Cybersecurity researchers have uncovered a widespread campaign targeting SonicWall SSLVPN accounts, with over 100 compromised across 16 different environments. The campaign, first observed by cybersecurity firm Huntress on October 4, involves attackers using stolen, valid credentials to gain access, bypassing traditional brute-force methods.
According to Huntress, the threat actors are logging into multiple accounts across affected devices. In some cases the attackers disconnected shortly after logging in, but in others they engaged in deeper activity, scanning networks and attempting to access local Windows accounts in what appeared to be the early stages of a broader intrusion effort.
Much of the malicious activity has been traced to the IP address 202.155.8[.]73, with post-authentication behavior consistent with reconnaissance and lateral movement techniques. Despite the widespread nature of the attacks, Huntress has found no direct link between this campaign and a recent SonicWall breach that exposed firewall configuration files of cloud backup customers.
SonicWall noted that while configuration files are encoded, sensitive credentials within are encrypted using AES-256 encryption, meaning attackers who access the files would not have immediate access to plaintext passwords or keys.
The origin and full scope of the campaign are unclear at the moment. In the meantime, system administrators are advised to reset all local passwords and access codes, rotate VPN and WAN interface credentials, and restrict remote access features such as HTTP, HTTPS, SSH, and SSL VPN where unnecessary.
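As an added, defender-side example that is not part of the original report: the detection below parses constructed, simplified VPN login lines (the key=value field names are an assumption, not SonicWall's exact syslog schema) and flags any source IP that successfully authenticates as several distinct accounts within a short window, the pattern described above, alongside matches on the source IP the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP named in the article (defanged there as 202.155.8[.]73).
KNOWN_BAD_IPS = {"202.155.8.73"}

# Constructed key=value line format; field names are an assumption, not SonicWall's syslog schema.
LOG_RE = re.compile(r'time="(?P<ts>[^"]+)" msg="(?P<msg>[^"]+)" usr="(?P<usr>[^"]+)" src=(?P<src>\S+)')

# Constructed sample: one IP cycling through valid accounts, plus a normal user.
SAMPLE_LOGS = """\
time="2025-10-04 02:11:53" msg="SSL VPN login succeeded" usr="alice" src=202.155.8.73
time="2025-10-04 02:12:10" msg="SSL VPN login succeeded" usr="bob" src=202.155.8.73
time="2025-10-04 02:12:41" msg="SSL VPN login succeeded" usr="carol" src=202.155.8.73
time="2025-10-04 02:13:02" msg="SSL VPN login succeeded" usr="dave" src=202.155.8.73
time="2025-10-04 08:30:00" msg="SSL VPN login succeeded" usr="frank" src=198.51.100.7
time="2025-10-04 09:15:00" msg="SSL VPN login failed" usr="frank" src=198.51.100.7
""".splitlines()


def parse(lines):
    """Return (timestamp, user, src) for each successful SSL VPN login."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["msg"] == "SSL VPN login succeeded":
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["usr"], m["src"]))
    return events


def multi_account_sources(events, min_accounts=3, window=timedelta(minutes=15)):
    """Map src -> set of users for sources that log in as >= min_accounts
    distinct accounts inside one sliding window. Stolen valid credentials
    succeed, so failure counts miss this; account fan-out per IP is the signal."""
    by_src = defaultdict(list)
    for ts, usr, src in sorted(events):
        by_src[src].append((ts, usr))
    flagged = {}
    for src, logins in by_src.items():
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


def known_indicator_hits(events):
    """Successful logins whose source matches the indicator reported for this campaign."""
    return [(ts, usr, src) for ts, usr, src in events if src in KNOWN_BAD_IPS]
```

Tune `min_accounts` and `window` to the normal number of users behind a shared egress IP in your environment before alerting on this.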
