Huntress’ new discovery, however, points to a separate, credential-driven campaign. Beginning around October 4, Huntress observed mass logins into SonicWall SSLVPN devices from attacker-controlled IPs – one notably traced to 202.155.8[.]73. Many login sessions were brief, but others involved deeper network reconnaissance and attempts to access internal Windows accounts, suggesting lateral movement attempts.
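The pattern Huntress describes, one source IP logging into an SSLVPN appliance against many accounts in a short span, is something a defender can hunt for in their own VPN logs. The following is an added detection example, not code from the article or from Huntress or SonicWall; the log line format is a constructed simplification (not SonicWall's actual syslog schema), the sample entries are constructed, and the threshold and window values are assumptions to tune per environment. The flagged address reuses the article's indicator with the defanging brackets removed.

```python
# Added example (not from the article): flag source IPs that attempt logins
# against many distinct SSLVPN accounts inside a short window.
# Log format below is constructed for this example and is NOT SonicWall's
# real syslog schema: "<ISO timestamp> src=<ip> user=<name> result=<success|failure>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 202.155.8.73 is the article's indicator, defanging removed;
# the other addresses are documentation ranges standing in for ordinary users.
SAMPLE_LOG = """\
2025-10-04T02:10:01Z src=203.0.113.5 user=alice result=success
2025-10-04T02:11:09Z src=202.155.8.73 user=alice result=failure
2025-10-04T02:11:12Z src=202.155.8.73 user=bob result=success
2025-10-04T02:11:15Z src=202.155.8.73 user=carol result=success
2025-10-04T02:11:20Z src=202.155.8.73 user=dave result=success
2025-10-04T02:11:24Z src=202.155.8.73 user=erin result=success
2025-10-04T02:11:30Z src=202.155.8.73 user=frank result=success
2025-10-04T03:45:00Z src=198.51.100.7 user=bob result=success
2025-10-04T09:00:00Z src=202.155.8.73 user=grace result=success
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "src": kv["src"],
        "user": kv["user"],
        "result": kv["result"],
    }


def find_mass_login_sources(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src_ip: set_of_users} for every source IP that touched at least
    `min_users` distinct accounts (successes and failures both count, since a
    spray attempt is the signal) within any span of length `window`.
    Thresholds are assumptions for the example; tune them to your baseline."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's events, ordered by time.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


if __name__ == "__main__":
    for src, users in find_mass_login_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} accounts in one window -> {sorted(users)}")
```

Running it over the constructed sample flags only 202.155.8.73, which hit six accounts within a minute, while the single-account logins from the other addresses stay quiet. In a real deployment the same logic would run over exported appliance logs, and a hit is a prompt to check whether those accounts were also used for internal Windows authentication, since that is the lateral-movement follow-on the article describes.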
“We have no evidence to link this (SonicWall’s) advisory to the recent spike in compromises that we have seen,” Huntress noted, adding that “none may exist allowing us to discern that activity from our vantage point.”
Even if threat actors were able to decode the compromised files from the September breach, they would see the credentials in encrypted form, SonicWall’s advisory had noted. In other words, whoever is logging into SonicWall devices right now probably did not get their keys from those backup files.