SonicWall

A sophisticated cyberattack campaign targeted SonicWall SSL VPN devices, compromising over 100 accounts since early October 2023. The threat actors logged in with valid, exposed credentials rather than brute-forcing them, and the activity originated from a single IP address (202.155.8.73), suggesting a centralized command structure. The breach escalated after SonicWall disclosed that unauthorized parties had accessed encrypted firewall configuration backups, which contain sensitive credentials, via its MySonicWall cloud service. While SonicWall initially claimed the breach affected under 5% of installations, the timing and precision of the attacks imply a direct link. Attackers conducted reconnaissance, scanned networks, and attempted to access local Windows accounts, creating a risk of catastrophic data loss. SonicWall urged immediate mitigation: resetting all credentials (admin, VPN, LDAP, API), disabling remote services, enabling MFA, and enforcing strict access controls. The campaign's scale and methodical execution highlight severe vulnerabilities in critical network infrastructure, with potential for widespread exploitation if left unchecked.

Source: https://cyberpress.org/sonicwall-firewall-backup-breach/

TPRM report: https://www.rankiteo.com/company/sonicwall

{
  "id": "son1132511101325",
  "linkid": "sonicwall",
  "type": "Cyber Attack",
  "date": "10/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '100+ (Across 16+ Customer '
                                              'Environments)',
                        'industry': 'Network Security',
                        'location': 'Global',
                        'name': 'SonicWall (Primary Vendor)',
                        'type': 'Cybersecurity Company'},
                       {'industry': 'Various (Global)',
                        'location': 'Worldwide',
                        'name': 'SonicWall Customers (Multiple Organizations)',
                        'type': ['Enterprises',
                                 'Government Agencies',
                                 'SMBs']}],
 'attack_vector': ['Exposed Credentials',
                   'SSL VPN Exploitation',
                   'Firewall Configuration Backup Leak'],
 'customer_advisories': ['Check device status via MySonicWall.com',
                         'Follow immediate protection steps (credential '
                         'resets, service restrictions).'],
 'data_breach': {'data_encryption': ['Backups Were Encrypted (But Credentials '
                                     'Still Exposed)'],
                 'data_exfiltration': ['Potential (Unconfirmed but Likely '
                                       'Given Reconnaissance Activity)'],
                 'file_types_exposed': ['Configuration Files', 'Backup Files'],
                 'sensitivity_of_data': 'High (Configuration Data + '
                                        'Credentials)',
                 'type_of_data_compromised': ['Firewall Configuration Backups',
                                              'Encrypted Credentials',
                                              'Network Access Credentials']},
 'date_detected': '2023-10-04',
 'description': 'A coordinated wave of cyber intrusions has put organizations '
                'worldwide on high alert after Huntress security researchers '
                'discovered a rapid-fire attack campaign targeting SonicWall '
                'SSL VPN devices. Over 100 accounts have been compromised '
                'since early October, with attackers leveraging valid, exposed '
                'credentials rather than brute-force methods. The campaign '
                'originated from a single IP (202.155.8.73) and involved '
                'rapid, surgical attacks, including reconnaissance, credential '
                'validation, and network scans. The breach aligns with '
                'SonicWall’s disclosure of unauthorized access to firewall '
                'configuration backup files, raising concerns about widespread '
                'exploitation potential.',
 'impact': {'brand_reputation_impact': ['High (Due to Widespread Compromises '
                                        'and Credential Exposure)'],
            'data_compromised': ['Firewall Configuration Data',
                                 'Credentials (Local Windows Accounts, VPN '
                                 'Pre-Shared Keys, LDAP, SNMP, API Secrets)'],
            'identity_theft_risk': ['High (If Credentials Are Abused)'],
            'operational_impact': ['Network Scans',
                                   'Unauthorized Access Attempts',
                                   'Potential Lateral Movement'],
            'systems_affected': ['SonicWall SSL VPN Devices',
                                 'Compromised Customer Networks']},
 'initial_access_broker': {'entry_point': ['SonicWall SSL VPN Devices',
                                           'Exposed Credentials in Backup '
                                           'Files'],
                           'high_value_targets': ['Firewall Configurations',
                                                  'Local Windows Accounts',
                                                  'Network Access'],
                           'reconnaissance_period': ['Brief Connections for '
                                                     'Credential Validation '
                                                     '(October 4 Onward)']},
 'investigation_status': 'Ongoing (Huntress and SonicWall Collaborating on '
                         'Remediation)',
