Huntress’ new discovery, however, points to a separate, credential-driven campaign. Starting around October 4, Huntress observed mass logins to SonicWall SSLVPN devices from attacker-controlled IPs, one notably traced to 202.155.8[.]73. Many login sessions were brief, but others involved deeper network reconnaissance and attempts to access internal Windows accounts, suggesting attempted lateral movement.
“We have no evidence to link this (SonicWall’s) advisory to the recent spike in compromises that we have seen,” Huntress noted, adding that “none may exist permitting us to discern that activity from our vantage point.”
Even if threat actors were able to decode the compromised files from the September breach, they would see the credentials only in encrypted form, SonicWall’s advisory had noted. In other words, whoever is logging into SonicWall devices right now probably did not get their keys from those backup files.