As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments. Threat actors are authenticating into multiple accounts rapidly across compromised devices. The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.
The bulk of the activity started on October 4, with clustered authentications occurring over the course of the following two days. So far, over 100 SonicWall SSLVPN accounts across 16 customer accounts have been impacted. In the cases observed, authentications on the SonicWall devices originated from 202.155.8[.]73.
In some instances, the actors did not appear to generate further adversarial activity in the network, disconnecting after a short period. In other cases, there was evidence of post-exploitation activity, with the actors conducting network scanning activity and attempting to access numerous local Windows accounts.
SonicWall advisory
SonicWall this week released a security advisory update warning that an attack on its MySonicWall platform gave an unauthorized party access to firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files include encrypted credentials and configuration data. While credentials in the files are encrypted, access to the files could increase the risk of targeted attacks, said SonicWall.
The expanded incident scope update comes after an initial security advisory in mid-September, where SonicWall had originally said that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of its firewall install base.
Notably, we have no evidence to link this advisory to the recent spike in compromises that we have seen. However, none may exist allowing us to discern that activity from our vantage point. We are reporting the indicators of compromise and data regarding mass compromise that we’ve seen.
Next steps
Huntress is continuing to track this spike in SSLVPN compromises that we have observed across our customer base, and working with our partners to assist with next steps. We are also monitoring SonicWall’s latest security alert, and have a FAQ available with further guidance for businesses.
SonicWall has recommended that customers log in to their MySonicWall.com accounts and verify if their devices are impacted. If they are, they should follow the specific containment and remediation guidelines outlined in SonicWall’s threat advisory.
Beyond reading and following SonicWall’s guidance and remediation recommendations, here are some other steps that businesses can take:
Immediately restrict WAN management and remote access where possible.
Disable or limit HTTP, HTTPS, SSH, SSL VPN and inbound management until credentials are reset.
Reset all secrets and keys on affected devices now. This includes local admin accounts, VPN pre-shared keys, LDAP/RADIUS/TACACS+ bind credentials, wireless PSKs and SNMP credentials.
Revoke and roll any external API keys, dynamic DNS, SMTP/FTP credentials and any automation secrets that touch the firewall or management systems.
Increase logging and review recent logins and configuration changes for suspicious activity. Retain forensic logs while you investigate.
After resets, reintroduce services one at a time and monitor for reappearance of unauthorised access.
Enforce MFA for all admin and remote accounts and apply least privilege to management roles.
