
SonicWall VPN Breach: Hackers Exploit Stolen Credentials

Summary

– Threat actors have compromised over 100 SonicWall SSLVPN accounts using stolen, valid credentials in a large-scale campaign observed since October 4.
– Attackers conducted network scans and attempted to access local Windows accounts after authentication, indicating reconnaissance and lateral movement efforts.
– Most malicious requests originated from IP address 202.155.8[.]73, and the campaign impacted 16 environments protected by Huntress, remaining active as of October 10.
– Researchers found no evidence linking these compromises to the recent SonicWall breach, noting that exposed configuration files have encrypted credentials requiring decryption.
– Protective measures include resetting all passwords and secrets, enabling multi-factor authentication, and restricting remote access until credentials are fully rotated.

Cybersecurity experts are raising the alarm about a widespread campaign where attackers have successfully breached more than one hundred SonicWall SSLVPN accounts using stolen login credentials. The managed security firm Huntress detected this malicious activity beginning on October 4th across numerous client networks, with the attacks continuing through at least October 10th.

Unlike brute-force attempts that guess passwords through trial and error, these intrusions leveraged previously compromised valid credentials, allowing threat actors to rapidly access multiple accounts. In many instances, the attackers logged in from the IP address 202.155.8[.]73. While some sessions ended quickly, others progressed to network reconnaissance and attempts to infiltrate local Windows accounts, indicating efforts to move laterally through affected systems.
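The pattern Huntress describes (one source address authenticating successfully as many different accounts in quick succession, with few failures) is something defenders can hunt for in VPN authentication logs. The following Python is an added example, not part of the original article or of Huntress's or SonicWall's tooling: it flags such sources over constructed sample log lines, and the log format, field order and thresholds are assumptions rather than SonicWall's actual syslog syntax.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real SonicWall output). Assumed format:
# "<ISO-8601 timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.45 logs in as six users in 40 s with no failures (credential reuse);
# 198.51.100.9 hammers one account with failures only (classic brute force).
SAMPLE_LOG = """\
2025-10-04T02:00:01Z 203.0.113.45 alice LOGIN_OK
2025-10-04T02:00:09Z 203.0.113.45 bob LOGIN_OK
2025-10-04T02:00:15Z 203.0.113.45 carol LOGIN_OK
2025-10-04T02:00:22Z 203.0.113.45 dave LOGIN_OK
2025-10-04T02:00:30Z 203.0.113.45 erin LOGIN_OK
2025-10-04T02:00:41Z 203.0.113.45 frank LOGIN_OK
2025-10-04T02:05:00Z 198.51.100.7 alice LOGIN_OK
2025-10-04T02:10:00Z 198.51.100.9 mallory LOGIN_FAIL
2025-10-04T02:10:01Z 198.51.100.9 mallory LOGIN_FAIL
2025-10-04T02:10:02Z 198.51.100.9 mallory LOGIN_FAIL
2025-10-04T02:10:03Z 198.51.100.9 mallory LOGIN_FAIL
2025-10-04T02:10:04Z 198.51.100.9 mallory LOGIN_FAIL
"""


def parse_events(text):
    """Parse log lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events


def find_shared_credential_sources(events, window=timedelta(minutes=10),
                                   min_users=5, min_success_ratio=0.8):
    """Return {source_ip: [users]} for IPs that, within `window`, successfully
    authenticate as at least `min_users` distinct accounts while keeping the
    success ratio high. A high success ratio is what separates stolen, valid
    credentials from brute force, which leaves mostly failures behind."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # sort by timestamp so a sliding window can be applied
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            successes = [e for e in win if e[3] == "LOGIN_OK"]
            users = {e[2] for e in successes}
            if (len(users) >= min_users
                    and len(successes) / len(win) >= min_success_ratio
                    and len(users) > len(flagged.get(ip, ()))):
                flagged[ip] = sorted(users)  # keep the widest set seen for this IP
    return flagged
```

Running `find_shared_credential_sources(parse_events(SAMPLE_LOG))` flags only 203.0.113.45, with all six account names; the brute-force source and the lone legitimate login are left alone.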

Huntress has clarified that the credential-based attacks they observed are not connected to a separate SonicWall incident that exposed firewall configuration files for cloud backup customers. Those configuration files, although accessible, are encoded, and the sensitive credentials and secrets they contain are individually encrypted using the strong AES-256 algorithm. While determined attackers could potentially decode the files, they would still encounter encrypted passwords and keys.

To defend against such threats, SonicWall’s own security guidance recommends that system administrators take several critical actions. All local user passwords and temporary access codes should be reset immediately. Passwords on connected LDAP, RADIUS, or TACACS+ servers must be updated as well. Additionally, secrets within all IPSec site-to-site and GroupVPN policies need refreshing, and passwords for L2TP/PPPoE/PPTP WAN interfaces should be changed, with the interfaces themselves reset.

Huntress advises going further by restricting WAN management and remote access when not in use and temporarily disabling or limiting HTTP, HTTPS, SSH, and SSL VPN services until all secrets have been rotated. It is also crucial to revoke external API keys, dynamic DNS, and SMTP/FTP credentials, and to invalidate any automation secrets related to firewall and management systems.

A fundamental protective measure is ensuring all administrator and remote access accounts are secured with multi-factor authentication. When re-enabling any services, a staged approach is recommended to carefully monitor for any suspicious behavior at each step of the process.

(Source: Bleeping Computer)
