A managed security services provider has recently identified a series of credential attacks targeting SonicWall SSLVPN devices, raising alarms in the cybersecurity community.
According to a report by Huntress, these attacks suggest a “widespread compromise” of SonicWall SSLVPN devices. The service provider emphasized that attackers are rapidly authenticating to multiple accounts across compromised devices. Notably, the technique appears to rely on valid credentials rather than brute-force attempts, pointing to a more sophisticated approach to the attacks.
Following SonicWall’s Backup Advisory
This alarming report comes in the wake of a notification from SonicWall, which disclosed that an unauthorized entity accessed firewall configuration backup files for all customers utilizing its cloud backup service. Though the files are encrypted, which complicates credential exploitation, SonicWall has cautioned that having these files could elevate the risk of targeted attacks.
Huntress clarified that there is currently “no evidence” linking these credential attacks to the recent backup breach. However, they encouraged users to adhere closely to SonicWall’s recommendations and consider taking additional precautionary measures.
Scope of SonicWall SSLVPN Attacks
The credential attacks have reportedly affected numerous customer environments, with the activity primarily surfacing on October 4, 2023. Huntress noted that clustered authentications continued over the following couple of days. By October 10, more than 100 SonicWall SSLVPN accounts across 16 customer environments had seen potential unauthorized access attempts, all originating from a single IP address (202.155.8[.]73).
Interestingly, in some cases, attackers appeared to limit their activities, disconnecting shortly after accessing accounts. However, in other instances, there was clear evidence of post-exploitation activities, including network scanning and attempts to infiltrate various local Windows accounts.
Preventive Measures Against SonicWall Credential Attacks
In light of these incidents, Huntress has proposed several critical steps for safeguarding against credential attacks on SonicWall devices:
- Limit WAN management and remote access wherever feasible.
- Disable or restrict HTTP, HTTPS, SSH, SSL VPN, and inbound management until credentials are securely reset.
- Reset all keys and secrets on compromised devices, including admin accounts, VPN pre-shared keys, and various user credentials like LDAP, RADIUS, TACACS+, SNMP, and wireless PSKs.
- Revoke external API keys, dynamic DNS settings, SMTP/FTP credentials, and any automation secrets linked to firewall management systems.
- Enhance logging mechanisms and review recent logins and configuration changes for any unusual activity.
- After resetting credentials, gradually reintroduce services while keeping a close eye on unauthorized access attempts.
- Implement multi-factor authentication (MFA) for all administrator and remote accounts, alongside applying the principle of least privilege for management roles.
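A detection pass of the kind the logging recommendation above calls for, written as an added example (not Huntress's or SonicWall's own tooling): it flags a single source IP that successfully authenticates to several distinct SSLVPN accounts within a short window, the clustered valid-credential pattern described above rather than the failed attempts of a brute-force attack. The log format, field names and IP addresses are constructed for the example and do not reproduce real SonicWall output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SonicWall log output): time, source IP, user, result.
SAMPLE_LOGS = """\
2023-10-04T02:11:05Z src=203.0.113.10 user=jdoe event=sslvpn-auth result=success
2023-10-04T02:11:09Z src=203.0.113.10 user=asmith event=sslvpn-auth result=success
2023-10-04T02:11:14Z src=203.0.113.10 user=bwong event=sslvpn-auth result=success
2023-10-04T02:11:20Z src=203.0.113.10 user=ckhan event=sslvpn-auth result=success
2023-10-04T02:12:01Z src=203.0.113.10 user=dlee event=sslvpn-auth result=success
2023-10-04T08:30:00Z src=198.51.100.7 user=jdoe event=sslvpn-auth result=success
2023-10-04T09:15:00Z src=198.51.100.9 user=asmith event=sslvpn-auth result=failure
2023-10-04T09:15:03Z src=198.51.100.9 user=asmith event=sslvpn-auth result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=sslvpn-auth result=(?P<result>\S+)$"
)

def parse_events(text):
    """Parse the constructed log lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events

def find_credential_clusters(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {src_ip: sorted users} for IPs that *successfully* log in to at least
    min_accounts distinct accounts within `window`; failures are ignored on purpose."""
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "success":
            per_src[src].append((ts, user))
    alerts = {}
    for src, logins in per_src.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    print(find_credential_clusters(parse_events(SAMPLE_LOGS)))
```

The brute-force source (198.51.100.9) and the single legitimate login (198.51.100.7) are not flagged; only the IP that rapidly logged into five accounts is.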
The Cyber Express has reached out to SonicWall for further comments concerning these incidents and plans to update this article with any new developments.