 'lessons_learned': ['Exposed credentials in backup files create systemic risk '
                     'even if encrypted.',
                     'Rapid, coordinated attacks underscore the need for '
                     'real-time monitoring and credential hygiene.',
                     'Vendor disclosures must be transparent about scope to '
                     'prevent underestimation of threats.',
                     'MFA and least-privilege access are critical for '
                     'mitigating VPN-based intrusions.'],
 'motivation': ['Espionage', 'Data Theft', 'Potential Follow-on Attacks'],
 'post_incident_analysis': {'corrective_actions': ['SonicWall: Secure backup '
                                                   'files by '
                                                   'redacting/encrypting '
                                                   'credentials separately.',
                                                   'Customers: Implement '
                                                   'zero-trust principles '
                                                   '(MFA, least privilege, '
                                                   'segmentation).',
                                                   'Enhance logging and '
                                                   'anomaly detection for '
                                                   'VPN/authentication '
                                                   'systems.',
                                                   'Regular credential '
                                                   'rotation and audits for '
                                                   'network devices.'],
                            'root_causes': ['Exposure of credentials in '
                                            'firewall backup files (despite '
                                            'encryption).',
                                            'Lack of MFA enforcement for '
                                            'VPN/admin access.',
                                            'Insufficient monitoring for '
                                            'clustered authentication '
                                            'attempts.',
                                            'Delayed or incomplete vendor '
                                            'disclosure about breach scope.']},
 'recommendations': ['Immediately reset all credentials linked to SonicWall '
                     'devices (VPN, admin, API, etc.).',
                     'Enable MFA for all administrative and remote access '
                     'accounts.',
                     'Restrict WAN management access and disable unnecessary '
                     'services (HTTP/S, SSH).',
                     'Audit firewall configurations for unauthorized changes '
                     'or backdoors.',
                     'Monitor for lateral movement or follow-on attacks using '
                     'compromised credentials.',
                     'Isolate affected devices until fully remediated.',
                     'Conduct a thorough review of backup security practices '
                     '(e.g., encryption of sensitive fields).',
                     'Engage third-party security firms for incident response '
                     'and forensic analysis.'],
 'references': [{'source': 'Huntress Security Research'},
                {'source': 'SonicWall Advisory (MySonicWall.com)',
                 'url': 'https://www.mysonicwall.com'}],
 'response': {'communication_strategy': ['SonicWall Advisory via '
                                         'MySonicWall.com',
                                         'Urgent Customer Notifications',
                                         'Collaboration with Security Partners '
                                         '(e.g., Huntress)'],
              'containment_measures': ['Restrict WAN Management Access',
                                       'Disable HTTP/S, SSH, and SSL VPN '
                                       'Services',
                                       'Reset All Credentials (Local Admin, '
                                       'VPN Keys, LDAP, SNMP, API Secrets)',
                                       'Enable Enhanced Logging'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'recovery_measures': ['Continuous Monitoring',
                                    'Configuration Audits'],
              'remediation_measures': ['Gradual Service Restoration '
                                       'Post-Credential Reset',
                                       'Enforce Multi-Factor Authentication '
                                       '(MFA) for All Admin/Remote Users',
                                       'Limit Management Privileges',
                                       'Monitor for Suspicious '
                                       'Logins/Configuration Changes'],
              'third_party_assistance': ['Huntress Security Researchers']},
 'stakeholder_advisories': ['SonicWall Urgent Customer Advisory',
                            'Huntress Threat Briefing for Partners'],
 'title': 'Coordinated Cyber Intrusions Targeting SonicWall SSL VPN Devices',
 'type': ['Unauthorized Access',
          'Credential Stuffing',
          'Reconnaissance',
          'Potential Data Exfiltration'],
 'vulnerability_exploited': ['SonicWall SSL VPN Vulnerability (Credentials in '
                             'Backup Files)',
                             'Weak or Reused Credentials']}