Researchers at Huntress observe rapid SonicWall SSL VPN logins across multiple customers. Moreover, analysts link many authentications to 202.155.8[.]73, which consolidates activity into a coordinated pattern rather than random probing. Consequently, the campaign shows credential possession, not brute-force behavior, and it expands through account reuse across environments.
Speed, Scale, and Valid Credentials
Huntress reports impact across more than 100 accounts in 16 customers, and the surge begins October 4, 2025. Furthermore, investigators spot bursts of rapid authentications, which align with scripted session establishment rather than manual operator trials. Therefore, the evidence points to previously stolen usernames, passwords, and possibly OTP seeds rather than vulnerability exploitation on the appliance itself.
Additionally, multiple third-party observers document SonicWall remote access abuse in recent months, often adjacent to Akira activity. Because those intrusions sometimes bypass MFA, analysts suspect seed theft or token replay from prior incidents against end-of-life or migrated platforms. Consequently, administrators cannot trust MFA alone when seed compromise remains plausible.
Why This Wave Lands Now
Recently, SonicWall disclosed that all cloud backup users had firewall configuration backups accessed via MySonicWall. Although those backups remain encrypted, the files still include policy names, network objects, and integration details that can sharpen targeting. Therefore, attackers who already hold credentials can plan lateral movement with far greater precision. Consequently, this disclosure increases the urgency of credential rotation and object review after account resets.
Meanwhile, security firms continue to report SonicWall SSL VPN abuse tied to Akira and related actors, often through misconfiguration, legacy migrations, or CVE-2024-40766 exposure where customers delayed resets or carried passwords forward. Therefore, the present account compromises fit a credential-centric playbook that thrives on operational gap
How Attackers Operate From Login to Network Reach
Attackers authenticate through SSL VPN and pivot into internal services quickly. Moreover, they validate reachability, enumerate directory access, and test shares to identify soft privilege boundaries. Because the login appears legitimate, perimeter systems record a valid session rather than an exploit error. Consequently, detection relies on context: unusual geolocation, atypical timing, unfamiliar ASN, or a surge in concurrent sessions from the same IP range. Therefore, defenders need behavioral analytics rather than signature matches for this wave.
First, teams should invalidate every SSL VPN secret that touches SonicWall access, including passwords, API keys, and OTP seeds, and they should force device re-enrollment for MFA wherever feasible. Second, teams should implement geo-fencing and IP allowlists around the SSL VPN gateway while investigation proceeds. Third, teams should mine authentication logs for connections from 202.155.8[.]73 and adjacent ranges, and they should flag session bursts that deviate from baseline. Because attackers lean on valid sessions, those controls cut opportunity rapidly.
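A small hunt over constructed log lines, added here as an example and not Huntress's or SonicWall's own tooling. It assumes a simplified key=value line shape for illustration (not SonicWall's real log schema) and applies the three signals the text names: the published source IP, bursts of successful logins from one source, and one source authenticating as many distinct accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator quoted in the Huntress reporting (the article writes it defanged as 202.155.8[.]73).
KNOWN_BAD_SOURCES = {"202.155.8.73"}

# Constructed sample lines in an assumed key=value format; not SonicWall's real log schema.
SAMPLE_LOG = """\
2025-10-05T03:12:07Z event=sslvpn_login user=alice src=203.0.113.10 result=success
2025-10-05T03:12:09Z event=sslvpn_login user=bob src=202.155.8.73 result=success
2025-10-05T03:12:11Z event=sslvpn_login user=carol src=202.155.8.73 result=success
2025-10-05T03:12:14Z event=sslvpn_login user=dave src=202.155.8.73 result=success
2025-10-05T03:12:16Z event=sslvpn_login user=erin src=202.155.8.73 result=success
2025-10-05T09:40:02Z event=sslvpn_login user=frank src=198.51.100.7 result=failure
2025-10-05T09:41:30Z event=sslvpn_login user=frank src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=sslvpn_login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_logins(text):
    """Return successful logins as (timestamp, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "success":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return sorted(events)

def hunt(text, burst_n=3, window=timedelta(seconds=60), min_accounts=3):
    """Flag (a) logins from a known indicator, (b) at least burst_n successes from one
    source inside `window`, (c) one source authenticating as min_accounts distinct users.
    Successful logins, not failures, are the signal: the credentials are already in hand."""
    findings = set()
    by_src = defaultdict(list)
    for ts, user, src in parse_logins(text):
        by_src[src].append((ts, user))
        if src in KNOWN_BAD_SOURCES:
            findings.add(("indicator_match", src))
    for src, events in by_src.items():
        for i in range(len(events)):  # sliding window over this source's logins
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= burst_n:
                findings.add(("login_burst", src))
                break
        if len({u for _, u in events}) >= min_accounts:
            findings.add(("many_accounts_one_source", src))
    return sorted(findings)
```

Thresholds are deliberately low for the sample; tune burst_n, window and min_accounts against your own baseline before running it over production exports.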
Additionally, teams should align with vendor guidance and community reporting. SonicWall notes strong correlation with CVE-2024-40766 and migration residues in earlier waves; therefore, organizations should confirm patch levels, rotate credentials post-migration, and purge legacy objects that carry forward unintended access. Meanwhile, firms like Arctic Wolf document fast ransomware follow-on after SSL VPN logins; therefore, analysts should hunt for pre-ransomware staging within hours of any suspicious session.
The Remote Edge as Primary Battleground
Modern intrusion chains now start with remote access identity, not exploit chains alone. Because adversaries collect credentials through phishing, infostealers, partner breaches, and cloud leaks, they return to the edge with perfectly valid logins. Consequently, edge policies must treat every remote session as conditionally risky. Therefore, organizations should require per-session risk signals, continuous device posture, and step-up authentication on sensitive paths. Moreover, teams should decouple trust from single factors and push toward identity-aware segmentation that narrows blast radius even after a successful login.
This wave shows that credentials equal compromise when controls lag. Because threat actors now script SonicWall SSL VPN sessions at scale, defenders need revoked secrets, tight network boundaries, live analytics, and vendor-aligned patching in the same week, not the next quarter. Therefore, teams should treat every anomalous session as a pivot in progress and rebuild trust from the edge inward until telemetry proves otherwise.
FAQs
Q1. What exactly got compromised?
Attackers authenticated to SonicWall SSL VPN accounts across many customers, and they used valid credentials rather than brute force. Consequently, those sessions looked legitimate in logs.
Q2. How did attackers obtain the credentials?
Researchers see evidence of credential reuse, info-stealer logs, and OTP seed theft from prior incidents against related platforms. Therefore, MFA alone may not block these logins.
Q3. Does this relate to the recent SonicWall backup incident?
The cloud backup exposure did not hand over passwords directly; however, it likely improved targeting by revealing policy and object context. Therefore, teams should rotate all secrets anyway.
Q4. Should I disable SSL VPN?
You should restrict by IP, force credential resets, re-issue MFA seeds, and hunt for abnormal sessions first. Moreover, you should consider temporary disablement if risk remains high.
Q5. What should I check in logs today?
You should search for 202.155.8[.]73, sudden geo shifts, out-of-hours bursts, and multiple tenant logins from the same ASN. Therefore, you should treat any match as active risk.