
SonicWall VPN accounts breached using stolen creds in widespread attacks


Researchers warn that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign using stolen, valid credentials.

Although in some cases the attackers disconnected after a short period, in others they followed up with network scans and attempts to access local Windows accounts.

Most of this activity began on October 4, as observed by managed cybersecurity platform Huntress at multiple customer environments.

“Threat actors are authenticating into multiple accounts rapidly across compromised devices,” the researchers said, adding that “the speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

The attacks have impacted over 100 SonicWall SSLVPN accounts across 16 environments that Huntress protects, indicating a significant and widespread campaign that was still ongoing on October 10.

In most cases, the malicious requests originated from the IP address 202.155.8[.]73, the researchers said.
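As an added illustration (not from the article or from Huntress), the following Python snippet flags the pattern described above: one source address authenticating successfully into many distinct VPN accounts within a few minutes, with few or no failures. The log line layout and the sample entries are constructed for this example and are not SonicWall's real syslog format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed layout, not SonicWall's real format):
# "<ISO timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2025-10-04T09:00:01 src=203.0.113.10 user=alice result=ok
2025-10-04T09:00:04 src=203.0.113.10 user=bob result=ok
2025-10-04T09:00:09 src=203.0.113.10 user=carol result=ok
2025-10-04T09:00:15 src=203.0.113.10 user=dave result=ok
2025-10-04T09:00:22 src=203.0.113.10 user=erin result=ok
2025-10-04T09:30:00 src=198.51.100.7 user=frank result=ok
2025-10-04T10:00:00 src=198.51.100.7 user=frank result=ok
2025-10-04T10:05:00 src=192.0.2.44 user=grace result=fail
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def find_valid_cred_spray(log_text, window=timedelta(minutes=5), min_accounts=3):
    """Return {src_ip: set(accounts)} for every source that logged in
    successfully to at least `min_accounts` distinct accounts inside any
    `window`-long span. Only successes count: a brute-force attempt would show
    a wall of failures first, whereas stolen valid credentials succeed at once,
    which is the speed-and-scale signature the researchers describe."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "ok":
            by_src[src].append((ts, user))
    hits = {}
    for src, logins in by_src.items():
        start = 0
        for end in range(len(logins)):
            # Slide the window forward until it spans at most `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            accounts = {u for _, u in logins[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = hits.get(src, set()) | accounts
    return hits


if __name__ == "__main__":
    for src, accounts in find_valid_cred_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} accounts in one window -> {sorted(accounts)}")
```

In a real deployment the thresholds belong in the SIEM rule, and the same logic can be keyed on the defanged address quoted in the article once it is re-armed as an indicator.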

After the authentication step, Huntress observed activity specific to the reconnaissance and lateral movement steps of an attack as the threat actor tried to access a large number of local Windows accounts.

Huntress underlines that they did not find evidence connecting the spate of compromises they observed to the recent SonicWall breach that exposed the firewall configuration files for all cloud backup customers.

Because they contain highly sensitive data, these files are encoded, and the credentials and secrets within are individually encrypted using the AES-256 algorithm.

While an attacker could decode the files, they would see the authentication passwords and keys in encrypted form, the network security company explained.
