What's Happening?
A recent campaign has targeted SonicWall SSL VPN accounts across multiple businesses, following the compromise of SonicWall firewall configuration files. Huntress, a cybersecurity firm, reports that attackers are logging into multiple SSL VPN accounts using valid credentials rather than brute-forcing them. The activity began on October 4 and continued in clusters, affecting over 100 accounts across 16 environments by October 10. The attacks originated from the same IP address, with some cases showing post-exploitation activities such as network scanning and attempts to access local Windows accounts. This campaign follows a September data breach where hackers accessed encrypted credentials and configuration data from SonicWall's cloud backup service.
Why Is It Important?
The targeting of SonicWall SSL VPN accounts poses significant risks to affected organizations, as it involves unauthorized access to sensitive network resources. The use of valid credentials suggests a high level of sophistication and a potential insider threat. Organizations relying on SonicWall's services may face operational disruptions and data breaches, weakening their cybersecurity posture. The incident underscores the importance of robust security measures, including multi-factor authentication and regular monitoring of network activity, to prevent unauthorized access and mitigate potential damage.
What's Next?
Organizations are advised to restrict WAN management and remote access, reset credentials, and enforce multi-factor authentication for all administrator and remote access accounts. SonicWall users should review logs for unusual login attempts and gradually reintroduce services after credential rotation. The cybersecurity community will likely continue monitoring the situation for further developments and potential connections to the previous data breach.
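The log review recommended above can be automated around the campaign's distinguishing trait: successful logins to many different accounts from one source address, with no failed attempts to trip a brute-force alert. The script below is an added example, not code from Huntress, SonicWall or the original article; the log line layout, field names (`msg`, `usr`, `src`) and sample addresses are constructed for illustration and are an assumption, not SonicWall's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like shape (an assumption for
# this example, NOT SonicWall's real log format). Addresses are documentation
# ranges; 203.0.113.7 plays the single source seen logging into many accounts.
SAMPLE_LOGS = """\
2025-10-04T02:11:05Z vpn-fw1 msg="SSL VPN login succeeded" usr="alice" src=203.0.113.7
2025-10-04T02:11:31Z vpn-fw1 msg="SSL VPN login succeeded" usr="bob" src=203.0.113.7
2025-10-04T02:12:02Z vpn-fw1 msg="SSL VPN login succeeded" usr="carol" src=203.0.113.7
2025-10-04T02:12:40Z vpn-fw1 msg="SSL VPN login succeeded" usr="dave" src=203.0.113.7
2025-10-04T02:13:15Z vpn-fw1 msg="SSL VPN login succeeded" usr="erin" src=203.0.113.7
2025-10-04T08:30:00Z vpn-fw1 msg="SSL VPN login succeeded" usr="alice" src=198.51.100.20
2025-10-04T08:45:10Z vpn-fw1 msg="SSL VPN login failed" usr="frank" src=198.51.100.21
2025-10-04T09:00:00Z vpn-fw1 msg="SSL VPN login succeeded" usr="frank" src=198.51.100.21
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ msg="SSL VPN login succeeded" usr="(?P<user>[^"]+)" src=(?P<src>\S+)$'
)


def parse_successful_logins(text):
    """Return (timestamp, user, src_ip) for each successful SSL VPN login.
    Failed logins are deliberately ignored: with valid stolen credentials
    there may be no failures at all, so the signal has to come from successes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return events


def find_multi_account_sources(events, window=timedelta(hours=1), min_accounts=3):
    """Flag source IPs that successfully authenticate as >= min_accounts distinct
    users within any sliding window. Legitimate users rarely hold several VPN
    accounts, so one address cycling through accounts is worth an analyst's look."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, logins in by_src.items():
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged
```

Tune `window` and `min_accounts` to the organization's baseline (shared NAT egress addresses will need a higher threshold) and run the check over the full retention period, since the campaign described above ran in clusters over several days.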