Security researchers have discovered that more than 100 SonicWall SSLVPN accounts have been compromised in a large-scale campaign. Attackers used stolen, valid credentials to access these accounts.
The activity started around October 4, according to managed cybersecurity platform Huntress, and affected multiple customer environments. In some cases, the attackers disconnected quickly. In others, they performed network scans and tried to access local Windows accounts.
Huntress observed the attackers logging into many different accounts in rapid succession from the same source. That pattern indicates they already held valid credentials rather than guessing them: a brute-force attack leaves a long trail of failed attempts against a few accounts, whereas here the logins succeeded across accounts with little or no failure. The compromised accounts spanned 16 different environments protected by Huntress, and most of the malicious activity came from the IP address 202.155.8[.]73.
After authentication, the attackers focused on reconnaissance and lateral movement, trying to access many local Windows accounts. Huntress also clarified that these compromises do not appear to be connected to the recent SonicWall breach that exposed cloud backup firewall configuration files.
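The distinction Huntress draws, rapid successful logins to many accounts from one source versus repeated failures against one account, can be turned into a simple hunt over VPN authentication logs. The following is an added example, not code from Huntress or SonicWall. The log lines are constructed in a simplified key=value syslog style and do not reproduce any vendor's exact log format; the field names (time, msg, usr, src) and the thresholds are assumptions, and the attacker source IP is the one reported by Huntress.

```python
"""
Hunt for one source IP authenticating successfully to many distinct VPN
accounts in a short window (credential reuse) and separate it from classic
brute force (many failures against few accounts).

Added illustrative example, not code from Huntress or SonicWall. Log lines
are constructed in a simplified key=value style; field names and thresholds
are assumptions, not a vendor specification.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 202.155.8.73 (the IP reported by Huntress) logs into
# five accounts in about 90 seconds with no failures; 198.51.100.7 hammers one
# account and finally gets in; 203.0.113.10 is a normal single login.
SAMPLE_LOG = """\
time="2025-10-04 08:00:01" msg="SSL VPN login successful" usr=alice src=203.0.113.10
time="2025-10-04 08:01:12" msg="SSL VPN login successful" usr=j.smith src=202.155.8.73
time="2025-10-04 08:01:25" msg="SSL VPN login successful" usr=m.jones src=202.155.8.73
time="2025-10-04 08:01:41" msg="SSL VPN login successful" usr=svc_backup src=202.155.8.73
time="2025-10-04 08:02:03" msg="SSL VPN login successful" usr=r.patel src=202.155.8.73
time="2025-10-04 08:02:30" msg="SSL VPN login successful" usr=admin2 src=202.155.8.73
time="2025-10-04 08:03:00" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:01" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:02" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:03" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:04" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:05" msg="SSL VPN login failed" usr=admin src=198.51.100.7
time="2025-10-04 08:03:06" msg="SSL VPN login successful" usr=admin src=198.51.100.7
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+msg="(?P<msg>[^"]+)"\s+usr=(?P<usr>\S+)\s+src=(?P<src>\S+)'
)


def parse_events(text):
    """Yield (timestamp, src_ip, user, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
        success = "successful" in m.group("msg").lower()
        yield ts, m.group("src"), m.group("usr"), success


def classify_sources(text, window=timedelta(minutes=10), min_accounts=3,
                     min_success_ratio=0.8):
    """
    Group authentication events per source IP and label each IP:
      "credential_reuse": >= min_accounts distinct users authenticated
                          successfully within `window`, and most attempts
                          succeeded (the attacker already has the passwords)
      "brute_force":      >= 5 attempts with fewer than half succeeding
      "normal":           anything else
    Returns {src_ip: (label, max_distinct_users_in_window, attempts, successes)}.
    """
    by_src = defaultdict(list)
    for ts, src, usr, ok in parse_events(text):
        by_src[src].append((ts, usr, ok))

    results = {}
    for src, events in by_src.items():
        events.sort()
        attempts = len(events)
        successes = sum(1 for _, _, ok in events if ok)
        ratio = successes / attempts
        # Sliding window: most distinct users successfully authenticated from
        # this IP inside any interval of length `window`.
        max_distinct = 0
        for i, (start, _, _) in enumerate(events):
            users = {u for t, u, ok in events[i:] if ok and t - start <= window}
            max_distinct = max(max_distinct, len(users))
        if max_distinct >= min_accounts and ratio >= min_success_ratio:
            label = "credential_reuse"
        elif attempts >= 5 and ratio < 0.5:
            label = "brute_force"
        else:
            label = "normal"
        results[src] = (label, max_distinct, attempts, successes)
    return results


if __name__ == "__main__":
    for src, (label, distinct, attempts, successes) in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {label:16} distinct_users={distinct} "
              f"attempts={attempts} successes={successes}")
```

The two labels matter because they call for different responses: a brute-force source is handled by lockout and rate limiting, while a credential-reuse source means the passwords themselves are known to the attacker and every account it touched must be reset and have MFA enforced. In a real environment the success-ratio threshold should be tuned against the shared-egress IPs (NAT gateways, office ranges) that legitimately produce many distinct successful logins.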
SonicWall’s backup configuration files contain highly sensitive information. The files are encoded and the credentials inside them are encrypted with AES-256, so an attacker who obtains a file cannot read the secrets directly. The encryption does not make the exposure harmless, however: the files still describe how the affected firewall is configured, and SonicWall treats every credential they hold as potentially compromised, which is why it asks administrators to rotate them.
SonicWall recommends administrators take the following steps:
- Reset and update all local user passwords and temporary access codes
- Update passwords on LDAP, RADIUS, or TACACS+ servers
- Update secrets in IPSec site-to-site and GroupVPN policies
- Update and reset L2TP/PPPoE/PPTP WAN interface passwords
Huntress recommends several additional measures to reduce risk. Administrators should restrict WAN management and remote access when they are not needed, and disable or limit HTTP, HTTPS, SSH, and SSL VPN access until all secrets have been rotated. They should also revoke external API keys, dynamic DNS entries, and SMTP or FTP credentials, and ensure that every admin and remote-access account is protected with multi-factor authentication. Finally, services should be re-enabled in stages, with monitoring for suspicious activity at each step before the next one is turned back on.