Huntress Detects SonicWall VPN Breach Wave Amid Credential Compromise Surge

StratosAlly

Huntress has raised an alert over a wave of unauthorized logins targeting SonicWall SSL VPN devices, saying more than 100 VPN accounts across 16 customer environments were accessed using valid credentials rather than brute-force attempts. The activity began on October 4, with a machine-driven storm of authentications traced back to IP address 202.155.8[.]73. According to Huntress, some connections dropped quickly after login, suggesting automated credential validation, while others progressed into network scanning and attempts to interact with local Windows accounts, which is early-stage post-exploitation behavior.

This spike coincides with SonicWall’s admission that firewall configuration backup files stored in its MySonicWall cloud service were accessed by an unauthorized party, expanding the impact far beyond initial estimates of under 5%. The stolen preference files contain encrypted credentials, user and domain references, DNS configurations and certificate data. SonicWall maintains there is no official link established between the backup file breach and the VPN compromises detected by Huntress, but analysts note the timing and method of access align with credential-based intrusion patterns.

Akira ransomware affiliates are targeting SonicWall appliances, exploiting CVE-2024-40766 to gain initial network access. Darktrace previously documented an August incident involving a compromised SonicWall VPN server, lateral movement activities, privilege escalation via UnPAC the Hash, and signs of data exfiltration ahead of ransomware deployment.

SonicWall has instructed customers using cloud backups to log into their MySonicWall accounts, check for flagged devices, and reset all associated secrets, including VPN pre-shared keys, admin passwords, SNMP strings and API tokens. The company warns that updating the configuration files is disruptive: it breaks existing VPN bindings and MFA setups. Users must therefore schedule this fix during a planned maintenance window to minimize impact.

Huntress recommends restricting WAN management, immediately revoking exposed automation keys, enabling detailed logging and enforcing MFA on all remote and admin access paths, while monitoring for repeated login attempts tied to the identified IP.
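The two behaviors Huntress describes (one source IP authenticating as many accounts, and sessions that drop seconds after a successful login) and the monitoring recommendation above can be turned into a simple log triage pass. The following is an added example written for this article, not code from Huntress, SonicWall or StratosAlly. It assumes a simplified `key=value` line format constructed for illustration (not SonicWall's actual syslog schema), constructed usernames and timestamps, and two assumed tuning thresholds; only the source IP comes from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN auth events in a simplified key=value format.
# This is NOT SonicWall's real syslog layout; usernames and times are made up.
SAMPLE_LOG = """\
time=2025-10-04T02:11:05 src=202.155.8.73 user=jsmith event=login status=success
time=2025-10-04T02:11:08 src=202.155.8.73 user=jsmith event=logout
time=2025-10-04T02:11:09 src=202.155.8.73 user=mlee event=login status=success
time=2025-10-04T02:11:12 src=202.155.8.73 user=mlee event=logout
time=2025-10-04T02:11:14 src=202.155.8.73 user=svc_backup event=login status=success
time=2025-10-04T02:11:17 src=202.155.8.73 user=svc_backup event=logout
time=2025-10-04T02:11:20 src=202.155.8.73 user=rgarcia event=login status=success
time=2025-10-04T03:40:00 src=202.155.8.73 user=rgarcia event=logout
time=2025-10-04T08:02:30 src=198.51.100.7 user=alice event=login status=success
time=2025-10-04T17:10:00 src=198.51.100.7 user=alice event=logout
"""

KNOWN_BAD_IPS = {"202.155.8.73"}   # source IP named in the Huntress report
DISTINCT_USER_THRESHOLD = 3       # assumed tuning: one source succeeding as >= 3 accounts
SHORT_SESSION_SECONDS = 30        # assumed tuning: logout within 30 s of login

LINE_RE = re.compile(r"time=(\S+) src=(\S+) user=(\S+) event=(\S+)(?: status=(\S+))?")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, user, event, status = m.groups()
    return {"time": datetime.fromisoformat(ts), "src": src,
            "user": user, "event": event, "status": status}


def analyze(log_text):
    """Return a list of (finding_type, src, detail) tuples for the three checks."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    findings = []
    users_by_src = defaultdict(set)   # successful logins grouped by source IP
    open_sessions = {}                # (src, user) -> login time, to measure duration
    for e in events:
        if e["event"] == "login" and e["status"] == "success":
            users_by_src[e["src"]].add(e["user"])
            open_sessions[(e["src"], e["user"])] = e["time"]
            if e["src"] in KNOWN_BAD_IPS:
                findings.append(("known_bad_ip", e["src"], e["user"]))
        elif e["event"] == "logout":
            start = open_sessions.pop((e["src"], e["user"]), None)
            if start is not None and (e["time"] - start).total_seconds() <= SHORT_SESSION_SECONDS:
                # Login followed almost immediately by logout: credential-validation pattern
                findings.append(("short_session", e["src"], e["user"]))
    for src, users in users_by_src.items():
        if len(users) >= DISTINCT_USER_THRESHOLD:
            # Many distinct accounts from one source: credential-stuffing with valid secrets
            findings.append(("many_accounts_one_source", src, len(users)))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:26} src={src:15} {detail}")
```

On the constructed sample the pass flags four logins from the reported IP, three sub-30-second sessions, and one source that authenticated as four different accounts; the long `rgarcia` session is the one that would warrant checking for follow-on scanning. In a real environment the thresholds would be tuned against the appliance's own baseline and the parser swapped for the device's actual log format.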
