SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016 For the last week, scans for Sonicwall API "login" and "domain" endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials. https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906 The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates. https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/ Windows RDP Access is Possible with Old Credentials Credential caching may lead to Windows allowing RDP logins with old credentials. https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments keywords: Sonicwall; Windows; RDP; SLAAC; IPv6;