A surge in attacks is targeting SonicWall SSLVPN devices, affecting numerous customer networks, just weeks after a major breach exposed sensitive firewall data.
Starting October 4, 2025, threat actors have rapidly authenticated into over 100 accounts across 16 environments, using what appear to be stolen valid credentials rather than brute-force methods.
This coordinated attack highlights the growing risks to remote access tools in enterprise settings, potentially stemming from a recent cloud storage incident at SonicWall.
The compromises unfolded quickly, with clustered login attempts peaking over the next two days. In many cases, attackers connected briefly from the IP address 202.155.8[.]73 before disconnecting without further action.
However, in more severe instances, they performed network scans and tried to access local Windows accounts, indicating deeper reconnaissance or lateral movement efforts.
Huntress noted the scale and speed suggest attackers possess insider knowledge of credentials, raising alarms for organizations relying on SonicWall for secure remote access.
SonicWall SSLVPN Under Attack
SonicWall’s recent security advisory has escalated concerns by confirming that hackers accessed encrypted configuration backups for every customer using its MySonicWall cloud service.
These files contain critical data such as credentials and settings; although encrypted, they could enable targeted exploits if decrypted. The company initially reported in mid-September that fewer than 5% of firewalls were impacted, but the update on October 10 revealed the breach affected all users of the backup feature.
While Huntress has not confirmed a direct connection between the breach and the SSLVPN attacks, the timing and nature of the incidents align suspiciously.
The firm is sharing indicators of compromise, including the suspicious IP, to help defenders identify similar activity. SonicWall urges customers to log into MySonicWall.com immediately to check for affected devices and follow detailed remediation steps, such as resetting all exposed credentials.
Mitigations
To mitigate risks, businesses should act swiftly by restricting wide-area network management and remote access where feasible. Temporarily disable HTTP, HTTPS, SSH, SSL VPN, and inbound management interfaces until credentials are fully reset.
This includes revoking local admin passwords, VPN pre-shared keys, LDAP or RADIUS bind credentials, wireless passphrases, and SNMP settings on impacted firewalls.
Further, organizations must roll over external API keys, dynamic DNS configurations, SMTP or FTP accounts, and any automation secrets linked to management systems.
Enhanced logging is crucial for reviewing recent logins and changes for anomalies, retaining records for forensic analysis. Once resets are complete, re-enable services gradually while monitoring for unauthorized re-entry.
Enforcing multi-factor authentication on all admin and remote accounts, alongside applying least-privilege principles, will bolster defenses long-term.
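As an added illustration of the log review recommended above (example code, not from Huntress or SonicWall), the script below flags successful SSLVPN logins from the reported source address and the valid-credential pattern the article describes: one source authenticating to several distinct accounts within a short window without failed attempts. The key=value log format, the thresholds and the sample lines are constructed assumptions; real SonicWall syslog fields differ.

```python
# Flags SSLVPN logins matching the article's pattern. Log lines use a CONSTRUCTED
# key=value format, not SonicWall's real syslog schema; adapt LINE_RE accordingly.
import re
from collections import defaultdict
from datetime import datetime, timedelta
KNOWN_BAD_IPS = {"202.155.8.73"}  # source reported by Huntress (defanged in the article)
CLUSTER_WINDOW, CLUSTER_MIN_ACCOUNTS = timedelta(minutes=10), 3  # assumptions; tune locally

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>\w+) result=(?P<result>\w+)$")

def parse(lines):
    """Yield (timestamp, src_ip, user, event, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["src"], m["user"], m["event"], m["result"]

def detect(lines):
    """Return sorted (reason, src_ip, detail) findings over successful logins."""
    findings = set()
    logins = defaultdict(list)  # src_ip -> [(ts, user), ...]
    for ts, src, user, event, result in parse(lines):
        if event != "SSLVPN_LOGIN" or result != "success":
            continue
        if src in KNOWN_BAD_IPS:  # direct indicator match
            findings.add(("known_ioc", src, user))
        logins[src].append((ts, user))
    # Stolen-credential reuse: one source reaching several distinct accounts in a
    # short window, with no failed attempts needed (unlike brute force).
    for src, events in logins.items():
        events.sort()
        biggest = max(len({u for t, u in events[i:] if t - t0 <= CLUSTER_WINDOW})
                      for i, (t0, _) in enumerate(events))
        if biggest >= CLUSTER_MIN_ACCOUNTS:
            findings.add(("clustered_logins", src,
                          f"{biggest} distinct accounts within {CLUSTER_WINDOW}"))
    return sorted(findings)

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2025-10-04T13:02:11Z src=202.155.8.73 user=alice event=SSLVPN_LOGIN result=success",
    "2025-10-04T13:05:03Z src=202.155.8.73 user=bob event=SSLVPN_LOGIN result=success",
    "2025-10-04T13:07:19Z src=202.155.8.73 user=carol event=SSLVPN_LOGIN result=success",
    "2025-10-04T09:15:00Z src=198.51.100.20 user=dave event=SSLVPN_LOGIN result=success",
    "2025-10-04T13:09:00Z src=203.0.113.9 user=erin event=SSLVPN_LOGIN result=failure",
]

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```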
Huntress continues tracking these threats and offers guidance through its support resources, emphasizing proactive vigilance in an era of credential-based attacks.