Cybersecurity researchers are sounding the alarm about a large-scale campaign that has compromised more than 100 SonicWall SSLVPN accounts. The attackers are not using brute-force methods, but rather, are leveraging stolen, valid credentials to gain access. This allows them to quickly and effectively authenticate into multiple accounts across compromised devices. The speed and scope of these attacks suggest a well-organized effort that began around October 4, with most of the observed malicious activity coming from a single IP address.
Once inside the networks, the attackers have been observed conducting reconnaissance and attempting to move laterally within the systems. While some of the login attempts were brief, many were followed by network scans and attempts to access local Windows accounts. The goal of this lateral movement is likely to find more valuable data or to establish a more persistent presence on the network. The attacks have impacted at least 16 different environments protected by the managed cybersecurity platform Huntress, indicating a significant and widespread threat.
It’s important to note that Huntress found no evidence connecting these recent compromises to a previous SonicWall breach that exposed firewall configuration files. The company explained that even if an attacker were to obtain these files, the sensitive credentials and secrets within them are individually encrypted using a strong algorithm. While the files can be decoded, the passwords and keys remain in an encrypted form, making them useless to an unauthorized party. This separation helps confirm that the current wave of attacks is relying on a different set of compromised data.
To protect against these attacks, SonicWall has provided a list of protective steps for system administrators. These include resetting and updating all local user passwords and temporary access codes, as well as updating passwords on LDAP, RADIUS, or TACACS+ servers. Additionally, they recommend updating secrets in all IPSec policies and resetting passwords for L2TP/PPPoE/PPTP WAN interfaces. These measures are crucial for cutting off the attackers’ access and securing the network from further unauthorized activity.
Huntress also suggests a number of additional precautions. They advise immediately restricting remote access and WAN management when they are not necessary, and disabling or limiting HTTP, HTTPS, SSH, and SSL VPN until all secrets have been rotated. Furthermore, administrators should revoke external API keys and invalidate automation secrets related to firewalls and management systems. Crucially, all admin and remote accounts should be protected with multi-factor authentication. Finally, the re-introduction of services should be done in a staged manner to allow for close observation of any suspicious activity at each step.
Reference:
