
Surge in SSLVPN Attacks Follows SonicWall Security Breach

Editorial


A significant increase in cyberattacks targeting SonicWall SSLVPN devices has emerged following a breach that exposed sensitive customer data. The cybersecurity firm Huntress confirmed in mid-September 2023 that firewall backups stored in the cloud were compromised, allowing unauthorized access to critical information. As of now, more than 100 accounts across 16 client environments have been impacted by these attacks.

The nature of the attacks indicates that perpetrators are leveraging stolen credentials rather than employing brute-force techniques. Huntress emphasized that “the speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.” This revelation raises serious concerns about the security of enterprise networks that rely on remote access infrastructures.

Details of the SonicWall Breach

In a security advisory issued in September 2023, SonicWall confirmed that an unauthorized party accessed encrypted configuration backups for customers using its MySonicWall cloud backup service. These backups contained sensitive data, including credentials and configuration details, which, if decrypted, could facilitate targeted exploits.

The coordinated attacks began on October 4, 2023, with a notable increase in authentication attempts over the following days. Huntress tracked many of these login attempts back to a single IP address, 202[.]155[.]8[.]73. In some instances attackers logged in briefly and disconnected without further action; in more serious cases they conducted internal network scans and attempted to access local Windows accounts, which suggests reconnaissance or lateral movement within the network.

The rapid succession of logins across multiple environments and accounts points to attackers having prior access to valid credentials, possibly linked to the data exposed in the SonicWall breach. Although Huntress has yet to conclusively tie the two incidents, the timing and methods strongly suggest a connection.

Mitigation Strategies for Organizations

In response to these escalating threats, organizations are urged to take immediate and decisive action to secure their remote access systems and restore the integrity of their credentials. Experts recommend several proactive measures:

– Limit WAN management and remote access whenever feasible, temporarily disabling HTTP, HTTPS, SSH, SSLVPN, and any inbound management interfaces.
– Reset all credentials and keys associated with affected firewalls, including local admin passwords and VPN pre-shared keys.
– Revoke and roll over external keys, including API tokens and any automation secrets linked to firewall management systems.
– Implement enhanced logging mechanisms and retain records for forensic reviews, investigating all recent logins and configuration changes for unauthorized activity.
– Gradually re-enable services while closely monitoring for unauthorized re-entry attempts.
– Enforce multi-factor authentication (MFA) on all administrative and remote access accounts.

These strategies can help organizations minimize risk, fortify remote access security, and enhance their resilience against evolving cyber threats.

The incident underscores the challenges posed by cloud-based configuration data, which can become a vulnerability across numerous enterprise networks. Even when encrypted, the centralized storage of sensitive credentials presents significant exposure risks, particularly if encryption is compromised or keys are leaked.

As noted by Huntress, the incident reflects a growing trend of “credential-driven” attacks, where adversaries prefer stealthy access methods over traditional brute-force techniques. This situation highlights the urgent need for organizations to implement robust security measures, including regular credential rotation and heightened visibility into authentication patterns.

With the ongoing threats to VPN and firewall systems, reliance on perimeter defenses is no longer sufficient. Instead, adopting a zero trust model—where continuous verification is enforced at every access point—has become essential for achieving true cyber resilience.
