Cybersecurity researchers at Huntress have detected a widespread attack campaign targeting SonicWall SSL VPN devices across multiple customer environments, with over 100 accounts compromised since early October.
The attacks appear coordinated and sophisticated, with threat actors rapidly authenticating into multiple accounts using what appears to be valid credentials rather than brute-force techniques.
Rapid-Fire Attack Campaign Emerges
Starting October 4, security analysts observed clustered authentication attempts across 16 customer networks, with the bulk of malicious activity concentrated over two days.
The speed and scale of these intrusions suggest attackers possessed legitimate credentials, enabling them to bypass traditional security measures.
All observed attacks originated from the IP address 202.155.8.73, indicating a centralized command structure.
In many cases, attackers established brief connections before disconnecting, suggesting reconnaissance activities.
However, several incidents escalated to post-exploitation phases, with threat actors conducting network scanning operations and attempting to access local Windows accounts across compromised environments.
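The pattern described above is easy to miss with brute-force alerting, because the logins succeed on the first try. An added example (not code from Huntress or SonicWall) of the detection logic a defender would want: group successful SSL VPN logins by source IP and flag any source that authenticates into several distinct accounts within a short window, plus a direct match against the source IP named in this report. The log line layout and the sample lines are constructed for the demo, not SonicWall's real syslog format; adapt `parse_line()` to your own export.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Source IP reported in the Huntress findings above.
KNOWN_BAD_SOURCES = {"202.155.8.73"}

# Constructed sample log lines (assumed layout, not SonicWall's actual format):
# four accounts logged into from one source within ~20 seconds, one failure from
# the same source, and two unrelated single logins from other addresses.
SAMPLE_LOG = """\
2025-10-04T02:11:03Z src=202.155.8.73 user=alice event=sslvpn_login_success
2025-10-04T02:11:09Z src=202.155.8.73 user=bob event=sslvpn_login_success
2025-10-04T02:11:14Z src=202.155.8.73 user=carol event=sslvpn_login_success
2025-10-04T02:11:20Z src=202.155.8.73 user=dave event=sslvpn_login_success
2025-10-04T02:11:25Z src=202.155.8.73 user=eve event=sslvpn_login_failure
2025-10-04T03:45:00Z src=198.51.100.7 user=erin event=sslvpn_login_success
2025-10-04T09:12:44Z src=198.51.100.9 user=frank event=sslvpn_login_success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "event": m["event"]}


def find_multi_account_logins(lines, window_seconds=600, min_accounts=3):
    """Return {source_ip: sorted distinct users} for every source that successfully
    authenticated into at least min_accounts distinct accounts within any span of
    window_seconds. Only successes count: valid-credential campaigns produce no
    failure noise, so failure-based brute-force rules never fire on them."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "sslvpn_login_success":
            by_src[rec["src"]].append((rec["ts"], rec["user"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so every later event has t >= t0
        for i, (t0, _) in enumerate(events):
            users = {
                u for t, u in events[i:] if (t - t0).total_seconds() <= window_seconds
            }
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


def find_known_bad(lines):
    """Return the sorted list of accounts touched (success or failure) from a known-bad source."""
    users = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in KNOWN_BAD_SOURCES:
            users.add(rec["user"])
    return sorted(users)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, users in find_multi_account_logins(lines).items():
        print(f"ALERT multi-account logins from {src}: {', '.join(users)}")
    print("accounts touched from known-bad sources:", find_known_bad(lines))
```

Every account returned by either function is a candidate for the credential reset described in the remediation steps, and any source that trips the multi-account rule without being on the indicator list deserves the same treatment.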
The timing coincides with SonicWall’s recent security advisory update, revealing that unauthorized parties accessed firewall configuration backup files for all customers using the company’s cloud backup service through the MySonicWall platform.
These files contain encrypted credentials and configuration data that could facilitate targeted attacks, despite encryption protections.
This represents a significant expansion from SonicWall’s initial September disclosure, which claimed fewer than 5% of firewall installations were affected.
The company has not established a direct connection between the backup breach and the current SSL VPN compromise wave, though the correlation raises serious concerns about coordinated exploitation efforts.
SonicWall urges customers to immediately verify their device status through MySonicWall.com accounts and implement comprehensive security measures.
Critical steps include restricting WAN management access and disabling HTTP, HTTPS, SSH, and SSL VPN services until credential resets are completed.
Organizations must reset all authentication secrets, including local admin accounts, VPN pre-shared keys, LDAP credentials, and SNMP settings.
External API keys, dynamic DNS credentials, and automation secrets require immediate revocation and replacement. Enhanced logging should monitor recent configuration changes and login attempts for suspicious activity.
After implementing resets, services should be reintroduced gradually with continuous monitoring for unauthorized access attempts.
Multi-factor authentication must be enforced for all administrative and remote accounts, with least-privilege principles applied to management roles.
Huntress continues tracking this campaign while collaborating with partners on remediation efforts, emphasizing the critical nature of immediate action to prevent further network infiltration.