
Researchers have warned that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign using stolen, legitimate credentials.
Although in some cases the attackers disconnected after a short time, in others they performed network scans and attempted to access local Windows accounts.
The majority of this activity began on October 4, as observed by Huntress, a managed cybersecurity platform, across multiple customer environments.
“Threat actors are increasingly authenticating multiple accounts into compromised devices,” the researchers said, adding, “The speed and scale of these attacks suggests that the attackers appear to be controlling legitimate credentials rather than brute-forcing them.”
The attacks affected more than 100 SonicWall SSLVPN accounts across 16 environments protected by Huntress, indicating a significant and widespread campaign that was still ongoing on October 10.
In the majority of cases, the malicious requests originated from the IP address 202.155.8(.)73, researchers said.
Following the authentication phase, Huntress observed activity typical for the reconnaissance and lateral movement phases of the attack as the threat actor tried to access a large number of local Windows accounts.
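The pattern Huntress describes, many distinct accounts authenticating from one source in quick succession, followed by probing of local accounts, is detectable from VPN authentication logs. The following is an added example, not Huntress's or SonicWall's own tooling: it parses constructed, simplified log lines (the field layout is an assumption, not SonicWall's exact syslog format), flags any source IP that successfully authenticates several different accounts inside a short window, and separately matches sources against a defanged indicator list such as the address reported above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like layout (an assumption,
# not SonicWall's real log format). Fields: timestamp, source IP, user, message.
SAMPLE_LOGS = """\
2025-10-04T09:00:01Z src=202.155.8.73 user=jdoe msg="SSLVPN login successful"
2025-10-04T09:00:04Z src=202.155.8.73 user=asmith msg="SSLVPN login successful"
2025-10-04T09:00:09Z src=202.155.8.73 user=bwong msg="SSLVPN login successful"
2025-10-04T09:00:15Z src=202.155.8.73 user=cjones msg="SSLVPN login successful"
2025-10-04T09:00:21Z src=202.155.8.73 user=dlee msg="SSLVPN login successful"
2025-10-04T09:00:30Z src=203.0.113.10 user=eroy msg="SSLVPN login failed"
2025-10-04T10:15:00Z src=198.51.100.7 user=jdoe msg="SSLVPN login successful"
2025-10-04T11:00:00Z src=198.51.100.7 user=asmith msg="SSLVPN login successful"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+msg="(?P<msg>[^"]*)"$'
)


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 202.155.8(.)73 into a plain dotted quad."""
    return ip.replace("(.)", ".").replace("[.]", ".")


def parse(lines: str):
    """Return a list of (timestamp, src_ip, user, success) tuples; unknown lines are skipped."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], "successful" in m["msg"]))
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Map each suspicious source IP to the set of accounts it logged in with.

    A source is suspicious when at least `min_accounts` distinct users authenticate
    successfully from it inside any sliding `window`. One user logging in from two
    places, or a single account from one IP, is not flagged.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        if ok:
            by_src[src].append((ts, user))

    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        lo = 0
        for hi in range(len(logins)):
            # Shrink the window from the left until it spans at most `window`.
            while logins[hi][0] - logins[lo][0] > window:
                lo += 1
            users = {u for _, u in logins[lo:hi + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(src, set()).update(users)
    return flagged


def known_bad_sources(events, iocs):
    """Return sorted source IPs present in the events that match the (defanged) IoC list."""
    bad = {refang(i) for i in iocs}
    return sorted({src for _, src, _, _ in events if src in bad})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOGS)
    print("multi-account sources:", credential_stuffing_sources(ev))
    print("known-bad sources:", known_bad_sources(ev, ["202.155.8(.)73"]))
```

The window and account thresholds are starting points; tune them against a baseline of normal logins, since a shared NAT egress can legitimately produce several accounts from one address over a working day, which is why the example keys on speed as well as count.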
Huntress underlined that they found no evidence of compromises linked to the recent SonicWall breach, which exposed firewall configuration files for all cloud backup customers.
Because they contain highly sensitive data, these files are encrypted, and the credentials and secrets contained within them are individually encrypted using the AES-256 algorithm.
While an attacker can decode the files, they will see authentication passwords and keys only in encrypted form, the network security company explained.
BleepingComputer has contacted SonicWall for comment on the activity observed by Huntress researchers, but no statement was immediately available.
According to SonicWall’s security checklist, system administrators need to take the following protective steps:
- Reset and update all local user passwords and temporary access codes
- Update passwords on an LDAP, RADIUS, or TACACS+ server
- Update secrets in all IPSec site-to-site and GroupVPN policies
- Update L2TP/PPPoE/PPTP WAN Interface Password
- Reset L2TP/PPPoE/PPTP WAN Interface
Huntress proposes additional measures to immediately restrict WAN management and remote access when not required, and to disable or limit HTTP, HTTPS, SSH, and SSL VPNs until all secrets are encrypted.
External API keys, dynamic DNS, and SMTP/FTP credentials should also be revoked, and automation secrets related to firewall and management systems should be invalidated.
All administrator and remote accounts should be protected by multi-factor authentication. Resumption of service should be done in a phased manner to monitor suspicious activity at each stage.