Widespread Breach: SonicWall VPN Accounts Compromised with Stolen Credentials

SonicWall VPN Accounts Breached in Large-Scale Attack

Recent reports indicate that threat actors have successfully compromised over a hundred SonicWall SSLVPN accounts in a widespread campaign utilizing stolen credentials. The attacks, which began on October 4 and were still ongoing as of October 10, have raised significant concerns among cybersecurity experts.

According to researchers at Huntress, who observed the malicious activity across multiple customer environments, the attackers swiftly gained access to the compromised devices using valid credentials, rather than resorting to brute-force methods. This rapid and coordinated approach suggests a sophisticated operation behind the breaches.

While some instances saw the attackers disconnecting shortly after gaining access, others involved more nefarious activities such as network scans and attempts to infiltrate local Windows accounts. The majority of the compromised accounts were targeted from the IP address 202.155.8[.]73, indicating a centralized source of the attacks.
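The pattern described above, one source address logging in to many accounts with valid credentials and few or no failed attempts, can be hunted for in VPN authentication logs. The following is an added example, not code from Huntress or SonicWall; the comma-separated log layout, the thresholds and the sample events are constructed assumptions, not SonicWall's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical layout): time,source_ip,user,result
SAMPLE_LOG = """\
2025-10-04T03:00:10,203.0.113.50,jsmith,success
2025-10-04T03:01:02,203.0.113.50,mlee,success
2025-10-04T03:02:45,203.0.113.50,svc-backup,success
2025-10-04T03:04:30,203.0.113.50,akhan,success
2025-10-04T05:00:00,198.51.100.9,admin,failure
2025-10-04T05:00:02,198.51.100.9,admin,failure
2025-10-04T05:00:04,198.51.100.9,root,failure
2025-10-04T05:00:06,198.51.100.9,admin,success
2025-10-04T08:00:00,192.0.2.77,bwong,success
2025-10-04T11:30:00,192.0.2.77,cdiaz,success
2025-10-04T15:45:00,192.0.2.77,epark,success
"""

def parse(text):
    """Yield (timestamp, source_ip, user, result) tuples from the sample layout."""
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        yield datetime.fromisoformat(ts), ip, user, result

def flag_credential_reuse(events, min_accounts=3,
                          window=timedelta(minutes=30), max_fail_ratio=0.2):
    """Return {ip: accounts} for source IPs that log in successfully to at least
    min_accounts distinct accounts inside one sliding window while the share of
    failed attempts stays low (valid-credential use rather than guessing)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, r in win if r == "success"}
            fails = sum(1 for _, _, r in win if r == "failure")
            if len(users) >= min_accounts and fails / len(win) <= max_fail_ratio:
                flagged[ip] = sorted(users | set(flagged.get(ip, [])))
    return flagged

if __name__ == "__main__":
    print(flag_credential_reuse(parse(SAMPLE_LOG)))
```

In the sample, only the address with four quick successes is flagged; the noisy guessing source and the shared office address whose logins are spread across the day are not.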

Despite the severity of the breaches, Huntress researchers have not found any direct links to the recent SonicWall breach that exposed firewall configuration files for cloud backup customers. These files contain sensitive data and are heavily encrypted, using the AES-256 algorithm, to protect authentication passwords and keys.

As a precautionary measure, SonicWall has issued a security checklist for system administrators, outlining steps to reset and update passwords, update server credentials, and enhance protection for various network interfaces. Additionally, Huntress recommends restricting WAN management and remote access, as well as revoking and rotating API keys, credentials, and automation secrets.

Furthermore, Huntress advocates for the implementation of multi-factor authentication for all administrative and remote accounts, along with a staged reintroduction of services to monitor for any suspicious activities. These proactive measures aim to mitigate the risk of further breaches and strengthen overall network security.
