SonicWall VPN attacks are spiking: here’s what to do this week
Attackers are hammering SonicWall VPN devices with stolen passwords and getting in fast. If your business uses one for remote access, there are five things.
By The Dragon Digital team
If your business uses a SonicWall firewall to let staff work from home, there’s active and coordinated attack activity targeting those devices right now.
Security researchers at Huntress tracked over 100 VPN accounts compromised across 16 organisations in just three days, with attackers getting in within hours of starting to scan. They’re using pre-compiled lists of usernames and passwords, likely bought or stolen from previous breaches, and trying them at scale until something sticks. The discussion on r/msp gives a detailed breakdown of what’s been observed.
Once they’re in, it gets serious quickly. A compromised VPN account puts an attacker directly inside your network, sitting behind your firewall and looking like a legitimate remote user. From there they can access files, steal credentials, and in some cases deploy ransomware. Huntress observed threat actors move from initial VPN access to network-wide encryption in under four hours.
What to do this week
If you have a SonicWall VPN, work through this list:
- Reset all passwords for every account that has VPN access. Use genuinely strong, unique passwords, not slight variations on existing ones.
- Enable multi-factor authentication on every VPN account if it isn’t already on. It raises the bar considerably.
- Restrict access by location where practical. If remote staff mostly connect from home or a fixed office, limiting access to those known locations blocks most opportunistic attacks.
- Update the firmware immediately. SonicWall’s guidance on recent threat activity confirms that version 7.3.0 includes improved brute-force protections. Older versions are more exposed.
- Check your service account permissions. The account your SonicWall uses to talk to the rest of your network shouldn’t have admin rights across the board. That’s handing attackers a master key if they get in.
These attacks aren’t exploiting some exotic new flaw. They’re exploiting weak passwords, outdated firmware, and overly permissive account settings. The kinds of things that quietly drift out of shape when IT feels like something to deal with later.
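
To check whether the credential-list logins described above have already reached your own VPN, here is an added example (not from the original article, SonicWall or Huntress) that triages login events and lists the accounts to reset first. It assumes you have exported VPN logins to a CSV with the columns time, user, src_ip and result; that layout, the allowlisted network and the three-username threshold are all assumptions to adapt.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in an assumed CSV export layout, not SonicWall's native log format.
SAMPLE_LOG = """time,user,src_ip,result
2025-01-06T08:55:10,alice,198.51.100.10,success
2025-01-06T08:57:42,bob,198.51.100.10,success
2025-01-07T02:14:01,alice,203.0.113.50,fail
2025-01-07T02:14:03,bob,203.0.113.50,fail
2025-01-07T02:14:05,carol,203.0.113.50,success
2025-01-07T02:14:11,erin,203.0.113.50,success
2025-01-07T19:30:00,bob,192.0.2.77,success
"""

# Assumption: networks your staff are expected to connect from.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def is_known(ip, networks):
    try:
        return any(ipaddress.ip_address(ip) in net for net in networks)
    except ValueError:  # malformed address: treat as unknown
        return False

def triage(log_text, networks, max_users_per_ip=3):
    tried = defaultdict(set)      # source IP -> usernames attempted
    succeeded = defaultdict(set)  # source IP -> usernames that logged in
    for row in csv.DictReader(io.StringIO(log_text)):
        ip, user = row["src_ip"].strip(), row["user"].strip().lower()
        tried[ip].add(user)
        if row["result"].strip().lower() == "success":
            succeeded[ip].add(user)
    spraying, reset, review = [], set(), []
    for ip, users in tried.items():
        if is_known(ip, networks):
            continue  # e.g. the office NAT address, shared by many staff
        if len(users) >= max_users_per_ip:
            spraying.append(ip)     # one address working through a username list
            reset |= succeeded[ip]  # those logins worked: treat as compromised
        else:
            review += [(u, ip) for u in succeeded[ip]]  # login from off the allowlist
    return {"spraying_ips": sorted(spraying),
            "accounts_to_reset": sorted(reset),
            "unknown_location_logins": sorted(review)}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG, KNOWN_NETWORKS).items():
        print(f"{name}: {value}")
```

Accounts under accounts_to_reset logged in successfully from an address that was cycling through usernames, so reset those first and end their active sessions; entries under unknown_location_logins need a quick check with the user.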
Remote access is now front-line security for most businesses, whether you’re running a professional services firm in Ruthin, a manufacturer in Flint, or anything in between. Your VPN box deserves the same attention as your front door.
For businesses that aren’t sure whether their SonicWall is locked down properly, Dragon Digital handles hardened VPN configuration and access management for local companies across North Wales. A quick check now is a lot less painful than cleaning up after a breach.