SonicWall VPN accounts compromised with stolen login credentials

Security researchers are warning of a large-scale campaign in which attackers compromised more than 100 SonicWall SSL VPN accounts using stolen, valid login credentials. The attacks, which have been ongoing since October 4, have been observed by the security company Huntress in 16 corporate environments.

According to Huntress, the attackers log in to multiple devices simultaneously within seconds. This indicates that they have real usernames and passwords rather than performing brute-force attacks. After gaining access, network reconnaissance was performed, and attempts were made to access local Windows accounts. Most connections came from the IP address 202.155.8[.]73.
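The pattern Huntress describes, many successful logins to different accounts from one source address within seconds, is distinguishable from brute force (many failures against one account) and can be checked for in VPN authentication logs. The script below is an added example, not code from the article or from SonicWall or Huntress. It uses a constructed, simplified log line format (an assumption; SonicWall's real syslog fields differ, so the regex must be adapted), and the only value taken from the article is the source address most connections came from.

```python
"""
Added example: flag source IPs that log in successfully to several distinct
VPN accounts within a short window, the behaviour described in the article.
The log format below is constructed for this example and is not SonicWall's
actual syslog format (assumption); adjust LINE_RE for real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or from any device).
SAMPLE_LOGS = """\
2025-10-04T01:12:03Z src=202.155.8.73 user=alice result=success
2025-10-04T01:12:04Z src=202.155.8.73 user=bob result=success
2025-10-04T01:12:05Z src=202.155.8.73 user=carol result=success
2025-10-04T01:12:09Z src=202.155.8.73 user=dave result=success
2025-10-04T01:15:00Z src=198.51.100.7 user=erin result=failure
2025-10-04T01:15:01Z src=198.51.100.7 user=erin result=failure
2025-10-04T01:15:02Z src=198.51.100.7 user=erin result=failure
2025-10-04T08:30:00Z src=203.0.113.5 user=frank result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Indicator from the article: the address most connections came from.
KNOWN_BAD_IPS = {"202.155.8.73"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def find_credential_reuse(events, min_accounts=3, window_seconds=60):
    """Return {src_ip: sorted list of users} for every source that logged in
    successfully to at least `min_accounts` distinct accounts inside a
    sliding window of `window_seconds`. Only successes count: a burst of
    failures against one account is brute force, a burst of successes across
    many accounts points to valid stolen credentials."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "success":
            by_src[src].append((ts, user))

    hits = {}
    window = timedelta(seconds=window_seconds)
    for src, logins in by_src.items():
        logins.sort()
        best = set()
        start = 0
        for end in range(len(logins)):
            # Advance the window start until the window fits within the limit.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {u for _, u in logins[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(best):
                best = users
        if best:
            hits[src] = sorted(best)
    return hits


def matches_known_bad(events):
    """Return the known-bad source addresses that appear in the events."""
    return sorted({src for _, src, _, _ in events if src in KNOWN_BAD_IPS})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOGS)
    print("multi-account logins:", find_credential_reuse(evts))
    print("known-bad sources seen:", matches_known_bad(evts))
```

The thresholds (three accounts within sixty seconds) are starting points, not tuned values; shared NAT egress addresses in an organisation can legitimately produce several distinct logins from one IP, so the window and account count should be set against a baseline of normal VPN usage.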

No connection to previous data breach found yet

The incidents follow shortly after the MySonicWall Cloud Backup File Incident on September 17, in which configuration backups of firewalls were inadvertently made publicly accessible. Although the timing of both events raises questions, Huntress emphasizes that there is no direct evidence linking the new attacks to the earlier data breach. SonicWall states that the configuration files are Base64-encoded and that sensitive data is separately encrypted with AES-256, making it difficult to read.

Meanwhile, several system administrators report that their devices automatically created cloud backups without being manually configured to do so. This fuels speculation that some firewalls were remotely controlled to create backups. SonicWall has not yet provided further explanation and did not immediately respond to questions about the new wave of attacks.

Both SonicWall and Huntress advise customers to take immediate action. Administrators should replace all passwords and authentication keys, renew multi-factor authentication, and temporarily disable remote access. SonicWall also published a checklist with recommendations to reset LDAP, RADIUS, and VPN passwords and to reinitialize WAN interfaces.

The attacks show how vulnerable central management systems and cloud functions become once login credentials leak. Companies that use SonicWall equipment are advised to thoroughly check their configurations and remain vigilant for suspicious activity.