SonicWall SSL VPN devices have been widely compromised by attackers using legitimate credentials to gain access to multiple environments. The activity began on October 4, 2025, and affected more than 100 VPN accounts across different companies. In a few instances the threat actors attempted to access local Windows accounts and performed network scanning as part of post-exploitation activity. Separately, a security breach involving SonicWall’s cloud backup service led to unauthorized access to firewall configuration files containing private network data and encrypted credentials, which raises the possibility of targeted follow-on attacks. All passwords should be reset, exposed secrets revoked, remote access restricted, available patches applied, and multi-factor authentication enabled immediately.
On October 4, 2025, a coordinated attack wave against SonicWall SSL VPN devices began, using legitimate credentials to access more than 100 accounts across 16 businesses. Operating from a single IP address, 202.155.8[.]73, the attackers’ behaviour ranged from brief logins with no follow-up to active post-exploitation actions including network scanning and local account probing. The risk of targeted attacks is heightened because this activity coincides with a separate breach that exposed encrypted firewall configuration files through SonicWall’s MySonicWall cloud backup service. The incidents have also been compared with broader exploitation patterns against SonicWall devices, such as Akira ransomware operations that abuse vulnerabilities like CVE-2024-40766. The adversary’s tactics map to MITRE ATT&CK, with a focus on credential misuse and lateral movement.
Discovery & Scope:
The breach of SonicWall SSL VPN devices was identified through the discovery of coordinated, unusual authentication activity across several customer environments. The telling indicator was a sharp increase in successful logins across multiple businesses, all running SonicWall SSL VPN portals, combined with signs of centralized control: repeated access from the same external IP address (202.155.8[.]73). Investigation confirmed the compromise of more than 100 VPN accounts from 16 different firms. Further analysis showed that some of these environments saw only brief logins with no immediate follow-up activity, while others showed signs of more extensive intrusion efforts, pointing to a tiered or staged approach that prioritizes targets by opportunity or predetermined goals.
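The detection described above (one external address producing successful logins across many unrelated accounts and customers) can be expressed as a simple correlation over authentication logs. The script below is an added example, not code from the original report or from SonicWall. Its key=value log layout and field names (time, tenant, user, src, msg) are a constructed simplification for illustration, not SonicWall’s real syslog schema, and the sample events are constructed, not real logs; only the source address 202.155.8[.]73 comes from the report.

```python
"""Flag SSL VPN source addresses that log into many accounts across tenants.

Added example, not code from the original report. The key=value log layout
below is a constructed simplification, not SonicWall's real syslog schema;
field names (time, tenant, user, src, msg) are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the report; the text defangs it as 202.155.8[.]73.
KNOWN_BAD_SOURCES = {"202.155.8.73"}

# Constructed sample events (not real logs). 202.155.8.73 is the reported
# attacker address, 192.0.2.50 shows the same behaviour from an unknown
# address, 198.51.100.7 models a corporate NAT gateway used by one tenant,
# and 203.0.113.10 is a single user's home connection.
SAMPLE_LOGS = """\
time="2025-10-04T01:12:03Z" tenant=acme user=jdoe src=203.0.113.10 msg="SSL VPN login succeeded"
time="2025-10-04T01:14:51Z" tenant=acme user=asmith src=202.155.8.73 msg="SSL VPN login succeeded"
time="2025-10-04T01:15:02Z" tenant=globex user=bwong src=202.155.8.73 msg="SSL VPN login succeeded"
time="2025-10-04T01:15:40Z" tenant=globex user=cli src=202.155.8.73 msg="SSL VPN login failed"
time="2025-10-04T01:16:11Z" tenant=initech user=dpatel src=202.155.8.73 msg="SSL VPN login succeeded"
time="2025-10-04T01:17:55Z" tenant=initech user=rkim src=202.155.8.73 msg="SSL VPN login succeeded"
time="2025-10-04T02:30:00Z" tenant=acme user=jdoe src=198.51.100.7 msg="SSL VPN login succeeded"
time="2025-10-04T02:31:10Z" tenant=acme user=efox src=198.51.100.7 msg="SSL VPN login succeeded"
time="2025-10-04T02:33:45Z" tenant=acme user=gray src=198.51.100.7 msg="SSL VPN login succeeded"
time="2025-10-04T03:00:00Z" tenant=acme user=tnguyen src=192.0.2.50 msg="SSL VPN login succeeded"
time="2025-10-04T03:05:00Z" tenant=globex user=hzhao src=192.0.2.50 msg="SSL VPN login succeeded"
time="2025-10-04T03:09:00Z" tenant=globex user=ojones src=192.0.2.50 msg="SSL VPN login succeeded"
time="2025-10-04T09:00:00Z" tenant=umbrella user=mlee src=202.155.8.73 msg="SSL VPN login succeeded"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_shared_login_sources(lines, window=timedelta(minutes=30),
                              min_accounts=3, min_tenants=2):
    """Return suspicious sources as {src: {"accounts", "tenants", "ioc"}}.

    A source is flagged when it is a known indicator, or when within any
    `window` it successfully logs into at least `min_accounts` distinct
    (tenant, user) pairs spanning at least `min_tenants` tenants. Only
    successful logins count: failed attempts are ordinary brute-force noise,
    whereas many successes across unrelated customers is the valid-account
    abuse pattern described in the report.
    """
    successes = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("msg") == "SSL VPN login succeeded":
            successes[ev["src"]].append(ev)

    findings = {}
    for src, events in successes.items():
        events.sort(key=lambda e: e["time"])
        best_accounts, best_tenants = set(), set()
        # Sliding window anchored at each event: keep the densest cluster.
        for i, start in enumerate(events):
            in_window = [e for e in events[i:]
                         if e["time"] - start["time"] <= window]
            accounts = {(e["tenant"], e["user"]) for e in in_window}
            if len(accounts) > len(best_accounts):
                best_accounts = accounts
                best_tenants = {e["tenant"] for e in in_window}
        ioc = src in KNOWN_BAD_SOURCES
        if ioc or (len(best_accounts) >= min_accounts
                   and len(best_tenants) >= min_tenants):
            findings[src] = {"accounts": len(best_accounts),
                             "tenants": len(best_tenants), "ioc": ioc}
    return findings


if __name__ == "__main__":
    for src, info in find_shared_login_sources(SAMPLE_LOGS.splitlines()).items():
        print(f"{src}: {info['accounts']} accounts across "
              f"{info['tenants']} tenants, known IOC={info['ioc']}")
```

Two points worth noting. The cross-tenant condition is what separates this pattern from a corporate NAT gateway, which legitimately fronts many users of one customer; that is why 198.51.100.7 is not flagged even though it logs into three accounts. It also means the full signal is only visible from a vantage point that sees several customers’ logs at once, as in this incident; on a single firewall, set min_tenants to 1 and raise min_accounts, and treat any login from the reported indicator as a finding on its own.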
Attribution & Operator Profile:
No particular threat group has been identified with certainty, although the tactics and techniques used resemble those seen in recent Akira ransomware operations. The attackers displayed a high level of operational discipline and familiarity with SonicWall infrastructure. Their actions map to established MITRE ATT&CK tactics, especially credential access and lateral movement, indicating a capable, well-resourced operator able to carry out coordinated, multi-stage attacks.
Initial Access & Reconnaissance:
Initial access was achieved with legitimate SSL VPN credentials, with logins originating from the external IP address 202.155.8[.]73. Once authenticated, the attackers performed reconnaissance in a subset of environments, including network scanning and probing of local Windows accounts, consistent with preparation for lateral movement.
Exploitation & Toolset:
During the exploitation phase, access was obtained and the targeted environments were compromised primarily through the abuse of exposed credentials on SonicWall SSL VPN appliances. The attackers used credentials that had been exposed, and possibly data taken from the compromised firewall configuration backups, which contained network details and encrypted secrets. Known vulnerabilities such as CVE-2024-40766 may also have been used to bypass security controls. To avoid detection and preserve stealth during initial operations, the toolset at the point of access appears minimal, relying on credential abuse and native system utilities for scanning and enumeration.
Collection & Exfiltration:
In some environments there is evidence that the attackers used network scanning and system probing to gather information. The extent of data exfiltration remains unknown. Although no widespread exfiltration tooling or activity was found in every case, actions consistent with preparation for data theft or ransomware deployment indicate that data collection was part of the broader objective.
Conclusion:
The SonicWall SSL VPN breach reveals a sophisticated operation that uses legitimate credentials and exposed firewall backup data to obtain unauthorized access and conduct covert network reconnaissance, significantly raising the likelihood of ransomware deployment and deeper intrusion. The incident demonstrates the critical need for strong credential management, strict access controls, and prompt patching of known vulnerabilities. In response, SonicWall released security advisories recommending that customers reset all device credentials immediately, apply critical security patches, enforce multi-factor authentication on all administrative and remote-access accounts, restrict remote access and WAN management interfaces, revoke and rotate exposed API keys and secrets, and improve logging and monitoring to identify suspicious activity quickly. Together these measures aim to contain the breach, protect affected environments, and prevent further exploitation of SonicWall infrastructure.
As a result of these attacks, multiple businesses now face the risk of data theft, operational disruption, and possible ransomware deployment. Exposure of firewall configuration backups increases the risk further, since they may reveal user passwords, internal architecture, and service configurations. The combined result is a greatly expanded attack surface and the possibility of long-term persistence in affected environments, requiring immediate containment, cleanup, and strategic security improvements.
https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html