Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts
Briefly

"'Threat actors are authenticating into multiple accounts rapidly across compromised devices,' it said. 'The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.' A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted."
"The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. The breach, according to the latest update, affects all customers who have used SonicWall's cloud backup service. 'Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network,' Arctic Wolf said."
Huntress reported rapid, widespread compromises of SonicWall SSL VPN devices, with attackers authenticating into multiple accounts across compromised appliances. Activity escalated beginning October 4, 2025, impacting over 100 SSL VPN accounts across 16 customer environments, with observed authentications originating from IP 202.155.8[.]73 in investigated cases. Some intrusions ended quickly without further activity, while others involved network scanning and attempts to access numerous local Windows accounts. SonicWall acknowledged unauthorized exposure of firewall configuration backups stored in MySonicWall cloud accounts, affecting all customers who used the cloud backup service. Arctic Wolf noted those files can contain sensitive credentials and settings. Huntress found no confirmed link between the exposure and the spike in compromises and advised resetting live device credentials.
Read at The Hacker News