Sonic(Sea)Wall VPNs Under Stormy Seas
- Javier Conejo del Cerro
- 3 min read

A tidal wave has hit SonicWall’s defenses. Threat actors are breaching SonicWall SSL VPN devices by logging in with valid or stolen credentials rather than brute force, compromising more than 100 VPN accounts across roughly 16 customer environments. These intrusions are likely tied to exposed MySonicWall cloud backups containing sensitive configuration files — including VPN keys, admin credentials, certificates, and API tokens. The ongoing campaign, first observed on October 4, shows attackers rapidly authenticating into multiple environments, scanning networks, and probing systems for lateral movement.
Phase 1: The Rising Tide
The attack wave began with legitimate authentication events — a hallmark of credential compromise rather than direct exploitation. The speed and scale suggested automated access using previously obtained credentials, possibly harvested from exposed MySonicWall configuration backups. Those backups, recently confirmed as exposed in a separate security incident, stored detailed firewall configuration data that can reveal internal architecture, DNS and logging settings, user permissions, and certificates. With this information, threat actors can seamlessly blend into trusted network traffic.
Phase 2: Cracks in the Wall
Once inside, the attackers behaved inconsistently. In some cases, they logged out quickly, suggesting reconnaissance or access validation. In others, they conducted deep network scans and attempted to authenticate against local Windows accounts. The most concerning element was their access to firewall configuration backups, which provide the blueprint of a network: VPN keys, admin passwords, certificates, and domain settings. With these assets, attackers can escalate privileges, move laterally, and even impersonate trusted systems.
Although Huntress found no definitive link, the timing and overlap with the MySonicWall backup exposure strongly suggest a shared cause. If the two incidents are connected, the backup leak may have been the open floodgate through which the attackers gained entry.
Phase 3: Rogue Waves
Evidence of continued exploitation emerged throughout October. Attackers used valid credentials from multiple geographic sources to authenticate into SonicWall SSL VPNs, then initiated network scanning and privilege escalation activities. Some compromised devices exhibited signs of exploitation linked to CVE-2024-40766, a SonicWall vulnerability previously leveraged by Akira ransomware actors for initial access.
This overlap signals that ransomware operators — particularly those behind Akira — may be co-opting compromised VPNs for network footholds. By combining credential theft, configuration exposure, and unpatched vulnerabilities, attackers are constructing a layered intrusion chain capable of both espionage and extortion.
Phase 4: Fortifying the Wall
The breaches underscore the importance of immediate containment and long-term defense. Organizations using SonicWall devices or MySonicWall’s cloud backup service should act without delay:
Reset and rotate all VPN and firewall credentials.
Revoke exposed API keys and tokens associated with management systems.
Restrict WAN and remote management interfaces to trusted networks only.
Enforce multi-factor authentication for all administrative and remote accounts.
Patch all SonicWall devices, prioritizing fixes for CVE-2024-40766 and related flaws.
Audit and sanitize all cloud backups to prevent exposure of configuration files.
Monitor authentication logs for unusual login patterns or IP origins.
Enable EDR detections focused on credential misuse, tunneling, and lateral movement.
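Added detection sketch for the log-monitoring step above (example code, not from the article, SonicWall or Huntress): it parses constructed VPN authentication lines in an assumed key=value layout and flags the three patterns the article describes, a login followed by logout within seconds, one account used from several countries, and one source IP authenticating into many accounts within minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value layout; field names are illustrative, not SonicWall's schema.
SAMPLE_LOG = """\
2025-10-04T02:00:01Z msg="SSL VPN login succeeded" user=alice src=203.0.113.10 country=US
2025-10-04T02:00:09Z msg="SSL VPN logout" user=alice src=203.0.113.10 country=US
2025-10-04T02:00:12Z msg="SSL VPN login succeeded" user=bob src=198.51.100.7 country=DE
2025-10-04T02:00:20Z msg="SSL VPN login succeeded" user=carol src=198.51.100.7 country=DE
2025-10-04T02:00:25Z msg="SSL VPN login succeeded" user=dave src=198.51.100.7 country=DE
2025-10-04T03:10:00Z msg="SSL VPN login succeeded" user=alice src=192.0.2.44 country=BR
2025-10-04T09:00:00Z msg="SSL VPN login succeeded" user=erin src=203.0.113.55 country=US
2025-10-04T17:30:00Z msg="SSL VPN logout" user=erin src=203.0.113.55 country=US
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) msg="(?P<msg>[^"]+)" user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>\S+)$')
LOGIN, LOGOUT = "SSL VPN login succeeded", "SSL VPN logout"

def parse(log_text):
    # Parse the key=value lines into dicts, skipping lines in another format, oldest first.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return sorted(events, key=lambda e: e["ts"])

def find_indicators(events, short_session=timedelta(seconds=60),
                    burst_window=timedelta(minutes=5), burst_accounts=3):
    # Return sorted (indicator, subject) pairs for the three patterns described in the article.
    alerts = set()
    last_login, countries, by_src = {}, defaultdict(set), defaultdict(list)
    for e in events:
        if e["msg"] == LOGIN:
            last_login[e["user"]] = e["ts"]
            countries[e["user"]].add(e["cc"])
            by_src[e["src"]].append((e["ts"], e["user"]))
        elif e["msg"] == LOGOUT and e["user"] in last_login:
            # Login immediately followed by logout: access validation rather than real use.
            if e["ts"] - last_login[e["user"]] <= short_session:
                alerts.add(("short_session", e["user"]))
    for user, ccs in countries.items():
        if len(ccs) > 1:  # one account used from several countries
            alerts.add(("multi_country", user))
    for src, logins in by_src.items():
        for start, _ in logins:  # one source IP authenticating into many accounts quickly
            users = {u for t, u in logins if start <= t <= start + burst_window}
            if len(users) >= burst_accounts:
                alerts.add(("account_burst", src))
    return sorted(alerts)
```

The thresholds are starting points to tune against a baseline of normal VPN usage; in the sample, the long erin session from a single country produces no alert.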
The SonicWall incident illustrates a growing trend: attackers exploiting not just software vulnerabilities but also the very tools meant to manage and secure infrastructure. By compromising backups, credentials, and device configurations, they gain persistence without immediate detection.
Organizations relying on SonicWall technology must assume compromise if credentials or backups were stored in the cloud and take decisive steps to harden systems, revoke access, and restore trust in their network perimeters before the next wave arrives.
The Hacker News