All SonicWall Cloud Backup users were impacted after hackers stole firewall configuration files from the MySonicWall service in early September.
Threat actors stole firewall configuration backups from SonicWall’s cloud service, impacting all users of its MySonicWall cloud backup platform.
In September, SonicWall urged customers to reset credentials after firewall backup files tied to MySonicWall accounts were exposed. The company announced it had blocked attackers’ access and is working with cybersecurity experts and law enforcement agencies to determine the scope of the breach.
SonicWall initially said that fewer than 5% of customers were impacted and that no files had leaked, but that the breach still posed risks requiring urgent action.
The incident impacted SonicWall firewalls with preference files backed up in MySonicWall.com.
SonicWall urged customers to log into their MySonicWall accounts and check whether cloud backups are enabled. If not, there is no risk. If yes, look for any flagged serial numbers; these indicate affected firewalls that need immediate remediation. If you have used backups but see no flagged devices, SonicWall will share further guidance soon.
The company told affected customers to import new preference files. However, importing the new file disrupts IPSec VPNs, TOTP bindings, and user access. After import, users must reconfigure VPN pre-shared keys and reset TOTP along with user passwords. To reduce downtime, SonicWall recommends importing during maintenance windows, off-hours, or low-activity periods since the process reboots the firewall immediately.
On October 8, SonicWall confirmed that threat actors accessed the preference files of all firewalls using its MySonicWall cloud backup service.
SonicWall said the stolen files contain encrypted credentials and configuration data, which could aid targeted attacks. The company is notifying affected users and providing assessment tools. Updated device lists now classify impacted firewalls by priority to guide remediation.
“SonicWall has completed its investigation, conducted in collaboration with leading IR Firm, Mandiant, into the scope of a recent cloud backup security incident. The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” reads a new update published by the company after the investigation.
“The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks. We are working to notify all impacted partners and customers and have released tools to assist with device assessment and remediation. Updated and comprehensive final lists of impacted devices are now available in the MySonicWall portal (Navigate to the Product Management > Issue List). To help prioritize remediation efforts, the lists include a field that identifies each device as either 1) “Active – High Priority” (devices with internet-facing services enabled); 2) “Active – Lower Priority” (devices without internet-facing services); or 3) “Inactive” (devices that have not pinged home for 90 days).”
SonicWall urges users to check their devices and says it has strengthened security, working with Mandiant to improve cloud infrastructure and monitoring.