SonicWall VPNs face a breach of their own after the September cloud-backup fallout

Just weeks after SonicWall disclosed an incident that exposed data from its MySonicWall cloud backup platform, new findings from Huntress suggest the situation is far from over — this time pointing to a fresh wave of SonicWall SSLVPN compromises.

According to Huntress, a new round of breaches targeting SonicWall SSLVPN devices emerged in early October, affecting at least 16 organizations and more than 100 accounts. Unlike the earlier cloud-side breach, the latest intrusions involve attackers logging into the VPN appliances using valid credentials.

“As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments,” Huntress said in a blog post. “Threat actors are authenticating into multiple accounts rapidly across compromised devices. The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

While SonicWall had warned that the September incident allowed an unauthorized party to access firewall configuration backup files, including encrypted credentials and configuration data, it is unclear whether the credentials used in the compromises Huntress found came from the same incident.

SonicWall did not immediately respond to CSO’s request for comments.

Attackers are logging in, not breaking in

The September SonicWall disclosure concerned a breach of its MySonicWall cloud backup service, involving unauthorized access of configuration files impacting “fewer than 5% of customers.”

Huntress’ new discovery, however, points to a separate, credential-driven campaign. Starting around October 4, Huntress observed mass logins into SonicWall SSLVPN devices from attacker-controlled IPs – one notably traced to 202.155.8[.]73. Many login sessions were brief, but others involved deeper network reconnaissance and attempts to access internal Windows accounts, suggesting lateral movement attempts.

“We have no evidence to link this (SonicWall’s) advisory to the recent spike in compromises that we have seen,” Huntress noted, adding that “none may exist allowing us to discern that activity from our vantage point.”

Even if threat actors were able to decode the compromised files from the September breach, they would see the credentials only in encrypted form, SonicWall's advisory had noted. In other words, whoever's logging into SonicWall devices right now probably didn't get their keys from those backup files.

What defenders should watch out for

Huntress highlighted that, in a few cases, successful SSLVPN authentication was followed by internal reconnaissance traffic or access attempts to Windows administrative accounts. Additionally, logins originating from a single recurring public IP may suggest a coordinated campaign rather than random credential reuse.

On top of the steps outlined in SonicWall’s advisory, Huntress’ blog offered additional defensive actions for organizations using SonicWall devices. It urged administrators to restrict remote management interfaces, reset all credentials and secrets, review SSLVPN logs for signs of unusual authentications, and enable multi-factor authentication (MFA) wherever possible.
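The two signals Huntress describes, many distinct accounts authenticating from one source in a short span and a recurring source address, can be checked mechanically during a log review. The script below is an added example, not code from Huntress, SonicWall or CSO: it uses a simplified, constructed syslog-style line layout (an assumption, not SonicWall's actual SSLVPN log format, so adapt the regex to your export), a handful of constructed sample lines, the 202.155.8.73 address reported above, and RFC 5737 documentation addresses for the benign traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified layout (not SonicWall's real format).
# 202.155.8.73 is the source Huntress reported; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2025-10-05T08:00:01Z sslvpn login success user=alice src=203.0.113.10
2025-10-05T08:00:05Z sslvpn login success user=bob src=202.155.8.73
2025-10-05T08:00:09Z sslvpn login success user=carol src=202.155.8.73
2025-10-05T08:00:14Z sslvpn login success user=dave src=202.155.8.73
2025-10-05T08:00:20Z sslvpn login success user=erin src=202.155.8.73
2025-10-05T08:45:00Z sslvpn login success user=alice src=203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sslvpn login success user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_logins(text):
    """Extract (timestamp, user, source_ip) tuples for successful SSLVPN logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not successful logins in the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return events


def flag_sources(events, window=timedelta(minutes=5), min_accounts=3, known_bad=()):
    """Return {source_ip: [reasons]} for sources that log into at least
    `min_accounts` distinct accounts inside `window`, or match a known indicator."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        reasons = []
        if src in known_bad:
            reasons.append("matches published indicator")
        # Sliding window over the time-ordered hits from this source.
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_accounts:
                reasons.append(f"{len(users)} distinct accounts within {window.seconds // 60} min")
                break
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, why in flag_sources(parse_logins(SAMPLE_LOG), known_bad={"202.155.8.73"}).items():
        print(src, "->", "; ".join(why))
```

Lower `min_accounts` or widen `window` to suit the normal login rate of your own user base; a single user reconnecting from one address, as alice does here, is intentionally not flagged.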

SonicWall gear has remained a recurring target for threat groups, with recent attacks abusing improperly patched firewalls. The Akira ransomware gang exploited known access control flaws (CVE-2024-40766) in SonicWall appliances. Earlier in the year, customers were also warned of critical authentication bypass and rootkit-style backdoors targeting SonicWall appliances.
