Malware & Threats

SonicWall SSL VPN Accounts in Attacker Crosshairs

Threat actors have rapidly compromised more than 100 SonicWall SSL VPN accounts pertaining to over a dozen entities.

SonicWall firewalls exposed

In the wake of the recent compromise of SonicWall firewall configuration files, Huntress warns of a widespread campaign targeting SonicWall SSL VPN accounts across multiple businesses.

The attackers, the cybersecurity outfit says, are rapidly logging into multiple SSL VPN accounts across compromised devices, likely using valid credentials rather than brute-forcing them.

Most of the activity occurred on October 4, and continued in clusters over the following days. By October 10, more than 100 SonicWall SSL VPN accounts across 16 environments were compromised as part of the campaign.

The authentication attempts came from the same IP address, and in most cases the attackers were seen disconnecting from the compromised network without performing additional activities.

“In other cases, there was evidence of post-exploitation activity, with the actors conducting network scanning activity and attempting to access numerous local Windows accounts,” Huntress says.

The warning came days after SonicWall announced that all users who stored firewall configuration files using its cloud backup service were impacted by a September data breach.

As part of the attack, hackers accessed the preference files of all firewalls configured with MySonicWall as the cloud backup service. Given that these files contain encrypted credentials and configuration data, the compromise poses a high risk to the affected organizations, SonicWall said last week.

According to Huntress, there is no evidence that the fresh campaign is related to the MySonicWall data breach, but that does not rule out a potential connection between the two.

“Notably, we have no evidence to link [the SonicWall] advisory to the recent spike in compromises that we have seen. However, none may exist allowing us to discern that activity from our vantage point. We are reporting the indicators of compromise and data regarding mass compromise that we’ve seen,” Huntress says.

The cybersecurity firm recommends restricting WAN management and remote access, resetting credentials, disabling or limiting remote management until credentials are rotated, and revoking and re-rolling external APIs and automation secrets.

Organizations should also review logs for unusual login attempts, gradually reintroduce services after credential rotation and monitor for unauthorized access, and enforce multi-factor authentication (MFA) for all administrator and remote access accounts.
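The pattern Huntress describes (many distinct accounts authenticating successfully from one source IP in a short burst, with few failures because the credentials are valid) is something a log review can flag mechanically. The following is an added example, not code from Huntress or SonicWall; the key=value log layout, field names and sample lines are constructed for illustration and do not reproduce SonicWall's real syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSL VPN authentication events (assumed key=value layout,
# TEST-NET addresses). One source logs into five accounts in under a minute.
SAMPLE_LOGS = """\
2025-10-04T08:12:01Z service=sslvpn src=203.0.113.10 user=alice result=success
2025-10-04T08:12:09Z service=sslvpn src=203.0.113.10 user=bob result=success
2025-10-04T08:12:15Z service=sslvpn src=203.0.113.10 user=carol result=success
2025-10-04T08:12:22Z service=sslvpn src=203.0.113.10 user=dave result=success
2025-10-04T08:12:40Z service=sslvpn src=203.0.113.10 user=erin result=success
2025-10-04T09:30:00Z service=sslvpn src=198.51.100.7 user=alice result=success
2025-10-04T09:31:10Z service=sslvpn src=198.51.100.7 user=alice result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=sslvpn src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Yield (timestamp, src_ip, user, result) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def find_multi_account_sources(lines, window=timedelta(minutes=10), min_users=3):
    """Return {src_ip: sorted distinct users} for source IPs that successfully
    authenticated as at least `min_users` different accounts within `window`.
    Successful logins are used deliberately: valid-credential abuse produces
    successes, not the failure storms a brute-force detector looks for."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse(lines):
        if result == "success":
            by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_multi_account_sources(SAMPLE_LOGS).items():
        print(f"{src} authenticated as {len(users)} accounts: {', '.join(users)}")
```

Thresholds are assumptions and should be tuned to the environment; a source that legitimately serves many users (a shared NAT egress) will need an allowlist or a higher `min_users`.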


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.