Full Report
Researchers warn that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign using stolen, valid credentials. [...]
Analysis Summary
# Incident Report: Widespread SonicWall VPN Compromise via Credential Stuffing
## Executive Summary
A large-scale cyber campaign was detected involving the compromise of over a hundred SonicWall SSLVPN accounts across multiple organizations, primarily starting around October 4, 2025. Attackers leveraged valid, stolen credentials to gain initial access, subsequently attempting reconnaissance and lateral movement against internal Windows systems. Response necessitated immediate credential rotation and temporary restriction of remote access services.
## Incident Details
- Discovery Date: On or shortly after October 4, 2025 (Observed by Huntress)
- Incident Date: Attacks observed beginning around October 4, 2025
- Affected Organization: Over 100 SonicWall SSLVPN accounts across 16 environments monitored by Huntress
- Sector: Not explicitly disclosed (Implied various organizations using SonicWall devices)
- Geography: Not explicitly disclosed (Implied global reach based on widespread compromise)
## Timeline of Events
### Initial Access
- Date/Time: Beginning approximately October 4, 2025
- Vector: Valid, stolen credentials used in mass authentication attempts against SonicWall SSLVPNs.
- Details: Threat actors rapidly authenticated into multiple accounts, suggesting control over pre-existing credentials rather than brute-forcing. Malicious requests frequently originated from IP address 202.155.8[.]73.
### Lateral Movement
- Details: After successful VPN login, attackers engaged in reconnaissance by attempting to access a large number of local Windows accounts within the compromised networks.
### Data Exfiltration/Impact
- Details: The scope of data exfiltration is not detailed, but the access gained presents a risk of internal data theft and persistent network compromise.
### Detection & Response
- Detection: Detected by Huntress monitoring client environments showing suspicious, rapid login activity indicative of account compromise.
- Response: Security recommendations included resetting all local user passwords, updating LDAP/RADIUS secrets, invalidating various interface passwords, and disabling/limiting remote access services until remediation was complete.
## Attack Methodology
- Initial Access: Use of stolen, valid credentials for mass authentication against SonicWall SSLVPN service (Credential Stuffing/Validation).
- Persistence: Not explicitly detailed, but lateral movement attempts suggest goals beyond simple access.
- Privilege Escalation: Attackers attempted to access local Windows accounts, suggesting an effort to elevate privileges post-VPN access.
- Defense Evasion: Not explicitly detailed; the automated, high-volume access using valid credentials may have passed existing controls, depending on the enforcement in place.
- Credential Access: Not applicable in the initial step, as the credentials had already been stolen before the campaign began.
- Discovery: Attempted access to local Windows accounts post-authentication indicates internal reconnaissance.
- Lateral Movement: Attempting to access local Windows accounts to move deeper into the network.
- Collection: Implied goal of data collection based on subsequent movements.
- Exfiltration: Not explicitly detailed in the observed activity logs.
- Impact: Network access, reconnaissance, and prerequisite steps for deep compromise.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential access to sensitive corporate data due to deep network infiltration capability.
- Operational: Required immediate administrative action (password resets, service restrictions), potentially causing operational slowdowns.
- Reputational: Negative impact due to widespread security failure (SonicWall VPN compromise).
## Indicators of Compromise
- Network Indicators: Malicious login source IP: 202.155.8[.]73 (Defanged)
- File Indicators: Not specified.
- Behavioral Indicators: Rapid, high-volume authentication attempts against SonicWall SSLVPN endpoints. Post-authentication scanning and enumeration of local Windows accounts.
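A detection check of the kind the behavioral indicators above describe, added here as an example and not part of the original report or of Huntress's tooling: it flags a source address that successfully authenticates as many distinct VPN accounts within a short window. The log format, the account names and the 198.51.100.x addresses are constructed; the flagged source address is the indicator reported above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real SonicWall output). Assumed format:
# "<ISO-8601 timestamp> <source IP> <username> <result>". The first source address is
# the indicator reported above; 198.51.100.x (RFC 5737) stands in for normal users.
SAMPLE_LOGS = """\
2025-10-04T02:10:01Z 202.155.8.73 alice.j LOGIN_SUCCESS
2025-10-04T02:10:04Z 202.155.8.73 bob.k LOGIN_SUCCESS
2025-10-04T02:10:09Z 202.155.8.73 carol.m LOGIN_FAILURE
2025-10-04T02:10:11Z 202.155.8.73 dave.p LOGIN_SUCCESS
2025-10-04T02:10:15Z 202.155.8.73 erin.w LOGIN_SUCCESS
2025-10-04T02:10:20Z 202.155.8.73 frank.t LOGIN_SUCCESS
2025-10-04T08:30:00Z 198.51.100.7 alice.j LOGIN_SUCCESS
2025-10-04T08:31:10Z 198.51.100.7 alice.j LOGIN_SUCCESS
2025-10-04T09:00:00Z 198.51.100.9 bob.k LOGIN_SUCCESS
"""

def parse_events(text):
    """Parse log lines into (timestamp, src_ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_multi_account_source(text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: sorted distinct users} for each source that successfully logged in
    as at least `min_accounts` different accounts within any `window`-long span.
    Only successes count: with stolen valid credentials there may be almost no failures,
    so a failed-login threshold (classic brute-force detection) would miss this pattern."""
    successes = defaultdict(list)
    for ts, ip, user, result in parse_events(text):
        if result == "LOGIN_SUCCESS":
            successes[ip].append((ts, user))
    alerts = {}
    for ip, evs in successes.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start forward
                start += 1
            if len({u for _, u in evs[start:end + 1]}) >= min_accounts:
                alerts[ip] = sorted({u for _, u in evs})
                break
    return alerts

if __name__ == "__main__":
    for ip, users in detect_multi_account_source(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: {len(users)} distinct accounts authenticated: {', '.join(users)}")
```

Tune `window` and `min_accounts` to the environment: a NAT gateway shared by many legitimate users will need a higher threshold or an allow-list.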
## Response Actions
- Containment: Immediate password resets for all affected accounts, updating secrets on LDAP, RADIUS, and IPSec policies. Restricting WAN management and remote access (HTTP, HTTPS, SSH, SSL VPN) temporarily.
- Eradication: Revocation of external API keys, dynamic DNS, SMTP/FTP credentials, and automation secrets related to the firewall/management systems.
- Recovery: Staged reintroduction of services after all secrets and passwords have been robustly rotated and validated.
## Lessons Learned
- Compromise of valid credentials remains a primary threat, justifying robust Multi-Factor Authentication (MFA) deployment on all remote access points.
- The scale and speed of the attacks indicate reliance on readily available credential lists.
- Configuration secrets stored on security appliances like SonicWall require mandatory, frequent rotation.
## Recommendations
- Enforce Multi-Factor Authentication (MFA) on all administrative and remote access accounts, especially VPN/SSLVPN services.
- Immediately restrict or disable WAN management interfaces when not actively required.
- Implement a mandatory, periodic rotation schedule for all local user passwords, authentication server secrets (LDAP/RADIUS), and configuration secrets embedded in firewall policies.
- Perform security validation scans against VPN endpoints following any major patch or configuration change.