What defenders should watch out for: Huntress highlighted that, in a few cases, successful SSLVPN authentication was followed by internal reconnaissance traffic or attempts to access Windows administrative accounts. Additionally, logins originating from a single recurring public IP may suggest a coordinated campaign rather than random credential reuse.

On top of the steps outlined in SonicWall’s advisory, Huntress’ blog offered additional defensive actions for organizations using SonicWall devices. It urged administrators to restrict remote management interfaces, reset all credentials and secrets, review SSLVPN logs for signs of unusual authentications, and enable multi-factor authentication (MFA) wherever possible.

SonicWall gear has remained a recurring target for threat groups, with recent attacks abusing improperly patched firewalls. The Akira ransomware gang exploited known access control flaws (CVE-2024-40766) in SonicWall appliances. Earlier in the year, customers were also warned of critical authentication bypass and rootkit-style backdoors targeting SonicWall appliances.
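Added example (not code from the article, Huntress or SonicWall): a small Python check that reads SonicWall-style key=value syslog lines and flags a single source IP that successfully authenticated as several SSLVPN accounts, the "recurring public IP" pattern described above. The log format, message text and sample lines are constructed approximations, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in a SonicWall-like key=value syslog style.
# Field names and message text are assumed for illustration; real logs may
# append a port and interface to src (e.g. src=IP:port:X1), which is handled.
SAMPLE_LOGS = """\
time="2025-10-01 08:02:11" msg="SSL VPN zone remote user login allowed" usr="jsmith" src=203.0.113.5:51234:X1
time="2025-10-01 08:03:40" msg="SSL VPN zone remote user login allowed" usr="kdoe" src=203.0.113.5:51301:X1
time="2025-10-01 08:05:02" msg="SSL VPN zone remote user login allowed" usr="admin-backup" src=203.0.113.5:51377:X1
time="2025-10-01 08:09:15" msg="SSL VPN zone remote user login allowed" usr="mlee" src=198.51.100.20:44010:X1
time="2025-10-01 08:11:48" msg="SSL VPN zone remote user login failed" usr="svc-sql" src=203.0.113.5:51402:X1
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOGIN_OK_MSG = "SSL VPN zone remote user login allowed"  # assumed message text


def parse_line(line):
    """Return the line's fields as a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_successful_logins(log_text):
    """Yield (source_ip, username) for every successful SSLVPN login."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("msg") != LOGIN_OK_MSG:
            continue
        src_ip = fields.get("src", "").split(":")[0]  # drop port/interface suffix
        if src_ip and fields.get("usr"):
            hits.append((src_ip, fields["usr"]))
    return hits


def find_recurring_source_ips(log_text, min_distinct_users=2):
    """Return {ip: sorted usernames} for IPs that logged in as at least
    `min_distinct_users` different accounts; one IP across many accounts is
    the coordinated-campaign signal rather than random credential reuse."""
    users_by_ip = defaultdict(set)
    for src_ip, user in parse_successful_logins(log_text):
        users_by_ip[src_ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items()
            if len(u) >= min_distinct_users}


if __name__ == "__main__":
    for ip, users in find_recurring_source_ips(SAMPLE_LOGS).items():
        print(f"{ip} authenticated as {len(users)} accounts: {', '.join(users)}")
```

Failed logins are deliberately excluded so the count reflects accounts actually accessed; lower `min_distinct_users` or add a time window to tune for your environment.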
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4072194/sonicwall-vpns-face-a-breach-of-their-own-after-the-september-cloud-backup-fallout.html