Huntress’ new discovery, however, points to a separate, credential-driven campaign. Starting around October 4, Huntress observed mass logins into SonicWall SSLVPN devices from attacker-controlled IPs – one notably traced to 202.155.8[.]73. Many login sessions were brief, but others involved deeper network reconnaissance and attempts to access internal Windows accounts, suggesting lateral movement attempts.
“We have no evidence to link this (SonicWall’s) advisory to the recent spike in compromises that we have seen,” Huntress noted, adding that “none may exist allowing us to discern that activity from our vantage point.”
Even if threat actors were able to decode the compromised files from the September breach, they would see the credentials only in encrypted form, the SonicWall advisory had noted. In other words, whoever is logging into SonicWall devices right now probably did not get their keys from those backup files.