{"id":5357,"date":"2025-10-14T08:51:01","date_gmt":"2025-10-14T08:51:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5357"},"modified":"2025-10-14T08:51:01","modified_gmt":"2025-10-14T08:51:01","slug":"sonicwall-vpns-face-a-breach-of-their-own-after-the-september-cloud-backup-fallout","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5357","title":{"rendered":"SonicWall VPNs face a breach of their own after the September cloud-backup fallout"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Just weeks after SonicWall disclosed an incident that exposed data from its MySonicWall cloud backup platform, new findings from Huntress suggest the situation is far from over \u2014 this time pointing to a fresh wave of SonicWall SSLVPN compromises.<\/p>\n<p>According to Huntress, a new round of breaches targeting SonicWall SSLVPN devices emerged in early October, affecting at least 16 organizations and more than 100 accounts. Unlike the earlier <a href=\"https:\/\/www.csoonline.com\/article\/4070992\/data-leak-at-sonicwall-affects-all-cloud-backup-customers.html\" target=\"_blank\" rel=\"noopener\">cloud-side breach<\/a>, the latest intrusions involve attackers logging into the VPN appliances using valid credentials.<\/p>\n<p>\u201cAs of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments,\u201d Huntress said in a blog post. \u201cThreat actors are authenticating into multiple accounts rapidly across compromised devices. 
The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.\u201d<\/p>\n<p>While SonicWall had <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/mysonicwall-cloud-backup-file-incident\/250915160910330\">warned<\/a> that the September incident allowed an unauthorized party to access firewall configuration backup files, including encrypted credentials and configuration data, it is unclear whether the credentials used in the compromises Huntress found came from the same incident.<\/p>\n<p>SonicWall did not immediately respond to CSO\u2019s request for comment.<\/p>\n<h2 class=\"wp-block-heading\">Attackers are logging in, not breaking in<\/h2>\n<p>The September SonicWall disclosure concerned a breach of its MySonicWall cloud backup service, involving unauthorized access to configuration files <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/mysonicwall-cloud-backup-file-incident\/250915160910330#:~:text=to%20clarify%20scope-,(%3C5%25%20of%20firewalls),-%2C%20encrypted%20credentials%2C%20no\">impacting<\/a> \u201cfewer than 5% of customers.\u201d<\/p>\n<p>Huntress\u2019 new discovery, however, points to a separate, credential-driven campaign. Starting around October 4, Huntress observed mass logins into SonicWall SSLVPN devices from attacker-controlled IPs \u2013 one notably traced to 202.155.8[.]73. 
Many login sessions were brief, but others involved deeper network reconnaissance and attempts to access internal Windows accounts, consistent with attempted lateral movement.<\/p>\n<p>\u201cWe have no evidence to link this (SonicWall\u2019s) advisory to the recent spike in compromises that we have seen,\u201d Huntress <a href=\"https:\/\/www.huntress.com\/blog\/sonicwall-sslvpn-compromise\" target=\"_blank\" rel=\"noopener\">noted<\/a>, adding that \u201cnone may exist allowing us to discern that activity from our vantage point.\u201d<\/p>\n<p>Even if threat actors opened the backup files taken in the September breach, the credentials inside were stored in encrypted form, SonicWall\u2019s advisory had noted. In other words, there is so far no evidence that whoever is logging into SonicWall devices now obtained those credentials from the backup files, though Huntress cautioned that such evidence might simply not be visible from its vantage point.<\/p>\n<h2 class=\"wp-block-heading\">What defenders should watch out for<\/h2>\n<p>Huntress highlighted that, in a few cases, successful SSLVPN authentication was followed by internal reconnaissance traffic or access attempts to Windows administrative accounts. Additionally, logins originating from a single recurring public IP may suggest a coordinated campaign rather than random credential reuse.<\/p>\n<p>On top of the steps outlined in SonicWall\u2019s advisory, Huntress\u2019 blog offered additional defensive actions for organizations using SonicWall devices. It urged administrators to restrict remote management interfaces, reset all credentials and secrets, review SSLVPN logs for signs of unusual authentications, and enable multi-factor authentication (MFA) wherever possible.<\/p>\n<p>SonicWall gear has remained a recurring target for threat groups, with recent attacks abusing improperly patched firewalls. 
The Akira ransomware gang <a href=\"https:\/\/www.csoonline.com\/article\/4056080\/ransomware-gang-going-after-improperly-patched-sonicwall-firewalls.html\">exploited<\/a> a known access control flaw (CVE-2024-40766) in SonicWall appliances. Earlier in the year, customers were also warned of a critical <a href=\"https:\/\/www.csoonline.com\/article\/3706518\/sonicwall-firewall-hit-with-critical-authentication-bypass-vulnerability.html\">authentication bypass<\/a> vulnerability and of <a href=\"https:\/\/www.csoonline.com\/article\/4024395\/ransomware-actors-target-patched-sonicwall-sma-devices-with-rootkit.html\">rootkit-style backdoors<\/a> deployed on SonicWall appliances.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Just weeks after SonicWall disclosed an incident that exposed data from its MySonicWall cloud backup platform, new findings from Huntress suggest the situation is far from over \u2014 this time pointing to a fresh wave of SonicWall SSLVPN compromises. According to Huntress, a new round of breaches targeting SonicWall SSLVPN devices emerged in early October, 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5358,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5357","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5357"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5357"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5357\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5358"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
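The "What defenders should watch out for" section above boils down to two observable patterns: a single source authenticating as many accounts in a short window (Huntress's "speed and scale" reading, which points to valid credentials rather than brute force), and a recurring source address such as the one indicator the article names, 202.155.8[.]73. The script below is an added example written for this page; it is not Huntress's or SonicWall's code. Its log lines are constructed and only loosely imitate SonicWall's key=value syslog style, and the field names (time, msg, usr, src), message texts and thresholds are assumptions that must be mapped to what a real appliance emits. It also records failures per source, so an analyst can see the high success-to-failure ratio that separates credential possession from guessing.

```python
"""Hunt SSLVPN logs for one source rapidly authenticating as many accounts.

Added example for this article, not Huntress's or SonicWall's code. The log
lines are CONSTRUCTED and only loosely imitate SonicWall's key=value syslog
style; field names (time, msg, usr, src), message texts and thresholds are
assumptions to be mapped to what your appliance really emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# The single indicator the article names, kept defanged as Huntress wrote it.
KNOWN_BAD_IPS = {"202.155.8[.]73"}

# Assumed thresholds: one source succeeding as this many distinct accounts
# inside this window is "speed and scale", not ordinary remote access.
MIN_DISTINCT_ACCOUNTS = 5
WINDOW_SECONDS = 10 * 60

# key=value pairs; values may be double-quoted (spaces allowed) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [  # constructed; sn/fw values are placeholders
    # One source logging in as six different accounts in under three minutes.
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:12:44 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=202.155.8.73:51234:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:13:01 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="mlee" src=202.155.8.73:51240:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:13:19 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="rpatel" src=202.155.8.73:51251:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:13:52 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="svc_backup" src=202.155.8.73:51260:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:14:30 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="dkim" src=202.155.8.73:51277:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 03:15:10 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="admin" src=202.155.8.73:51290:X1',
    # A guessing source: mostly failures against one account. A different problem.
    'id=firewall sn=CONSTRUCTED time="2025-10-05 05:00:01 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login failed" usr="admin" src=198.51.100.20:40001:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 05:00:03 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login failed" usr="admin" src=198.51.100.20:40002:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 05:00:05 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login failed" usr="admin" src=198.51.100.20:40003:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 05:00:09 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="admin" src=198.51.100.20:40004:X1',
    # Ordinary staff logins, one account per source, spread over the day.
    'id=firewall sn=CONSTRUCTED time="2025-10-05 08:02:11 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="alice" src=192.0.2.10:55000:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 08:31:47 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="bob" src=192.0.2.11:55010:X1',
    'id=firewall sn=CONSTRUCTED time="2025-10-05 12:05:00 UTC" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="alice" src=192.0.2.10:55020:X1',
    # Unrelated event that the filter must ignore.
    'id=firewall sn=CONSTRUCTED time="2025-10-05 12:06:00 UTC" fw=203.0.113.1 msg="Web management request allowed" usr="bob" src=192.0.2.11:55030:X1',
]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 203.0.113[.]5 back into a real IP."""
    return ip.replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Split a key=value syslog line into a dict, honouring quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(fields: dict) -> str:
    """src is assumed to look like ip:port:interface; keep only the IP."""
    return fields.get("src", "").split(":")[0]


def parse_time(fields: dict) -> datetime:
    return datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def peak_accounts(events: list) -> int:
    """Most distinct accounts one source succeeded as inside any WINDOW_SECONDS span."""
    events = sorted(events)  # (time, user); later entries never precede t0
    peak = 0
    for i, (t0, _) in enumerate(events):
        users = {u for t, u in events[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
        peak = max(peak, len(users))
    return peak


def analyze(lines: list) -> list:
    """Summarise SSLVPN logins per source IP and return the sources worth triage."""
    per_ip = defaultdict(lambda: {"events": [], "ok": 0, "fail": 0})
    for line in lines:
        f = parse_line(line)
        msg = f.get("msg", "")
        if not msg.startswith("SSL VPN zone remote user login"):
            continue
        rec = per_ip[source_ip(f)]
        if msg.endswith("allowed"):
            rec["ok"] += 1
            rec["events"].append((parse_time(f), f.get("usr", "?")))
        else:
            rec["fail"] += 1

    bad = {refang(ip) for ip in KNOWN_BAD_IPS}
    findings = []
    for ip, rec in per_ip.items():
        reasons = []
        if ip in bad:
            reasons.append("matches published indicator")
        peak = peak_accounts(rec["events"])
        if peak >= MIN_DISTINCT_ACCOUNTS:
            reasons.append(f"{peak} distinct accounts in {WINDOW_SECONDS // 60} min")
        if reasons:
            # Many successes with few failures is the tell that the actor already
            # holds valid credentials; a guessing source shows the opposite shape.
            findings.append({"src": ip, "accounts": sorted({u for _, u in rec["events"]}),
                             "ok": rec["ok"], "fail": rec["fail"],
                             "peak_accounts_in_window": peak, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed lines, only 202.155.8.73 is returned: six accounts in under three minutes, six successes and zero failures, and a match on the published indicator. The guessing source at 198.51.100.20 is deliberately not flagged by this logic, since three failures and one success against a single account is a lockout-policy question, not the credential-possession pattern Huntress described; pair this with whatever brute-force rule you already run. The window and account thresholds are starting points to tune against your own baseline of per-source login diversity.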