Hackers accessed SonicWall cloud firewall backups of all customers, prompting emergency security checks

4 Min Read

SonicWall disclosed Wednesday that an unauthorized person had accessed the firewall configuration backup files of all customers using its cloud backup service.

“The files contain encrypted credentials and configuration data. While encryption is maintained, possession of these files may increase the risk of targeted attacks,” the company said.

It also said it is working to notify all partners and customers, adding that it has released tools to help assess and remediate devices. The company is also asking users to log in and verify their devices.

This development comes weeks after SonicWall urged customers to perform a credential reset after a security breach affecting MySonicWall accounts exposed firewall configuration backup files.

Each affected device listed on the MySonicWall portal is assigned a priority label to help customers sequence their remediation work. The labels are:

  • Active – High Priority: Devices with Internet Connectivity Services enabled
  • Active – Low Priority: Devices with no internet-connected services
  • Inactive: Devices that have not pinged home in 90 days

The latest post-mortem amounts to a near-complete reversal of the initial assessment, which claimed threat actors had accessed backup firewall configuration files stored in the cloud for less than 5% of customers. At the time, the company also said that although the credentials in these files are encrypted, the files contain “information that could make it easier for an attacker to exploit associated firewalls.”

It’s currently unclear how many of the company’s customers are using its cloud backup service. SonicWall has not yet disclosed when the attack began or who is behind the activity. However, the company said it has since “hardened” its infrastructure, applied additional logging and introduced stronger authentication controls to prevent it from happening again.


Users are advised to immediately follow the steps below.

  • Log in to your MySonicWall.com account and check whether a cloud backup exists for each registered firewall.
  • If the cloud backup field is blank, the device is not impacted.
  • If the field contains backup details, check whether the affected serial number is listed in your account.
  • If a serial number is displayed, follow the firewall containment and remediation guidelines SonicWall has published.

SonicWall said it will provide additional guidance in the coming days for customers who use the cloud backup feature but see no serial numbers, or only some of their registered serial numbers, listed as affected.
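The three portal labels and the serial-number check above translate naturally into a triage pass over your own firewall inventory. The following is an added example, not SonicWall's tooling or the article's own code: it applies the 90-day check-in rule and the internet-facing-services rule to a constructed inventory, and separately flags devices that have cloud backup enabled but do not appear in the portal's affected list, the case SonicWall says it will address with further guidance. The CSV columns, the reference date and every serial number are assumptions.

```python
"""Triage helper for the SonicWall cloud-backup exposure.

Added example, not SonicWall's tooling or the article's own code. It applies
the three portal priority labels to a constructed firewall inventory and
flags devices that use cloud backup but do not appear in the portal's
affected list. The inventory CSV columns and the portal export are
assumptions; every serial number below is made up.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# SonicWall labels a device "Inactive" if it has not pinged home in 90 days.
INACTIVE_AFTER_DAYS = 90

# Reference date for the example (assumption, fixed so results are stable).
TODAY = date(2025, 10, 9)

# Constructed inventory export. Column names are an assumption, not a
# SonicWall format: serial, last check-in, whether cloud backup is on, and a
# ';'-separated list of internet-facing services (empty = none).
INVENTORY_CSV = """serial,last_checkin,cloud_backup,internet_services
DEMO-SN-001,2025-10-07,yes,SSL-VPN;HTTPS-mgmt
DEMO-SN-002,2025-10-06,yes,
DEMO-SN-003,2025-05-01,yes,SSL-VPN
DEMO-SN-004,2025-10-08,no,HTTPS-mgmt
DEMO-SN-005,2025-10-01,yes,IPsec
"""

# Constructed list of serials the portal shows as affected.
PORTAL_AFFECTED = {"DEMO-SN-001", "DEMO-SN-002", "DEMO-SN-003"}

HIGH, LOW, INACTIVE, UNLISTED = (
    "Active - High Priority",
    "Active - Low Priority",
    "Inactive",
    "cloud backup on, not listed in portal",
)


@dataclass
class Device:
    serial: str
    last_checkin: date
    cloud_backup: bool
    internet_services: list


def parse_inventory(text: str) -> list:
    """Parse the constructed CSV export into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        services = [s for s in row["internet_services"].split(";") if s]
        devices.append(Device(
            serial=row["serial"].strip(),
            last_checkin=datetime.strptime(row["last_checkin"].strip(), "%Y-%m-%d").date(),
            cloud_backup=row["cloud_backup"].strip().lower() == "yes",
            internet_services=services,
        ))
    return devices


def priority(dev: Device, today: date) -> str:
    """Apply SonicWall's three labels; a device that has not checked in for
    more than 90 days is Inactive regardless of its services."""
    if today - dev.last_checkin > timedelta(days=INACTIVE_AFTER_DAYS):
        return INACTIVE
    if dev.internet_services:
        return HIGH
    return LOW


def triage(devices, portal_affected, today):
    """Bucket portal-listed devices by label; separately collect devices that
    use cloud backup but are missing from the portal list."""
    buckets = {HIGH: [], LOW: [], INACTIVE: [], UNLISTED: []}
    for dev in devices:
        if dev.serial in portal_affected:
            buckets[priority(dev, today)].append(dev.serial)
        elif dev.cloud_backup:
            buckets[UNLISTED].append(dev.serial)
    return buckets


def run_triage():
    """Run the triage over the constructed sample data."""
    return triage(parse_inventory(INVENTORY_CSV), PORTAL_AFFECTED, TODAY)


if __name__ == "__main__":
    for label, serials in run_triage().items():
        print(f"{label}: {', '.join(serials) or '-'}")
```

Devices in the High Priority bucket are the ones to contain first, since their exposed configuration describes services reachable from the internet; the unlisted bucket is the set to hold for SonicWall's follow-up guidance rather than assume clean.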

“A brute force attack against the company’s cloud backup API service gave threat actors access to a treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations, and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told The Hacker News. “This begs the question of why vendors have not implemented basic protections such as rate limiting and stronger controls on public APIs.”

“Although the password was encrypted, an attacker can decrypt it offline at any time they wish. If the password used was weak in the first place, it is almost certain that the threat actor already has a cleartext version. Even if the threat actor cannot decrypt the password, the problem remains, as the leaked information can be useful for more complex targeted attacks.”
