Attackers have compromised more than 100 SonicWall SSL VPN accounts across 16 customer environments since Oct. 4, according to Security Affairs.
Numerous accounts were accessed from the IP address 202.155.8[.]73, and in some environments the intruders went on to conduct reconnaissance, according to a Huntress report.
"The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing," said Huntress researchers.
The intrusions come just days after it was confirmed that the preference files of every SonicWall firewall enrolled in the firm's MySonicWall cloud backup service, files that hold encrypted credentials and device configurations, had been compromised. Separately, Darktrace reported that Akira ransomware has been deployed since July in intrusions exploiting the previously patched SonicWall SSL VPN vulnerability tracked as CVE-2024-40766.
"In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities," said Darktrace.
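The Huntress observation above, many accounts logging in successfully from one source in a short span with almost no failures, is a pattern defenders can hunt for in their own SSL VPN authentication logs. The script below is an added illustration written for this page, not code from Huntress, Darktrace or SonicWall. It scores each source IP on three signals: a match against the IP named in the report, the number of distinct users it logged in within a sliding window (the valid-credential burst), and repeated failures (the brute-force pattern the attackers did not exhibit). The log lines are constructed sample data; the key=value layout, the field names `src`/`usr`/`msg`, and the thresholds are assumptions to adapt to your own firewall's syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The single source IP named in the Huntress report (defanged in the article as 202.155.8[.]73).
KNOWN_BAD_IPS = {"202.155.8.73"}

# Constructed sample lines, not real telemetry. The key=value layout and field names are an
# assumption loosely modelled on firewall syslog; adjust LINE_RE to match your device's format.
SAMPLE_LOGS = """\
2025-10-04T02:14:03Z src=202.155.8.73 usr=afinch msg="SSL VPN zone remote user login allowed"
2025-10-04T02:14:41Z src=202.155.8.73 usr=bgomez msg="SSL VPN zone remote user login allowed"
2025-10-04T02:15:09Z src=202.155.8.73 usr=clee msg="SSL VPN zone remote user login allowed"
2025-10-04T02:15:52Z src=202.155.8.73 usr=dpatel msg="SSL VPN zone remote user login allowed"
2025-10-04T02:16:30Z src=202.155.8.73 usr=eokafor msg="SSL VPN zone remote user login allowed"
2025-10-04T02:17:05Z src=202.155.8.73 usr=fwhite msg="SSL VPN zone remote user login allowed"
2025-10-04T03:40:00Z src=198.51.100.7 usr=gnakamura msg="SSL VPN zone remote user login allowed"
2025-10-04T03:41:12Z src=198.51.100.7 usr=gnakamura msg="SSL VPN zone remote user login denied"
2025-10-04T04:20:45Z src=198.51.100.7 usr=hruiz msg="SSL VPN zone remote user login allowed"
2025-10-04T05:00:00Z src=203.0.113.9 usr=admin msg="SSL VPN zone remote user login denied"
2025-10-04T05:00:01Z src=203.0.113.9 usr=admin msg="SSL VPN zone remote user login denied"
2025-10-04T05:00:02Z src=203.0.113.9 usr=root msg="SSL VPN zone remote user login denied"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) usr=(?P<usr>\S+) msg="(?P<msg>[^"]*)"')


def parse_line(line):
    """Return {ts, src, usr, outcome} for a login event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"].lower()
    if "login allowed" in msg:
        outcome = "success"
    elif "login denied" in msg:
        outcome = "failure"
    else:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "usr": m["usr"], "outcome": outcome}


def max_distinct_users_in_window(events, window):
    """Largest number of distinct users that logged in within any `window`.
    `events` is a time-sorted list of (timestamp, user); two-pointer sweep."""
    counts = defaultdict(int)
    best = left = 0
    for right, (ts, usr) in enumerate(events):
        counts[usr] += 1
        while ts - events[left][0] > window:  # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def analyze(log_text, window=timedelta(minutes=10), user_threshold=5, failure_threshold=3):
    """Score each source IP. Thresholds are assumptions; tune them to your user population."""
    successes, failures = defaultdict(list), defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["outcome"] == "success":
            successes[ev["src"]].append((ev["ts"], ev["usr"]))
        else:
            failures[ev["src"]] += 1

    findings = {}
    for src in set(successes) | set(failures):
        events = sorted(successes[src])
        burst = max_distinct_users_in_window(events, window)
        reasons = []
        if src in KNOWN_BAD_IPS:
            reasons.append("known-ioc")
        if burst >= user_threshold:            # many valid users, one source, short window
            reasons.append("many-valid-users-one-source")
        if failures[src] >= failure_threshold and not events:  # guessing, not valid creds
            reasons.append("repeated-failures")
        findings[src] = {
            "distinct_users_in_window": burst,
            "successes": len(events),
            "failures": failures[src],
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_LOGS).items()):
        print(src, f)
```

The flagged source in the sample data shows six distinct users and zero failures inside three minutes, which is exactly the "valid credentials rather than brute-forcing" signature Huntress describes; the third source shows the opposite shape, a run of failures with no success. In production, pair the burst check with a known-IOC list like the one above and with a lookup of the account's usual source networks, since a single threshold tuned for a small office will be far too low for a large remote workforce.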
Ransomware, Breach, Threat Intelligence
Massive SonicWall SSL VPN compromise underway
