SonicWall SSLVPN stolen-credentials campaign

Campaign
Happening score
H score 53
1 unique source, 1 article

Summary

A stolen-credentials campaign is hitting SonicWall SSLVPN accounts, with attackers gaining authenticated access to more than 100 accounts and then moving to post-login reconnaissance. The activity spans 16 environments, began on October 4, and was still active on October 10, showing sustained operation rather than a single burst. After login, the actors ran network scans and tried to access local Windows accounts, increasing the risk of lateral movement.

Related Happenings

SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)

Vulnerability
First: 21.05.2026 00:19 Last: 21.05.2026 00:19 Sources 1

About this happening: Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

Timeline

  1. 13.10.2025 18:58 1 article · 7mo ago

    SonicWall SSLVPN authentication activity begins

    Exploitation Observed

    Threat actors began authenticating into multiple SonicWall SSLVPN accounts across compromised devices using stolen, valid credentials, then followed up with network scans and attempts to access local Windows accounts.

  2. 13.10.2025 18:58 2 articles · 7mo ago

    Campaign impact reaches 16 environments

    Victim Impact Update

    The SonicWall SSLVPN credential-abuse campaign affected over 100 accounts across 16 environments and was still active, indicating sustained compromise activity across the affected environments.

  3. 13.10.2025 18:58 1 article · 7mo ago

    Researchers disclose stolen-credential campaign

    Initial Disclosure

    Researchers warned that threat actors used stolen, valid credentials to compromise more than 100 SonicWall SSLVPN accounts across 16 environments; Huntress said the activity did not appear linked to the recent SonicWall firewall configuration file breach and noted most malicious requests originated from 202.155.8[.]73.
