
"Attackers compromised more than 100 SonicWall SSL VPN accounts. This was done using stolen, valid login credentials. The attacks, which have been ongoing since October 4, have been observed by the security company Huntress in 16 corporate environments. According to Huntress, the attackers log in to multiple devices simultaneously within seconds. This indicates that they have real usernames and passwords rather than performing brute-force attacks."
"The incidents follow shortly after the MySonicWall Cloud Backup File Incident on September 17, in which configuration backups of firewalls were inadvertently made publicly accessible. Although the timing of both events raises questions, Huntress emphasizes that there is no direct evidence linking the new attacks to the earlier data breach. SonicWall states that the configuration files are Base64-encoded and that sensitive data is separately encrypted with AES-256, making it difficult to read."
"This fuels speculation that some firewalls were remotely controlled to create backups. SonicWall has not yet provided further explanation and did not immediately respond to questions about the new wave of attacks. Both SonicWall and Huntress advise customers to take immediate action. Administrators should replace all passwords and authentication keys, renew multi-factor authentication, and temporarily disable remote access. SonicWall also published a checklist with recommendations to reset LDAP, RADIUS, and VPN passwords and to reinitialize WAN interfaces."
Attackers compromised more than 100 SonicWall SSL VPN accounts using stolen, valid login credentials, gaining access to 16 corporate environments since October 4. They logged in to multiple devices almost simultaneously, within seconds of each other, which points to possession of real usernames and passwords rather than brute-forcing. After gaining access, they performed network reconnaissance and attempted to access local Windows accounts. Most connections originated from IP 202.155.8[.]73. The incidents follow the MySonicWall Cloud Backup File Incident that exposed configuration backups, but no direct evidence links the two events. SonicWall says the configuration files are Base64-encoded and that the sensitive data in them is separately encrypted with AES-256. Administrators are urged to reset credentials, renew MFA, and temporarily disable remote access.
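The signal Huntress describes, one source authenticating successfully to several firewalls within seconds and without a preceding burst of failures, is easy to turn into a detection rule. The script below is an added example written for this page, not code from Huntress, SonicWall or Techzine. It uses a constructed, simplified log format (timestamp, device, result, user, source IP), not SonicWall's real syslog schema, and the thresholds (30-second window, three distinct devices, five failures) are assumptions to tune against your own login volume. It distinguishes the valid-credential pattern from a classic brute-force pattern and ignores an ordinary single login.

```python
"""Flag SSL VPN logins that look like use of stolen, valid credentials.

Heuristic: one source IP logs in *successfully* to several distinct
firewalls within a short window, with no preceding burst of failures.
Brute-force / credential stuffing looks different: many failures per
source before (maybe) one success.

The log format here is constructed for this example and is not
SonicWall's actual syslog format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <device> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
2025-10-04T09:00:01Z fw-hq-01 LOGIN_OK user=jdoe src=203.0.113.10
2025-10-04T09:00:02Z fw-branch-02 LOGIN_OK user=jdoe src=203.0.113.10
2025-10-04T09:00:04Z fw-dc-03 LOGIN_OK user=asmith src=203.0.113.10
2025-10-04T09:00:05Z fw-hq-01 LOGIN_OK user=bwong src=203.0.113.10
2025-10-04T09:30:00Z fw-hq-01 LOGIN_FAIL user=admin src=198.51.100.7
2025-10-04T09:30:01Z fw-hq-01 LOGIN_FAIL user=admin src=198.51.100.7
2025-10-04T09:30:02Z fw-hq-01 LOGIN_FAIL user=admin src=198.51.100.7
2025-10-04T09:30:03Z fw-hq-01 LOGIN_FAIL user=admin src=198.51.100.7
2025-10-04T09:30:04Z fw-hq-01 LOGIN_FAIL user=admin src=198.51.100.7
2025-10-04T09:30:05Z fw-hq-01 LOGIN_OK user=admin src=198.51.100.7
2025-10-04T10:00:00Z fw-hq-01 LOGIN_OK user=cjones src=192.0.2.55
"""


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, device, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "device": device,
        "ok": result == "LOGIN_OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def analyze(log_text, window=timedelta(seconds=30), min_devices=3, fail_burst=5):
    """Return {source_ip: finding} for sources matching either pattern.

    Thresholds are assumptions for the example, not vendor guidance.
    """
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        oks = [e for e in evs if e["ok"]]
        fails = [e for e in evs if not e["ok"]]

        # Best sliding window over successes: how many distinct firewalls
        # (and accounts) did this source authenticate to within `window`?
        best_devices, best_accounts = set(), set()
        for i, start in enumerate(oks):
            in_win = [x for x in oks[i:] if x["ts"] - start["ts"] <= window]
            devices = {x["device"] for x in in_win}
            if len(devices) > len(best_devices):
                best_devices = devices
                best_accounts = {x["user"] for x in in_win}

        if len(fails) >= fail_burst:
            # Many failures first: guessing, not a known-good credential.
            findings[src] = {"kind": "brute-force",
                             "failures": len(fails), "successes": len(oks)}
        elif len(best_devices) >= min_devices:
            # Clean, fast fan-out across devices: credentials already known.
            findings[src] = {"kind": "valid-credential-reuse",
                             "devices": len(best_devices),
                             "accounts": len(best_accounts)}
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

In a real deployment the interesting part is the `valid-credential-reuse` branch: no lockouts fire, no failure spike appears, so a rule keyed only on failed logins misses it entirely. Correlating successes per source across every firewall that forwards logs is what makes the pattern visible.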
Read at Techzine Global