Credential Attacks Detected On SonicWall SSLVPN Devices

A managed security services provider has detected credential attacks on SonicWall SSLVPN devices.

The attacks, reported by Huntress, involve “widespread compromise” of SonicWall SSLVPN devices.

“Threat actors are authenticating into multiple accounts rapidly across compromised devices,” the service provider said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

Report Follows SonicWall Backup Advisory

The report follows a SonicWall advisory that an unauthorized party had accessed firewall configuration backup files for all SonicWall customers who have used the company’s cloud backup service.

The configuration files contain encrypted credentials and configuration data, and encryption would make credential exploitation challenging, but SonicWall nonetheless noted that “possession of these files could increase the risk of targeted attacks.”

Huntress said there is “no evidence” to link the credential attacks to the SonicWall backup breach, but urged users to follow SonicWall’s guidance and take additional steps.

SonicWall SSLVPN Attacks Widespread

The SonicWall SSLVPN credential attacks have occurred across “multiple customer environments,” Huntress said.

Much of the attack activity started on October 4, “with clustered authentications occurring over the course of the following two days.”

As of October 10, more than 100 SonicWall SSLVPN accounts across 16 customer environments had been affected, the service provider said. Authentication attempts on the SonicWall devices originated from the IP 202.155.8[.]73.

“In some instances, the actors did not appear to generate further adversarial activity in the network, disconnecting after a short period,” the service provider said. “In other cases, there was evidence of post-exploitation activity, with the actors conducting network scanning activity and attempting to access numerous local Windows accounts.”
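The pattern Huntress describes, one source address succeeding against many distinct accounts within a short span, is the signal a defender would want to alert on. The following is an added example, not code from Huntress or SonicWall: it parses a constructed, simplified authentication log format (real SonicWall syslog fields differ and would need their own parser), then flags any source IP that logs into at least `min_accounts` distinct users inside a sliding `window`. The usernames, timestamps and the second IP are made up; the first IP is the one named in the report.

```python
"""Flag a source IP that authenticates successfully into many distinct VPN
accounts within a short window: valid-credential use at speed, not brute force.
The log format below is constructed for this example and is not SonicWall's."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real telemetry). The first source IP is the one
# named in the Huntress report; users, times and the second IP are invented.
SAMPLE_LOG = """\
2025-10-04T02:11:03Z vpn auth=success user=jsmith src=202.155.8.73
2025-10-04T02:11:09Z vpn auth=success user=kpatel src=202.155.8.73
2025-10-04T02:11:14Z vpn auth=success user=mlee src=202.155.8.73
2025-10-04T02:11:21Z vpn auth=success user=rgarcia src=202.155.8.73
2025-10-04T02:11:30Z vpn auth=success user=tchen src=202.155.8.73
2025-10-04T02:11:44Z vpn auth=success user=jsmith src=202.155.8.73
2025-10-04T08:30:00Z vpn auth=success user=jsmith src=198.51.100.7
2025-10-04T08:41:12Z vpn auth=failure user=jsmith src=198.51.100.7
2025-10-04T09:02:55Z vpn auth=success user=kpatel src=198.51.100.7
"""

# Assumed line layout: "<ISO timestamp> vpn auth=<result> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src_ip) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def find_credential_sprays(text, window=timedelta(minutes=5), min_accounts=5):
    """Return {src_ip: sorted account list} for each IP that logged into at
    least `min_accounts` distinct accounts inside any `window`-long span.
    Only successful logins count: failures are the brute-force signal,
    successes across many users are the stolen-credential signal."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        if result == "success":
            by_src[src].append((ts, user))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered successes for this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {user for _, user in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                findings[src] = sorted(accounts)
                break
    return findings


if __name__ == "__main__":
    for src, accounts in find_credential_sprays(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} distinct accounts in 5 min -> {accounts}")
```

The thresholds are assumptions to tune per environment: a shared egress address (an office NAT) can legitimately produce several users in a few minutes, so the window and account count should be set against a baseline of normal logins, and a hit should be corroborated with the post-authentication activity the report mentions (internal scanning, attempts against local Windows accounts).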

Protecting Against SonicWall Credential Attacks

Actions recommended by Huntress include:

  • Restricting WAN management and remote access wherever possible
  • Disabling or limiting HTTP, HTTPS, SSH, SSL VPN and inbound management until credentials are reset
  • Resetting all secrets and keys on affected devices, including local admin accounts, VPN pre-shared keys, LDAP/RADIUS/TACACS+ bind credentials, wireless PSKs and SNMP credentials
  • Revoking external API keys, dynamic DNS, SMTP/FTP credentials and “any automation secrets that touch the firewall or management systems”
  • Increasing logging and reviewing recent logins and configuration changes for suspicious activity
  • After resetting, reintroducing services one by one and monitoring for any reappearance of unauthorized access
  • Enforcing multi-factor authentication (MFA) for all admin and remote accounts and applying least privilege to management roles

The Cyber Express has reached out to SonicWall for comment and will update this article with any further information.
