centric instead of putting network engineers first who thrive on the command line.
tdpokh2@reddit
That's a big part of the reason why I went to Ubiquiti. I want that IOS interface and it feels, idk, lesser without it.
jimjim975@reddit
My homelab is ubiquiti. Work datacenter is a mixture of Cisco and fortigate.
Atrium-Complex@reddit
I read the writing on the wall when that announcement came out. Give it about 3 years for every single other FW or VPN service to deprecate SSL-VPN in favor of IPSEC
lobstercr33d@reddit
So about the time I got into the networking field I feel like everyone was switching from IPSEC to SSL-VPN because you didn't have to worry about it being blocked like you did with IPSEC.
What changed that no one seems to consider that an issue now? I feel like I missed something...was that concept always mostly FUD?
Atrium-Complex@reddit
The only time I have run into IPSEC being blocked by ISPs was when my international sales people went to South America. Otherwise, it was never an issue. Love using IPSEC over SSL.
taw20191022744@reddit
I don't know how many times I said this to my team, but IPsec has so many fewer vulnerabilities than SSL.
flecom@reddit
Is their SSL VPN just OpenVPN?
lebean@reddit
OpenVPN is quite different from the SSL VPNs that are making all the news lately for allowing attacks. Fortigate, Cisco, Palo Alto, etc. all have their SSL VPN varieties and all have had significant problems that led to compromises.
With a properly set up OpenVPN server, only the VPN port is "open" to the internet, and if you do tls-auth (crazy not to), then only your configured clients can talk to it at all. To everything else, any probes are just dropped and it looks like the port is dead/closed just like all the rest of the system. WireGuard is similar: if you aren't a valid client then traffic is just dropped, so you can't even tell there's a VPN host there at all.
No_Resolution_9252@reddit
No, not really. Your entire second paragraph is how any certificate-authenticated VPN works and has worked for a couple of decades. There have been at least two OpenVPN vulnerabilities just this year. There is no product or tech selection that ever enables any organization to be lazy about management.
FaYednb@reddit
that's true, yes, but SOLIDninja said they are getting rid of VPN access. I guess it depends what the VPN access was for in the first place.
Avas_Accumulator@reddit
Any modern SSE/SASE VPN where there is no public endpoint you own that a hacker can exploit. The public front is then maintained by a large team at say Zscaler instead of yourself, and it also ensures you have pre-auth to all resources.
PrepperBoi@reddit
It works well but their bandwidth can be slow at times.
Avas_Accumulator@reddit
I haven't experienced that but it's important to choose a provider with a great network and PoPs
PrepperBoi@reddit
We have slowdowns between east and west at times
thatagory@reddit
My place usually gets them a login to the agent portal with only access to their computer and have them remote into their pc with the rmm tool.
fencepost_ajm@reddit
I had one place where, prior to us coming along, they had two ports open to the world to allow one semi-remote owner to use Goldmine Sync. Anything Ivanti makes me twitch, and I can't imagine Goldmine gets a lot of love these days.
Small company, the fix was a two node Zerotier network between the server and his laptop, traffic restricted to only the ports required.
GDejo@reddit
I have been fighting with Ivanti for the past month because of a CVE they have yet to patch... not to mention all the crap they put their customers through late last year.
prsr97@reddit
We got hit by Akira last year due to Sonicwall SSL vulnerability. Now we are using Checkpoint SASE / Perimeter 81 solution for remote access.
SOLIDninja@reddit
So the thing about our situation is that the two old dogs VPN in to use Windows' built-in Remote Desktop and nothing else, so my solution of getting people to use GoToMyPC or Splashtop depending on how sophisticated their needs are won't be the same panacea for people with branch office VPN setups or anything else.
Win_Sys@reddit
Not the person you responded to but been seeing a lot of companies transitioning to ZTNA. Uses WireGuard or IPSec under the hood and is usually certificate based.
FaYednb@reddit
makes sense, yeah. gotta talk to my colleagues about that
kittyyoudiditagain@reddit
Good grief. We are starting to store data as objects to lower our risk. It's the file system. They are looking for file types and encrypting. File systems are the vulnerability. I wake up with night sweats thinking about this situation.
No_Resolution_9252@reddit
It doesn't matter what the exact vulnerability was, because those types of vulnerabilities can show up in anything. What does matter is the mismanagement of the network.
There is no justifiable excuse to not patch things short of a network that is hardened and airgapped to not need it (lots of work to set up, an airgap with holes poked in it is not an airgap)
Using privileged accounts to authenticate a VPN is not justifiable
lebean@reddit
I am soooo, so glad that I've kept VPN completely off of our firewalls for the last 20 years of work. Custom ansible role to build redundant OpenVPN hosts w/ per-client specific iptables/nftables rules, never the smallest issue. Now slowly migrating some to tailscale but OpenVPN has never let me down across two companies.
SSL VPN on firewalls is just absolute madness, and has caused so many compromises like this.
BankOnITSurvivor@reddit
My former employer deploys SonicWall. If this was caused by a SonicWall vulnerability, my former employer may be in for a fun time.
DarkAlman@reddit
OP has confirmed MFA wasn't enabled and wasn't running the latest firmware.
Sonicwall confirmed last week this wasn't a zero day.
BankOnITSurvivor@reddit
I understand that let them in the SonicWall. My question is how code was executed on the servers and VMs to encrypt them. Ideally they had their own credentials.
DarkAlman@reddit
Reading his other comments confirmed what I suspected.
I've seen Akira use VPN to breach customers and then encrypt ESX hosts using known vulnerabilities.
They breach the HTTPS or SSH connection to the host, and then run scripts to encrypt the OS disks and VM datastores.
OP confirmed they were standalone hosts, and from personal experience those tend to not get patched regularly (or ever) because it's a giant pain to do.
BankOnITSurvivor@reddit
Ahh thanks.
I’m guessing Windows Hyper-V hosts are unlikely to be affected then.
DarkAlman@reddit
No, they are just vulnerable to all the usual Windows Exploits
OkHealth1617@reddit
How did this happen?
ExceptionEX@reddit
Most common vector at the moment is fucking Cisco VPN. This has been a rough year after their source got leaked turning up all sorts of unauthorized code execution exploits.
Their handling of it too is abysmal; they seem to be patching as discovered externally and not doing much to resolve the issues externally.
Layer_3@reddit
Sonicwall SSLVPN is having the exact same issue with Akira ransomware
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
DarkAlman@reddit
The MFA bypass seems to be a red herring.
Deeper dives into the stories don't add up.
The incidents in question weren't running current firmware after all, and had local users that may have had weak passwords or been brute forced. MFA probably wasn't even enabled on the account.
Appropriate-Work-200@reddit
Akira is the payload, but the sploits are unique to the target. It sounds like some crims and/or unfriendly state actors spent a boatload of Bitcoin on some infrastructure RCEs.
Appropriate-Work-200@reddit
Lol. Meta was still using Cisco VPN in 2022 and the dude who originally set it up was a major prick. I suggested they might think about WireGuard and they acted like I was talking French.
Chris_Hagood_Photo@reddit
Do you mind providing more information on this?
ExceptionEX@reddit
Here is a list of the CVEs (Common Vulnerabilities and Exposures): https://sec.cloudapps.cisco.com/security/center/publicationListing.x
ArcaneDoor was the zero day that wrecked a ton of ASAs (firewalls).
This shows all the things they have published thus far.
As far as the leak, there were two that I am aware of:
1) happened in 2022 I believe; honestly it's late and I don't feel like googling it.
2) https://www.securityweek.com/cisco-confirms-authenticity-of-data-after-second-leak/
zatset@reddit
Sometimes I am so glad that I use less known or popular solutions... I heavily use IPSec and OVPN with encryption and certificates pumped to the max possible levels.
MrExCEO@reddit
Does MFA help in this situation? Everyone I know is moving from IPsec, trying to understand.
ExceptionEX@reddit
MFA helps with one of the problems, but not the most recent one being exploited, though that patch has been out for a while, so if you have Cisco gear it's like you need to keep that page on refresh, and be ready to update a lot.
MrExCEO@reddit
So it’s Cisco, not ssl overall?
ExceptionEX@reddit
No. SSL, when configured properly, is what secures 90% of computing. Though the proposed changes to lessen SSL certificate validity times are going to be a security improvement, to lessen the amount of time a compromised cert is vulnerable. It's going to require major changes to be able to implement some auto-renewal system, which is going to force out some older, even secure, systems.
zatset@reddit
People move away from IPSec, because it isn't as easy to configure as other solutions. But it is a staple in site to site VPN-s. Also, Cisco kind of stalled the development of their original 64bit client to force people to move to AnyConnect. OpenVPN does a pretty good job in site to client VPN-s.
MrExCEO@reddit
Is it purely a Cisco issue then?
zatset@reddit
It is vendor lock-in problem.
People think (and in a certain sense it might be true) that vendors providing custom implementations that integrate well with the rest of the ecosystem save money and make it easy to manage things as one system where everything is integrated.
But...
The reality is that sooner or later exactly this is used to vendor lock-in people and companies, because nothing you use has any interoperability with any other system any longer, at least without severely compromising security or limiting functionality.
Then...
You are at the mercy of the vendor. And as long as the vendor can make it so that migration of switching to any other solution is impossible or a path of misery and switching is more expensive than paying the vendor, that vendor gets tolerated.
Well...
The repercussions are... something like what the author/OP already mentioned. Large breaches, slow fixes. CVE-s, yet sluggish reaction to them. Yet, you cannot just change gear, so instead of freely choosing other vendor, actually you don't really have a choice. So, you both continue to pay them and then pay in manhours and company reputation/data to restore systems after security breaches.
That's why....
I always try to use industry standards and secure implementations that are standards or de facto industry standards, and tend to avoid "custom/nonstandard vendor implementations". Cisco in particular... likes to create proprietary solutions and implementations.
Sudden_Office8710@reddit
ASA? They’ve been EOL for more than a decade. You’ve got to use the new Firepower if you’re sticking with Cisco garbage. It’s about as bad as using Fortigate
Own-Drawing-4505@reddit
It’s not a fair comparison between asa and fortigate 👍
wholeblackpeppercorn@reddit
yeah, I don't think I'd even take a job if they were a Firepower/ASA shop, if I had the choice
ExceptionEX@reddit
It blows my mind how much they want for it, and Firepower's UI looks like it's some jQuery UI crap. I remember when they were seen as the gold standard; now they just make me sad.
rodder678@reddit
Uhh, they still sell the latest generation of FPR appliances with -ASA SKUS that come preloaded with ASA software. The only difference between an old ASA and a new FPR with an ASA image loaded is the command to upgrade firmware.
ExceptionEX@reddit
They have been end of life for 3 years, and are still supported and release software updates.
There are literally over a million of them in service.
I agree Cisco shit is over priced trash but that doesn't change the reality or the ecosystem and why so many things are being compromised.
man__i__love__frogs@reddit
Aren’t ASAs end of life?
mindracer@reddit
Asa 5516 are still not EOL, next year
skylinesora@reddit
People are still running ASAs? I thought that was his point, they are all EOL.
ExceptionEX@reddit
Cisco has this very interesting thing, where though they have announced things like the product is EOL and 1yr prior to that end of sale.
But you can, and people are readily buying them today from reputable vendors. One of the orgs we work with that asked us to do a sanity check on a proposal from their local IT vendor in 2024 had 3 offices and a colo all using 5500x series equipment. Needless to say we put a stop to it. But there are a lot of people who swear by them because they used them for a decade, and can't wrap their head around the fact that these things are so compromised you might as well just use a home router and a Raspberry Pi based VPN.
skylinesora@reddit
Yup, I’m aware Cisco lists EOL products. I just haven’t looked in a few years as I no longer support firewalls. I used to support 5505, 5506, and I think they were 5545, which were already either EOL or about to be EOL.
The FTD version on the 5545 was like 6.6 or something
frosty95@reddit
Can use anyconnect with meraki
magpiper@reddit
Cisco VPN is a hot mess. Provisioning is far too complicated and full of serious pitfalls. Was never a fan, as better solutions exist. But oh, it's Cisco; that mentality has cost companies. I can only imagine the ugly code underneath being hacked to pieces in order to work.
EatenLowdes@reddit
But OPs issue was SonicWall and they are having a massive issue with their SSL VPN right now and vendor support has been very bad
DarkAlman@reddit
It was a breach via the Sonicwall SSLVPN.
OP confirmed he didn't have MFA enabled for VPN and was running older firmware.
There's a bunch of known SSLVPN vulnerabilities in the older Sonicwall firmware.
Sonicwall recommends upgrading to 7.3 but these breaches seem mostly related to bad security practices (lack of MFA, no password rotation, old accounts not being pruned) etc
AubsUK@reddit
If I was going to set up malicious scheduled tasks, I wouldn't set up new ones, I'd use existing ones, and ideally existing ones that were disabled, so as not to damage anything while I was "working", and not leave much of a track.
roger_27@reddit (OP)
Also did modified date hah
Call_Me_Papa_Bill@reddit
Don’t reconnect any restored servers to the outside world until you’re sure you’ve taken back positive control (krbtgt reset, all admin passwords reset, all service accounts with admin access reset, etc.)
roger_27@reddit (OP)
My heart tells me they aren't gonna come back. My heart tells me they try to attack and move on. I actually am waiting on 2 more servers to restore and then yeah, changing the administrator password. I found the .EXE encryptor program on my file server. I promptly deleted it. I also found winpcap installed on a server in the last 3 weeks that wasn't installed on it by me or my other guys, with the same install date as the exe encryptor creation date. I also found an SSH tunnel .EXE that I promptly deleted. Then I denied all WAN -> LAN services, then I disabled all types of VPN. I'm also checking task manager on all of the restored servers pretty much every hour. And checking modified dates in file explorer on all servers every couple of hours to make sure they don't get encrypted again. With each hour I am more confident it's out.
I also looked at the task schedulers for all the servers, but those things are huge, I did my best to peruse them.
But they just encrypted everything Friday morning, it hasn't been 48 hours yet, I think they are gonna wait for me to try and contact them in their chat. I am working as fast as I can.
The way these groups do all this stuff en masse, I think they aren't the kind of people to come back and try again, and again.
But who knows right
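The checks OP describes doing by hand every hour (scheduled tasks, modified dates, unexpected installs, a dropped tunnel binary) can be put in one script so they run the same way on every restored server. This is an added example, not OP's or any vendor's code; `$Since` (the earliest date the intruder could have been present) and `$WatchPaths` are assumptions to adjust to the incident.

```powershell
# Added example: post-restore triage on a Windows server, covering the checks OP ran by hand.
# Assumptions: $Since is the start of the window the intruder could have been present (OP saw an
# install about 3 weeks old); $WatchPaths are the shares whose modified dates are being watched.
function Get-PostIncidentTriage {
    param(
        [datetime]$Since = (Get-Date).AddDays(-21),
        [string[]]$WatchPaths = @('C:\Shares')
    )
    # Anything launched from outside Windows or Program Files deserves a look.
    $trustedPath = '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'

    # 1. Scheduled tasks. An intruder may reuse an existing or disabled task rather than add one,
    #    so judge each task by what it executes and when it was registered, not by its name.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = $task.State
                Registered = $task.Date
                Execute    = [Environment]::ExpandEnvironmentVariables($action.Execute)
                Arguments  = $action.Arguments
            }
        }
    }
    $suspectTasks = $tasks | Where-Object {
        $_.Execute -notmatch $trustedPath -or
        $_.Arguments -match '(?i)-enc|frombase64|iex|downloadstring|\\temp\\|\\programdata\\|\\users\\' -or
        ($_.Registered -and [datetime]$_.Registered -ge $Since)
    }

    # 2. Services: the same rule applied to each service binary path.
    $suspectServices = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch $trustedPath } |
        Select-Object Name, State, StartMode, PathName

    # 3. Software installed since $Since (OP found WinPcap with the encryptor's creation date).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $recentInstalls = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
        ForEach-Object {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            if ($installed -ge $Since) {
                [pscustomobject]@{ Name = $_.DisplayName; Installed = $installed; Publisher = $_.Publisher }
            }
        }

    # 4. Processes holding network connections that run from an untrusted path
    #    (this is how a dropped SSH tunnel binary shows up while it is in use).
    $procPaths = @{}
    Get-Process | ForEach-Object { if ($_.Path) { $procPaths[$_.Id] = $_.Path } }
    $suspectConnections = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        Where-Object {
            $p = $procPaths[[int]$_.OwningProcess]
            $p -and $p -notmatch $trustedPath
        } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
            @{ n = 'Process'; e = { $procPaths[[int]$_.OwningProcess] } }

    # 5. Recently written files on the watched shares, grouped by extension. A new extension
    #    suddenly dominating the list is what re-encryption starting again looks like.
    $byExtension = Get-ChildItem -Path $WatchPaths -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Group-Object Extension | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10

    [pscustomobject]@{
        SuspectTasks       = $suspectTasks
        SuspectServices    = $suspectServices
        RecentInstalls     = $recentInstalls
        SuspectConnections = $suspectConnections
        RecentFilesByExt   = $byExtension
    }
}

# Review the output rather than auto-deleting: the binaries and their timestamps are the
# evidence of how and when the intruder got in.
$report = Get-PostIncidentTriage -Since (Get-Date).AddDays(-21) -WatchPaths 'C:\Shares'
$report.SuspectTasks       | Format-Table -AutoSize
$report.SuspectServices    | Format-Table -AutoSize
$report.RecentInstalls     | Format-Table -AutoSize
$report.SuspectConnections | Format-Table -AutoSize
$report.RecentFilesByExt   | Format-Table -AutoSize
```

For the hourly re-encryption check, call it with a short window (`-Since (Get-Date).AddHours(-1)`) and watch only `RecentFilesByExt`; the longer window is for the one-time sweep of persistence.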
techguy1243@reddit
u/roger_27 Did you have an EDR in place?
roger_27@reddit (OP)
No. I will now hah!
MrYiff@reddit
Another task if you haven't already done so is to reset the krbtgt account as if this was compromised it would allow an attacker to essentially issue kerberos tickets as any account.
Generally this is the recommended script to use to ensure a safe reset of this account (reset it too fast and you can invalidate every kerberos ticket and end up needing everyone to reboot and login to the domain again), there is an older version in an archived MS repo but this is by the same author (he's just no longer an MS employee), but more up to date:
https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
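Before reconnecting anything, it helps to verify that the "positive control" steps from the comments above actually landed: krbtgt reset, every admin account and every admin-capable service account reset, and no privileged account created during the intrusion. This added example is not the linked script's code or Microsoft's; it only reads Active Directory and reports what still needs resetting. The incident date and the group list are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example: report privileged accounts whose password predates an assumed incident date.
# Read-only; it does not reset anything (use the linked script for the krbtgt reset itself).
Import-Module ActiveDirectory

function Test-PositiveControl {
    param(
        [Parameter(Mandatory)][datetime]$IncidentDate,   # assumed: first day of intruder activity
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Backup Operators',
                                        'Server Operators')
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # krbtgt (plus krbtgt_* accounts for read-only DCs). The KDC still honours tickets made
    # with the previous krbtgt key, so one reset is not enough; the linked script does the
    # second reset after a safe interval. msDS-KeyVersionNumber increments on each reset, so
    # comparing it with the value before the reset shows how many resets actually took effect.
    Get-ADUser -Filter 'Name -like "krbtgt*"' -Properties PasswordLastSet, 'msDS-KeyVersionNumber' |
        ForEach-Object {
            if ($_.PasswordLastSet -lt $IncidentDate) {
                $findings.Add([pscustomobject]@{
                    Account         = $_.SamAccountName
                    Issue           = 'krbtgt not reset since incident'
                    PasswordLastSet = $_.PasswordLastSet
                    KeyVersion      = $_.'msDS-KeyVersionNumber'
                })
            }
        }

    # Every user in the admin groups, nested membership included.
    $privUsers = foreach ($group in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user'
        } catch { }   # Schema/Enterprise Admins exist only in the forest root domain
    }
    $privUsers = $privUsers | Sort-Object -Property DistinguishedName -Unique

    foreach ($member in $privUsers) {
        $user = Get-ADUser -Identity $member.DistinguishedName `
            -Properties PasswordLastSet, Enabled, servicePrincipalName, whenCreated
        # An account with an SPN is a service account; in an admin group it is exactly the
        # "service account with admin access" the comment above says to reset.
        $kind = if ($user.servicePrincipalName.Count -gt 0) { 'admin service account' } else { 'admin account' }

        if ($user.Enabled -and $user.PasswordLastSet -lt $IncidentDate) {
            $findings.Add([pscustomobject]@{
                Account         = $user.SamAccountName
                Issue           = "$kind not reset since incident"
                PasswordLastSet = $user.PasswordLastSet
                KeyVersion      = $null
            })
        }
        # A privileged account created around the incident is a likely intruder backdoor.
        if ($user.whenCreated -ge $IncidentDate.AddDays(-30)) {
            $findings.Add([pscustomobject]@{
                Account         = $user.SamAccountName
                Issue           = "$kind created within 30 days of incident"
                PasswordLastSet = $user.PasswordLastSet
                KeyVersion      = $null
            })
        }
    }
    return $findings
}

# Assumed incident date; an empty table means every check passed.
Test-PositiveControl -IncidentDate (Get-Date '2025-08-01') | Format-Table -AutoSize
```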
roger_27@reddit (OP)
Thank you for this. Seriously.
lynsix@reddit
You happen to use Sonicwall with SSL VPN? We got notice from vendors Akira group was using some exploit for the SSL VPN to break in for a large % of their attacks this month. Sonicwall wasn’t sure if there was an unknown 0 day last I checked.
DarkAlman@reddit
OP confirmed that it was a Sonicwall running older firmware and wasn't running MFA.
OhioIT@reddit
How did they get your VMware environment? Was it encrypting at file system level or on the vms themselves?
DarkAlman@reddit
I've seen the Akira crew encrypt datastores in ESX, pooching the OS and making all the VMs inaccessible.
A lot of SMBs run standalone ESX hosts and don't ever patch them, despite there being a lot of vulnerabilities out there.
Without vCenter and SAN patching ESX is a giant pain because you have to take the entire host down, so a lot of companies don't patch them more than once a year... if ever.
You'd be shocked at how many SMBs still run ESX 6.x or even ESXi free, for that matter, in production.
What's made this worse is Broadcom. They are sending out cease and desists now to customers that patch out of contract so it's scaring customers into not keeping their environments up to date.
I'm still dealing with a bunch scrambling to migrate everything to Hyper-V or Proxmox... but hardware is expensive and it's a slow process.
roger_27@reddit (OP)
It encrypted the VM's and from what we can tell some of the esxi operating system files. The hosts were not working right. here's the real kicker: once we decided to wipe our esxi 7 hosts, we couldn't find an installer for ESXi anymore because it's discontinued.
Once we found it nested in Broadcom's stupid website, we saw they only have ESXi 8. Fine, we'll use 8. Well, 8 installs and then when you are up and running it tells you that you can't restore to that VM because you need a license key to enable restoration. It's a feature you have to pay for... But you can't get a license key because it's discontinued!! I had to go on "the dark web" and find a key for 8 enterprise or whatever. Now I have a registered version of ESXi 8. Dirty, I know, but it was the only way to get my shit back because I couldn't find an ISO for ESXi 7.
flying_postman@reddit
Were these standalone ESXi hosts or did you have vCenter? And if you did have vCenter, did you enable lockdown mode for the hosts? In our environment I make use of the vCenter firewall and restrict it to specific IPs in our network, and all our endpoints have MFA, but I'm still always worried about this.
roger_27@reddit (OP)
No v center, standalone esxi. We are a walnut company, we always thought we were "little fish" compared to companies "worth hacking" .. I guess times are getting tough for ransomware assholes too 😂
Yupsec@reddit
That's the biggest mistake a lot of companies make. There are no "little fishes", there's just food. You make any kind of money? You're a target.
enthoosiasm@reddit
Perchance do you use a sonicwall?
GroundbreakingCrow80@reddit
Are SonicWalls just targeted heavily or what? I rarely see any major vulns for our Firepower Threat Defense. We were looking at switching to Palo Alto but they have so many vulns found as well.
DarkAlman@reddit
Everything is vulnerable.
Fortinet + Cisco have announced as many if not more exploits in their SSL VPN products in the past couple of years.
Sonicwall is just the flavor of the week for Akira ransomware right now.
A month from now it will be another vendor.
What matters is how well the vendors respond.
SerialMarmot@reddit
Everything is vulnerable. It's just a matter of when
Appropriate-Work-200@reddit
False tautology. It's when people get too complacent, sloppy, and/or too reliant on a standard monoculture that it becomes a problem. If starting from defense-in-depth, reasonable paranoia mindset, then there's a lot more slices of cheese to catching things before the holes line up for a fail.
roger_27@reddit (OP)
Yep. Everyone's getting hit hard with Sonicwall and VPN. The crazy thing is, it had the newest firmware, dated 7/29.
Laroemwen@reddit
Was your SonicWall migrated from Gen6 to Gen7?
hsod100@reddit
u/roger_27 u/Laroemwen
So how do we reckon the migration exposes the local users on Sonicwall? Is it the migration tool itself?
I mean, the official bulletins say that weak or reused passwords get migrated over and can be exploited. But... they should be just as exploitable on the Gen 6 box. The fact of migration doesn't make it any more so (unless maybe they were disabled on the old one and somehow during the migration they became enabled). Not that the notes say that. The notes don't explain it.
hmmm
DarkAlman@reddit
Sonicwall hasn't released the details as to why that's considered a vulnerability... which is a tad disturbing.
It could be a case that the conversion process stores the imported passwords using an obsolete encryption method or hash.
Resetting that password then changes the password to modern encryption.
But that's just a theory.
It could just be those passwords are old and are on a rainbow table.
DisasterNet@reddit
I’ve never used the migration tool to migrate ever. I’ve never been so glad as of this week with the number of sonicwalls I’ve upgraded from 6 to 7. I’ve always rebuilt the new firewall by hand and used it as a chance to do some housekeeping.
roger_27@reddit (OP)
Yes
TheWino@reddit
Did you follow their guidance? https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
roger_27@reddit (OP)
I frickin turned off VPN for now.
enthoosiasm@reddit
Despite sonicwall reporting “high confidence” that there’s not a zero-day vulnerability, I haven’t rolled back my IP restrictions yet. I know Reddit is probably a low priority for you rn, but please speak up if this attack involved bypassing MFA.
DarkAlman@reddit
There's too many attacks happening right now
Everything points to this being bad security practices at this point, not a vulnerability.
You name it
jake04-20@reddit
Yeah that's the important detail I have yet to derive from reading comments. You'd have to assume that MFA was enabled for VPN in 2025 but who knows.
TheWino@reddit
I haven’t even turned my SMA back on.
Szeraax@reddit
Smart advice, especially if you use intune Private Access so that you don't even need a VPN anymore.
SerialMarmot@reddit
At least the outlook for firewalls looks manageable.. The advice we got from support for SMA and virtual appliances was to assume compromise has already happened and to blow it away and start over
Caeremonia@reddit
Lol, I read this as "(Microsoft) Outlook for Firewalls" and had a small seizure.
ka-splam@reddit
Zawinski's Law finally catching up with firewalls.
squuiidy@reddit
^^^ THIS
_DoogieLion@reddit
Did you have SSLVPN enabled on the firewalls?
roger_27@reddit (OP)
Yes
CatStretchPics@reddit
How did they get in?
roger_27@reddit (OP)
From what we can tell it was the sonicwall ssl vpn exploit. If you have a sonicwall with SSL VPN open, and run ESXi, you will be targeted. We will probably be looking into a separate VPN server and service once we clean up the mess.
Instagib713@reddit
How did you determine SSLVPN was the entry point? Was it just the fact that there was an ongoing SSLVPN issue getting a lot of attention or did you come across something more concrete?
roger_27@reddit (OP)
Nothing concrete, but I have sslvpn without 2 factor authentication. I found the encryption exe program, and I found an SSH tunnel exe program, and I found winpcap installed on a server. I deleted all of these.
DarkAlman@reddit
This is getting insane...
Solkre@reddit
What's the correlation between an appliance VPN and ESXi?
DarkAlman@reddit
There's a lot of exploits in ESX and vCenter
Broadcom recently started sending out Cease and Desists to customers that patch their servers off contract.
That and general bad patching practice leads to a lot of these attacks.
breakingbadLVR@reddit
Exactly what I was thinking lol
Darkhexical@reddit
Probably all the v center exploits.
Xesyliad@reddit
Now's the time to drop VPN and move to ZTNA.
RampageUT@reddit
Were you running Gen7, did you have MFA enabled, did you have an LDAP account with too many permissions? There was guidance about this from SonicWall on how to mitigate it.
roger_27@reddit (OP)
Yep, nope, I don't think so
Direct-Mongoose-7981@reddit
Were you using the sonicwall SMA or the Firewalls?
Front_Distance6764@reddit
Please tell me, what saved the second backup server from being encrypted? From your experience, what can others do to prevent backups and hypervisors from being encrypted?
xPansyflower@reddit
We for example backup onto tape which then is stored in a safe. Our backups are also immutable for 3 days so it can't be encrypted.
Upstairs_Peace296@reddit
What's to stop someone from wiping the library in, say, Veeam if they have admin access on the backup server?
DarkAlman@reddit
Nothing, and I've seen it happen
You need a combination of offsite immutable backups (deletion prevention) and airgapped backups.
In the most recent crypto attacks I've had to clean up, customers were saved by having a copy of their Veeam backups on an unplugged USB drive. Even then they lost a week's worth of work.
Bare minimum customers need to have immutable cloud backups these days.
Liquidfoxx22@reddit
The VBR server should not be domain joined, stopping them from getting to it. You should rotate tapes out of the library so they're actually offline. You should use immutable backups.
You should have security tools which detect the threat actors and stop them before they even get a chance to start encrypting.
TheEdExperience@reddit
Was this downvoted before I got here? This is actually good advice. Backup infrastructure should be as isolated as possible.
Upstairs_Peace296@reddit
Our Veeam server is standalone but backs up our Proxmox. Just remember you need to apply the same patches and lock it down with local GPO, or it'll be a wide open target even if it's not on the domain.
LickSomeToad@reddit
What do you recommend here?
Upstairs_Peace296@reddit
Use a patching and compliance tool like Intune or ConnectWise Automate and give it very restricted outbound internet access to update and monitor. You can create a local policy based on your existing group policy by, say, printing them off. Disable RDP, disable LLMNR, disable IPv6, NetBIOS in DNS settings, etc. Only the Veeam agents should be talking to the Veeam server, depending on what you're backing up.
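The lockdown described in this comment and the one above it (non-domain-joined backup server, RDP/LLMNR/NetBIOS/IPv6 off, only agent traffic in, only update traffic out) can be applied with local settings alone. This is an added example, not Veeam's or Microsoft's guidance: `$AgentSubnet`, `$UpdateHosts` and the backup ports are placeholders to take from your own network and your backup product's port documentation, and the registry values and cmdlets used are the built-in Windows ones.

```powershell
# Added example: local lockdown for a standalone (workgroup) backup server. Run elevated.
# Placeholders: $BackupPorts come from the backup product's documentation; $AgentSubnet is
# where the backup agents live; $UpdateHosts are the patching/update endpoints to allow out.
function Set-BackupServerLockdown {
    param(
        [Parameter(Mandatory)][int[]]$BackupPorts,             # PLACEHOLDER: product-documented inbound ports
        [string]$AgentSubnet   = '10.0.10.0/24',               # assumed agent network
        [string[]]$UpdateHosts = @('203.0.113.0/24')           # PLACEHOLDER: narrow to your update endpoints
    )
    # The comments above: the backup server must not be domain joined, or domain admin
    # credentials taken elsewhere reach it. Refuse to continue if it is.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'This server is domain joined; move it to a workgroup before locking it down.'
    }

    # 1. Remote Desktop off: administer from the console or a dedicated admin host.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord

    # 2. LLMNR off (local equivalent of the "Turn off multicast name resolution" policy).
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord

    # 3. NetBIOS over TCP/IP off on every IP-enabled adapter (2 = disable).
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

    # 4. IPv6 components off when nothing uses them (0xFF; effective after reboot).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -Name DisabledComponents -Value 0xFF -Type DWord

    # 5. SMBv1 off; the backup server should not be sharing files at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 6. Firewall: default deny both ways, then allow only backup traffic to/from the agent
    #    subnet and DNS plus HTTPS to the update hosts.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'Backup agents inbound' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $BackupPorts -RemoteAddress $AgentSubnet | Out-Null
    New-NetFirewallRule -DisplayName 'Backup agents outbound' -Direction Outbound -Action Allow `
        -RemoteAddress $AgentSubnet | Out-Null
    New-NetFirewallRule -DisplayName 'Updates outbound' -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 443 -RemoteAddress $UpdateHosts | Out-Null
    New-NetFirewallRule -DisplayName 'DNS outbound' -Direction Outbound -Action Allow `
        -Protocol UDP -RemotePort 53 | Out-Null
}

# Read the settings back so the lockdown can be re-checked after every patch cycle.
function Get-BackupServerLockdownState {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $dns = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainJoined    = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        RdpDenied       = $ts.fDenyTSConnections -eq 1
        LlmnrDisabled   = $dns.EnableMulticast -eq 0
        Smb1Enabled     = (Get-SmbServerConfiguration).EnableSMB1Protocol
        InboundDefault  = (Get-NetFirewallProfile -Profile Public).DefaultInboundAction
        OutboundDefault = (Get-NetFirewallProfile -Profile Public).DefaultOutboundAction
    }
}

Set-BackupServerLockdown -BackupPorts 9999 -AgentSubnet '10.0.10.0/24'   # 9999 is a placeholder port
Get-BackupServerLockdownState | Format-List
```

The outbound default-deny is what the comment means by "very restricted outbound internet access"; expect to add rules for the patching tool's own endpoints after watching its blocked traffic in the firewall log.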
TkachukMitts@reddit
One thing I’ve seen is that hackers will gain access and then sit dormant for a month. For a lot of orgs, that means the oldest backup still contains their presence, so you restore and boom they’re right back in your network.
xPansyflower@reddit
We actually have backups going back almost 15 years, but yes that is something that can happen
AutomationBias@reddit
15 years is great, but what about really patient hackers?
Darkchamber292@reddit
No hacker is waiting that long.
Appropriate-Work-200@reddit
Advanced Persistent Threat (APT) is that and they may not be using just kernel-/user-mode sploits that persist only within the filesystem. I'd be flashing all firmware of every piece of gear using a JTAG programmer and digital logic probes from known good hardware/BIOS files.
6e1a08c8047143c6869@reddit
Maybe the reason you haven't heard of them is because they are still waiting for you to let your guard down?
Chellhound@reddit
The slow blade penetrates the shield.
reilly6607@reddit
Harvest Now Decrypt Later is a real thing as well.
ptear@reddit
The long knife is the true sword.
Subnet_Surfer@reddit
Backup to a Synology and give your backup account access only to that file share. Turn on recycle bin, check the box for administrator only, or plug an external drive into the Synology, have your administrator account be the only one with access to it, and automate a copy over to that nightly.
How are they getting into a Synology's recycle bin with 2FA enabled, credentials stored nowhere, backup software won't have access to it, it won't be mapped anywhere? I just don't see it happening.
RizzMahTism@reddit
Synology? For business? You’ve got stones mah dude!
Subnet_Surfer@reddit
What's wrong with Synology for a business? What NAS are people trusting for business that isn't overkill for a backup store like TrueNAS would be? Or a security risk like QNAP has been?
I see tons of people on here using Synologys for businesses, didn't even know there was a stigma.
roger_27@reddit (OP)
We have an in-house configured backup server that runs Veeam Backup and Replication Enterprise or something (the paid version of Veeam), and it takes snapshots and puts them on there at a set of intervals.
We also have a service called iDrive; they send you a server to put on your rack, it runs Linux, and it does exactly the same thing as Veeam, but it also uploads the snapshots to their cloud.
PLUS it allows you to spin up a virtual machine off one of the backups ON the server itself. Pretty cool.
The local Veeam server got hit because it was in the same domain. I should have never joined it to the domain, as other users have pointed out.
But iDrive was unaffected.
GhostNode@reddit
Worth mentioning, Veeam published a critical vulnerability a few months back. While we’re all talking about vulnerabilities, patches, SSLVPN, and Veeam, I wanna recommend keeping an eye on your Veeam version, too.
harubax@reddit
Kudos for financing 2 different backup solutions!
odellrules1985@reddit
I got hit by Akira a while back. It was a person's account that was compromised, and they used SSLVPN to get in because it was on the default port. Then they used an admin account to pivot and encrypt the VM servers and delete the Veeam backups I was using. They didn't encrypt them, just deleted them, and the cloud backups (which I forget the name of) had no support or guide and were not immutable. Because of that I was able to recover the backup from that night through a third party recovery company.
Suffice to say I shut off SSLVPN until we secured it and made sure there was nothing in our network. Besides MFA, I locked it to only the US (would do IPs, but too many roaming people, construction company) and changed the default port. Although now I am thinking we might need to move to ZTNA....
Also cancelled the cloud storage and got a StoneFly appliance and cloud storage. Both are immutable. The appliance runs a Server Hyper-V which hosts the VEEAM server and then a SCVM and then the Linux storage. The VEEAM box sits on the network but not domain joined and the data storage sits on its own VLAN which I set to only be accessible by the IT user group that only I am a part of. It works pretty well so far.
BankOnITSurvivor@reddit
My former employer used iDrive, but they have had nothing but problems. I think one issue was email alerts failing to get sent, which was huge. We relied on the failed backup emails to generate tickets so the issue could be addressed. I know they could have been proactive, but who wants to do that? Being proactive about a lot of things did not appear to be a part of their processes.
roger_27@reddit (OP)
That's so weird. I have the opposite problem. It emails me constantly 😂 to the point where I had to start doing rules and putting it in a separate folder, but when I did that I started ignoring it 😭. Now we just log into it every one or two weeks. It's really easy: just go to the IP address and log in, and the dashboard is the first thing you see. Most of the time if I call support I get a person right away. But with this disaster that happened on Friday I actually was not able to get a hold of a person right away, and it kind of sucked because I really needed them. I did have a bunch of weird problems with it when it was getting full, though; I feel like it needs a lot of extra room to function properly. Once it starts getting to 10% left it becomes really unresponsive and frustrating.
BankOnITSurvivor@reddit
We had a compliance manager set most of ours up. I think I remember him telling me that the machines lock down when they reach 90%, requiring iDrive support's intervention.
Did they get you through the sslvpn? Even if they got in, I don’t see how they would have system access to encrypt everything. I would assume domain admin credentials would be needed and root credentials for the VMware host, and local admin credentials for anything else.
mahsab@reddit
separate networks
firewall rules to servers
no backup servers or hypervisors joined to domain
definitely no public NFS or SMB shares where VMs or backups are hosted
Front_Distance6764@reddit
I'll add, in response to my own question:
Two-factor authentication (2FA) wherever possible.
Mirroring copies into a separate immutable repository. For example, for Veeam - deploying a separate Linux server - Veeam Hardened Repository ISO image on "bare metal". Disabling IPMI and SSH on it for security purposes.
VexingRaven@reddit
Number 1 rule is don't allow AD accounts, or at least not your regular domain, to log in to your backup server. If you must access it that way, it must be only read-only access. The backup server should operate on one-way access: It can access your environment to take backups, your environment cannot access it.
Cautious_Winner298@reddit
Do the 3-2-1 method
Solkre@reddit
Have your backups on a completely separate system with NO shared or common passwords.
ThatGuyFromDaBoot@reddit
Your hypervisor and backup systems should have separate security domains, i.e. not on the domain. Make sure you have at least one offline backup that can't be deleted and everything public facing uses MFA.
Cautious_Winner298@reddit
Honestly ESXI is pretty fucked. Been hearing a lot like this lately.
Appropriate-Work-200@reddit
I swear Broadcom (mkt cap 1.4T) will buy IBM (mkt cap 225B) and SolarWinds just to monopolize and maximize enshittification of legacy software.
canchanchan386@reddit
My God in heaven. Poured out a shot of my best Glen. Hang in there, yous guys.
Appropriate-Work-200@reddit
Amen. I kicked over a pallet of Jameo on their behalf. These are bad times, and insecure code is fucking preventable, negligent bullshit.
Soggy-School-5883@reddit
Between all the SonicWall exploits, the Meraki MX75 and up firmware issues causing random reboots and all the FortiGate problems I've sold a LOT of Ubiquiti network hardware projects the last 6 months.
Darkk_Knight@reddit
We have a mix of Fortigate and pfSense out in the field. I use IPsec for site-to-site VPN, and WireGuard / OpenVPN behind Fortigate as a VM for access to the internal network. I haven't used Fortigate's SSL-VPN in ages as it's always been riddled with CVEs that will never get fully fixed. Seriously, who exposes the SSL-VPN web GUI to the internet? Nobody needs a web GUI login page for VPN as long as the VPN client and certificates are already installed.
Appropriate-Work-200@reddit
Come to the dark side of OPNsense Business VMs and DECISO Ryzen-based routers. ;0)
Or I'd deploy jumpboxes with OpenVPN and/or WG with OpenBSD.
MDM FTW for client certificate provisioning. Client platform engineering management is a whole art of hoop-jumping and clever, obscure hacks and automation to make complex de/provisioning shit work semi-simply for ordinary business end users.
Darkhexical@reddit
Just keep in mind the limitations of Ubiquiti hardware, i.e. lack of IPv6 and proper layer 3 routing. Some environments might utilize VRFs, etc., that may require a network redesign.
owenthewizard@reddit
Ubiquiti doesn't support IPv6?
Darkhexical@reddit
They're working on it, but ya, not really. Probably will get IPv6 before layer 3.
owenthewizard@reddit
Care to elaborate?
Appropriate-Work-200@reddit
Ubiquiti's switches and routers aren't really their bailiwick. If you stick to best-in-class hardware like using Ubiquiti for APs only, dual-stack works perfectly fine. Use real, proven, enterprise networking gear instead.
owenthewizard@reddit
I'd just like to know what he means by "doesn't support IPv6". Like at all?
Soggy-School-5883@reddit
With everyone moving on-prem infrastructure to the cloud and all the remote workers, we're finding fewer and fewer people need the advanced features and routing. There are still some holdouts with a lot of on-prem I wouldn't move to Ubiquiti. This is for the SMB market, of course.
MegaThot2023@reddit
I'm gonna guess you're talking about the "S" portion of SMB.
Appropriate-Work-200@reddit
Lol, yeah. Meta absolutely requires IPv6 because new/most internal infrastructure only supports that. If that's not working correctly, there's zero hope of doing real work.
project2501c@reddit
are you sure about that?
Caeremonia@reddit
Right? I had to check the date on this post to make sure I hadn't accidentally stumbled into a necro'd post from mid 2010s. Lol, we need to start teaching history of IT at universities. I've watched the pendulum of on-prem to cloud and back twice now. And that doesn't even count the swings before cloud existed and the pendulum swung between CPU power at the desktop vs CPU power centered in Terminal Services, etc.
Leopold_Porkstacker@reddit
We really need to get back to a mainframe only accessed by dumb terminals.
Oooh, maybe a cloud mainframe, that people use their phones to access and they can plug a keyboard into the phone.
Appropriate-Work-200@reddit
Never use Ubiquiti switches, only their Wi-Fi APs managed by a UniFi VM.
Never had any problems. My home router is a Deciso 740 OPNsense that does up to ~8G as a web-based pf firewall.
coolest_frog@reddit
Those limits don't seem bad compared to "don't turn on your VPN or you'll get ransomware".
StrikingInterview580@reddit
Just use ipsec rather than sslvpn
Darkhexical@reddit
It's moreso specifically sslvpn that has the issue. The other VPN products don't seem to have much of one. Ubiquiti also had an SSL VPN issue.
Appropriate-Work-200@reddit
Sell some Deciso OPNsense Business routers while you're at it.
(I use Ubiquiti and OPNsense at home. Fast as hell and it works.)
iama_bad_person@reddit
We use Meraki at work but have some smaller offices running Ubiquiti gear, and that convinced me to run it at home. Perfect for the 4 AP, 2 switch setup I have here for 4 PCs, 3 laptops, etc.
MenBearsPigs@reddit
I really love how Ubiquiti can be used at scale, but also for personal home use too.
Imagine licencing Meraki gear for home lol.
sephresx@reddit
As nice as the hardware looks, just no.
AlexEatsBurgers@reddit
Lol Ubiquiti
Disastrous_Yam_1410@reddit
You might actually want to wipe the firmware too. Hope your insurance company is helping.
RestInProcess@reddit
Cyber insurance is a must these days. I used to work for an insurance company that managed and sold it. The carrier even got hit with ransomware and had to use their own insurance. The whole company was working off paper for three (maybe more) months before they got their networks back.
Darkk_Knight@reddit
It took them MONTHS to fully recover? They need to review their DR plan!
Appropriate-Work-200@reddit
RestInProcess@reddit
Apparently, the public statement and news is that it was two weeks to get their network back up and running, but I know that's not the whole story.
sephresx@reddit
They implemented the Dilbert recovery plan.
x_Wyse@reddit
That sucks man. Just got a message yesterday morning from our cyber insurance about Akira gaining momentum as of late. We disabled SonicWall SSL VPN hours later.
Luckily, I'd spun up an OpenVPN access server in recent months. Bought some additional licensing and told the company you either pivot hard or you're coming in the office. Hopefully nothing got in.
Appropriate-Work-200@reddit
Deciso OPNsense business FTW. It's FreeBSD-based and they have VM and 25Gb hardware options.
SawTomBrokaw@reddit
In addition to Sonicwall VPN letting you down, which endpoint protection software let you down?
Obi-Juan-K-Nobi@reddit
CrowdStrike enters the chat
Appropriate-Work-200@reddit
At least it's not Microsoft Defender for Endpoint plan 2 untested defs removing all users' shortcuts making them think they've been ransomwared.
RunningAtTheMouth@reddit
Oddly, when my company got hit, I started to get emails right away. But Outlook's focused inbox thought they were less important. Had I seen them at 7 pm on Thursday, my Friday would not have sucked as bad as it did.
Crowdstrike has its problems, but its notifications have been pretty darned good for 2+ years for us.
Obi-Juan-K-Nobi@reddit
Other than that 1 incident, I don't really have an issue with the product. I do hate focused inbox with a passion. I turn all that help right off. If I want to filter things, I set up my own rules. Thanks again, MS!
That Friday morning sucked, but we pretty much had all critical systems back up by 9 and the rest of the servers up by 11. The desktops took a little longer to touch and they were done pretty much right after lunch.
no_regerts_bob@reddit
It sounds like they didn't have any
bitanalyst@reddit
I just don't understand operating with none.
no_regerts_bob@reddit
I've seen it at a lot of small businesses.
"Nobody logs into these things except admins, why would we need EDR?"
iRyan23@reddit
No budget
Appropriate-Work-200@reddit
Shit, I'm glad I don't work for Stanford ITS for many moons. I knew they were headed to spectacular failwhale. The Blaster-era RCE worms were bad enough and my shop had G-F-S offsite vaulted backups and the world's least reliable AIT-2 SSL2020, but the era of ransomware seems like it absolutely requires pristine and tested backups (not replication) and disaster recovery and business continuity planning (DR/BCP), or it's "driving without a seatbelt".
Personally, I never trusted SonicWALL, ASA/PIX, or pfSense. Always stuck with OPNsense and/or OpenBSD on the DMZ edge. Add SPA secure port knocking and 2FA (TOTP) when/where you can.
Neon-At-Work@reddit
Got MFA on your VPN?
espero@reddit
Sure... use more Linux at the core.
Samatic@reddit
Well if I was in your position I would replace cisco Sonicwall devices with Fortigate and make sure your Veeam backup server stays off the domain.
RizzMahTism@reddit
Nope not fortigate either, they’re one of the top two targets rn (sonicwall and fortigate). Switch off them if you possibly can.
Samatic@reddit
what do you recommend then with the least 0 day vulnerabilities?
RizzMahTism@reddit
Sounds like a Zerto use case tbh. Godspeed and good luck.
Cool_Bath_77@reddit
Would a program like Threatlocker have prevented this? I am pretty sure it can be added to VPN and VMs.
RunningAtTheMouth@reddit
Sonicwall VPN was our Achilles heel. Fortigates went in two months later. No VPN, no incoming routes at first (have two now, but getting rid of them), and everyone that needs access gets ZTNA. Akira was what got us. Eff them guys.
adorablejade@reddit
This was so helpful actually thank you
Totalmustarde@reddit
Working for business that hosts a file server which needs sonicwall vpn access to get to remotely.. we have had to switch that off right now until a fix is out.. thought maybe we should just host the file server on sharepoint but then remembered that they had a zero day only a few weeks ago. Let’s just go back to pen and paper 💀
Jacob247891@reddit
I believe the SharePoint zero day only applied if running it on prem.
SharePoint online didn't have the vulnerability
no_regerts_bob@reddit
The SharePoint issue was only for on prem
Bazstad@reddit
We are currently running on pen and paper while I rebuild. It sucks.
Totalmustarde@reddit
Make sure you do your due diligence and check out your pen and paper supplier for any supply chain hacks!! 😆 Hope the rebuild goes smoothly.
themadcap76@reddit
Thankfully I had the vcenter backup exported to a sftp share that didn’t get hit and we were able to restore it that way.
youareceo@reddit
The struggle is real
MoistFaithlessness27@reddit
Indeed, you were very lucky. We are a fairly small site, 8 servers, 4 clustered for production, 4 clustered for backup at a DR site, and around 120 VMs. We were hit year before last over Thanksgiving by Blacksuit ransomware. Social engineering used to get VPN credentials. All our VMs were encrypted, including both backup servers. We were able to recover by using SAN snapshots. We were back online with 80% restored services after 2 days.
We have since implemented two-factor, limited remote access substantially, and are now using two backup servers, both with separate immutable backups.
Ransomware sucks!
Most-Community3817@reddit
See it almost weekly….security engineer here….its nothing new, patch your firewalls and don’t use forti or Sonicwall as these are targeted heavily, patch the hell out of the infra, decom any old shite and set up regular schedules for patching
Call_Me_Papa_Bill@reddit
This is great advice.
Dependent-Moose2849@reddit
We use a neat product called Perimeter 81.
It has a permanent IPsec tunnel to their VPN SaaS server.
The VPN client requires MFA to connect to the service and start the VPN, and sends the data through the encrypted IPsec tunnel with a second session-layer encryption.
Used it at 2 jobs now and turned off the direct VPN connection built into our Meraki firewall.
SeriousObligation190@reddit
Good luck buddy. We got cold ones waiting when you guys finish.
jamenjaw@reddit
Salute
overkillsd@reddit
"Salud" is the toast to good health in a few languages, is that what you were going for?
gumbrilla@reddit
I think Italian for cheers is more than acceptable. I think he was spot on.
overkillsd@reddit
So I'm Italian-American, and grew up with my family saying it like "Salud", and TIL there's multiple spellings and dialects for it:
https://www.reddit.com/r/italianlearning/comments/zt268x/my_italianamerican_mother_always_has_us_say_salud/
My bad!
gumbrilla@reddit
No worries, I saw it and thought, I know that word.. then went on a deep dive into use of Salud vs Salute..
jamenjaw@reddit
Yep that's what I wanted, short and to the point
overkillsd@reddit
My bad sir, I replied to the parent comment with some context on my misunderstanding :)
jamenjaw@reddit
Not a problem. It's hard to convey how one is saying it in text.
assid2@reddit
Can you share what endpoint protection you used? Did your servers have any protection whatsoever?
Yes I understand that lateral movement is a thing
banned-in-tha-usa@reddit
Had this happen many years ago. Had to call feds and let them take the servers. We were down for a month.
Typical-Parking7290@reddit
Did the servers have AV or anything? I'm interested because I'm genuinely concerned.
GroundbreakingCrow80@reddit
AV does not stop ransomware; it just might slow it as attackers determine what steps to take to avoid AV intervention. SIEM, XDR, and security posture can all help you catch it in action to stop it.
Typical-Parking7290@reddit
I've heard that Cortex does it. Palo Alto firewall with Cortex clients.
disclosure5@reddit
Yes, every sales person of any product will inform you that "our product stops ransomware".
There is a huge ocean between "stops currently known ransomware" and "addresses every possible future ransomware". Nothing does the latter.
hubbyofhoarder@reddit
Even if that's true (and I rather suspect it is not), the Cortex team are assholes, and the product otherwise sucks. Full of false positives over absolute bullshit, and FSM help you if an agent upgrade goes bad.
We had an agent upgrade go bad, and the agent locked up. We couldn't even uninstall the agent with the tamper protection password; it was completely unresponsive. Palo's solution was to boot all the affected machines to safe mode to uninstall and then redeploy the agent.
I kicked them out as soon as their contract was up.
roger_27@reddit (OP)
No they don't. Outside of basic windows defender
assid2@reddit
Just wondering why organizations aren't considering NAS-based systems for their file servers. For example, something like TrueNAS, which leverages ZFS?! While there is Linux-based ransomware, isn't issuing pubkey authentication and TOTP for web authentication a lot more secure? As an added measure you could also use firewall rules on the NAS to lock down who has access to the SSH/web ports (currently pending for me to still implement); also, snapshot support.
strokeofluck24@reddit
We got hit as well. Sonicwall. We have backups, but it's just a clusterfuck of a situation.
Gainside@reddit
Akira has been nasty lately with how quickly it encrypts and then pivots. We’ve been recommending clients keep at least one backup completely offline/immutable to avoid backup servers getting hit
Jaded_Gap8836@reddit
We are going back to old school and have an offline backup in the fireproof safe.
p71interceptor@reddit
I wonder if one of the big next gen avs or huntress could have stopped this.
no_regerts_bob@reddit
Huntress made us aware of the sonicwall issue, which may have prevented this from happening to some of our clients.
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
twentyeightyone@reddit
During one of Huntress' recent product updates they claim they were able to stop Akira in at least one attempt Product Lab July 2025 https://www.youtube.com/live/OJyneJk7EiE?si=oJbad8pGA8TlbF7m&t=817 Support Article re Vaccines https://support.huntress.io/hc/en-us/articles/12353342482195-What-are-Vaccine-Files
moldyjellybean@reddit
SAN snapshots are by far the fastest. When we traced when it happened, we just went to the SAN and restored the snapshot.
Nimble SANs are expensive, but man, I swear that thing works so well, and there is no better support than Nimble (at least IME, up to around COVID when I retired, they were awesome).
scott042@reddit
Email is the easiest way for them to get in. It just takes one click on a link or document to give them access. Most companies getting hit are through email alone. You have to educate your users on emails day after day.
mahsab@reddit
Even if they get access to the user's endpoint, that is (should!!!) still be very, very far from getting full access to any of the servers, especially backup and ESXi!
Daniel0210@reddit
Not that easy tho. This is the endless circle of user education - patch management - antivirus, where an attacker needs to overcome multiple problems in order to set foot in the system. Exploiting a VPN vulnerability is a lot easier when there are already PoCs out there.
Stryker1-1@reddit
Curious what you have in place in terms of your security stack
bilbo-baggins125@reddit
So it’s good thing we switched to OpenVPN… maybe 🫠
permalac@reddit
Pulse secure in our case.
AdhesiveTeflon1@reddit
We got hit by the same shit last year from the sslvpn, esxi and all associated data stores went down but online backups were good.
Good luck and take this as a learning experience.
lescompa@reddit
Gave me a panic attack reading this.. Going to research lockdown mode for ESXi servers and next VBR server not part of the domain. Using immutable Wasabi backups etc., but still, you can't not do too much. Good luck and don't forget your mental health!
cryptme@reddit
Feel for you. Last week we also got hit by it, 10+ servers, lots of workstations. Got up and running in 3 days, reorganized the hell out of our environment. Offline and cloud backups saved the day.
Bazstad@reddit
I feel your pain, just going through the same thing. Got hit last week, lost all backups and VMs. SonicWall VPN is now off; we had already updated software to 7.3 and changed admin passwords. As I rebuild, Huntress goes on everything, and servers are on cloud backup. I hate these people with a passion.
itisloke@reddit
Same. They're evil. They'll get what's coming to them.
ThrowingPokeballs@reddit
Mfa on your vpn? Take 2 seconds to add..
DeejayCa@reddit
Correct me if I’m wrong but if there’s a vuln in the SSL VPN protocol then MFA doesn’t really help.
How else would they be gaining authentication to SSL VPN on those SonicWall appliances?
ITRabbit@reddit
How much did they ask for? Was there anything you could have done differently? Were they in the systems for a while?
lucasberna98@reddit
Bro, immutable backups are a must. The 3-2-1-1-0 rule is soooooo cheap after you recover from an attack in a couple hours.
SAL10000@reddit
https://www.tripwire.com/state-of-security/free-akira-ransomware-decryptor-released-victims-who-wish-recover-their-data
Not sure if still applicable
comagear@reddit
Had to clean up an environment two weeks ago. This is a dead end with this recent strain of Akira. Focus on rebuilding.
lucasorion@reddit
That's for the first generation of their encryption algorithm- didn't work with the updated one (we got hit by it in late July '23, cloud backups to the rescue)
HunnyPuns@reddit
In theory, it should be impossible for a situation to suck and blow at the same time, and yet here we are. Good luck on the rest of the restore. Good vibes your way.
BIG_SCIENCE@reddit
lol you got hacked? Bet the Director of IT will be asked to explain that one
Solkre@reddit
Your file shares ideally will be on an appliance not a windows server. Like TrueNAS or OnTap. NO accounts are shared between the storage network and compute network. Also scheduled offsite backups.
Public_Warthog3098@reddit
Lol
lelkekhoe@reddit
Hang in there, chief. 🫠
sufkutsafari@reddit
Ah man.. Good luck with that. :(
BourbonGramps@reddit
Feel for you.
We got hit a couple years back, thank God for backups. But restoring from Spinny drives is slow as shit.
WatchAltruistic5761@reddit
lol you don’t encrypt?
uzlonewolf@reddit
Sounds like everything but that 1 backup server was encrypted..
OhioIT@reddit
You think Bitlocker would stop it?
Daniel0210@reddit
May I wish the next cyber attack on you? Get off your high horse.
silentstorm2008@reddit
The fact there aren't more details on security posture makes me want to believe you knew you had holes and didn't cover them.
Get enough sleep. This is company problem, not your problem.
TerrorToadx@reddit
Whose is it? HR?
Bro is literally the IT director
Inquisitive_idiot@reddit
There’s so many wrong things with this response but I’m gonna let somebody else take the baton and enjoy themselves 😏
ExceptionEX@reddit
Walk me through the logic of it not being his problem. I mean, I guess he could quit, but barring that I can't imagine it is going to be anyone but his problem.
ecatsuj@reddit
It director? It's totally their problem
laseralex@reddit
I'm a random computer nerd, not a sysadmin, but I just want to say that the fact that you have two different backup servers and were able to survive this attack impressed the everliving shit out of me. It's a warzone out there, and people like you blow me away with what you do to protect companies. Mad props to you!
ascii122@reddit
lifts a glass == so it goes .. same as it ever was
PawnF4@reddit
I have some scripts that check for hidden vms if you want them. If you’re doing a nuke and pave of your entire VMware though shouldn’t be needed
Confident_Guide_3866@reddit
Been there before