Huntress Threat Advisory: Widespread SonicWall SSLVPN Compromise | Huntress

Huntress observed a widespread compromise of SonicWall SSLVPN devices beginning October 4: rapid authentications across more than 100 accounts in 16 customer environments, a pattern that points to the use of valid credentials rather than brute force. Separately, SonicWall disclosed a breach of its MySonicWall platform that exposed encrypted firewall backup files; Huntress has not confirmed a link between the two events. Organizations are urged to follow the containment and remediation steps, including resetting all secrets and enforcing MFA.

Key points

  • Huntress detected clustered, rapid authentications to SonicWall SSLVPN devices starting October 4, with much of the activity occurring over the following two days.
  • Over 100 SonicWall SSLVPN accounts across 16 customer environments were affected in the observed incidents.
  • Authentications in observed cases originated from IP 202.155.8[.]73, and behavior indicates attackers likely used valid credentials rather than brute-force techniques.
  • Some intrusions showed limited activity with short disconnects, while others involved post-exploitation actions such as network scanning and attempts to access local Windows accounts.
  • SonicWall issued an advisory that an attack on MySonicWall exposed encrypted firewall backup files containing credentials and configuration data for customers using the cloud backup service.
  • SonicWall later expanded the advisory's scope beyond its initial estimate that fewer than 5% of installations were affected; Huntress has no definitive evidence linking that breach to the SSLVPN compromises.
  • Recommended actions include restricting WAN/remote management, resetting all secrets and keys, revoking external API/automation credentials, increasing logging and forensics, and enforcing MFA for admin/remote accounts.

MITRE Techniques

  • [T1078] Valid Accounts – Threat actors authenticated rapidly into multiple SonicWall SSLVPN accounts, implying control of valid credentials rather than brute force: ‘the attackers appear to control valid credentials rather than brute-forcing.’
  • [T1190] Exploit Public-Facing Application – Access to the MySonicWall platform allowed unauthorized retrieval of firewall configuration backup files: ‘an attack on its MySonicWall platform gave an unauthorized party access to firewall configuration backup files.’
  • [T1016] System Network Configuration Discovery – Post-exploitation activity included network scanning to discover targets within customer networks: ‘the actors conducting network scanning activity and attempting to access numerous local Windows accounts.’
  • [T1110] Brute Force (not observed) – The report contrasts the observed activity with brute-force techniques, noting that the speed and scale indicate prior credential access rather than brute forcing: ‘the speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.’
  • [T1530] Data from Cloud Storage – Unauthorized access to cloud-stored SonicWall backup files exposed encrypted credentials and configuration data: ‘access to the files could increase the risk of targeted attacks’ (SonicWall advisory).

Indicators of Compromise

  • [IP Address] authentication origin – 202.155.8[.]73
  • [Accounts] impacted SonicWall SSLVPN accounts – over 100 accounts across 16 customer environments (no individual usernames provided)
  • [Service/Platform] affected service – MySonicWall cloud backup service (firewall configuration backup files accessed)
  • [Activity] observed actions – network scanning activity and attempts to access local Windows accounts (no file hashes or domains published)
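The key points above describe the detection signal (many distinct accounts authenticating from one source address within minutes) and the indicator list gives the one published source IP. The following is an added example, not code from Huntress, SonicWall or the advisory, showing how a defender might run both checks over VPN authentication logs. The log line format, account names, timestamps and the threshold of five accounts in five minutes are constructed assumptions for the exercise; SonicWall's real syslog format differs, so parse_line would need adapting to it.

```python
"""Flag clustered SSLVPN logins from a single source IP and match published IoCs.

Added example, not Huntress or SonicWall code. The log format, accounts,
timestamps and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source IP published in the advisory (defanged on the page as 202.155.8[.]73).
IOC_SOURCE_IPS = {"202.155.8.73"}

# Constructed sample log lines (hypothetical format, not SonicWall's real one):
# six different accounts from the IoC address in just over two minutes, plus
# ordinary single-user activity from other addresses.
SAMPLE_LOG = """\
2025-10-04T02:10:11Z sslvpn login user=alice src=198.51.100.20 result=success
2025-10-04T02:14:01Z sslvpn login user=bob src=202.155.8.73 result=success
2025-10-04T02:14:22Z sslvpn login user=carol src=202.155.8.73 result=success
2025-10-04T02:14:40Z sslvpn login user=dave src=202.155.8.73 result=success
2025-10-04T02:15:03Z sslvpn login user=erin src=202.155.8.73 result=success
2025-10-04T02:15:31Z sslvpn login user=frank src=202.155.8.73 result=success
2025-10-04T02:16:12Z sslvpn login user=grace src=202.155.8.73 result=success
2025-10-04T02:30:00Z sslvpn login user=henry src=203.0.113.9 result=failure
2025-10-04T02:31:00Z sslvpn login user=henry src=203.0.113.9 result=success
2025-10-04T06:45:09Z sslvpn login user=alice src=198.51.100.20 result=success
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6 or parts[1:3] != ["sslvpn", "login"]:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:])
    except ValueError:
        return None
    if not {"user", "src", "result"} <= fields.keys():
        return None
    return {"ts": ts, "user": fields["user"], "src": fields["src"], "result": fields["result"]}


def parse_events(text):
    """Parse all lines, drop unparseable ones, and sort by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_clustered_logins(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one finding per source IP that successfully authenticated at least
    `min_accounts` distinct accounts inside any `window`-long sliding span."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        recent = deque()      # successful logins from this IP inside the window
        best, best_span = set(), None
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {r["user"] for r in recent}
            if len(users) > len(best):
                best, best_span = users, (recent[0]["ts"], e["ts"])
        if len(best) >= min_accounts:
            findings.append({
                "src": src,
                "accounts": sorted(best),
                "start": best_span[0].isoformat(),
                "end": best_span[1].isoformat(),
                "known_ioc": src in IOC_SOURCE_IPS,
            })
    return findings


def ioc_hits(events):
    """Every authentication attempt, successful or not, from a published IoC address."""
    return [e for e in events if e["src"] in IOC_SOURCE_IPS]


def run_sample():
    """Run both checks over the constructed sample log."""
    events = parse_events(SAMPLE_LOG)
    return detect_clustered_logins(events), ioc_hits(events)


if __name__ == "__main__":
    clusters, hits = run_sample()
    for f in clusters:
        print("cluster:", f)
    print(f"{len(hits)} authentication attempts from published IoC addresses")
```

The clustering check is the durable part: it keeps working after the attacker changes source address, whereas the IoC match only catches the one IP published so far. Because the advisory describes valid-credential use, only successful logins feed the clustering logic; a burst of failures from one address is a different signal (password spraying) and would need its own rule.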

Read more: https://www.huntress.com/blog/sonicwall-sslvpn-compromise