Cybersecurity vendor SonicWall has disclosed a security incident affecting its cloud backup service for firewalls.

An investigation found that threat actors successfully accessed firewall preference files stored in the cloud for around 5% of SonicWall’s firewall install base.

The company warned that while the credentials within the files are encrypted, other information is included that could enable attackers to exploit the related firewall in the future. This includes the firewall’s serial number.

“We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” SonicWall noted in the advisory published on September 17, and updated on September 18.

To check whether they have been impacted by the attack, all SonicWall firewall customers should log in to MySonicWall.com and verify whether cloud backups are enabled for their products.

If they are, they need to check whether any of their firewall serial numbers are among the information compromised.

“If yes, the listed firewalls are at risk and should follow the containment and remediation guidelines,” SonicWall stated.

Customers whose serial numbers are not included have been told to regularly check the incident page for any additional updates.

Impacted Customers Urged to Take Immediate Action

Due to the sensitivity of the configuration files, impacted customers have been urged to take immediate containment and remediation steps.

They should first disable or restrict access to services from the WAN before moving on to remediation actions.

For remediation, SonicWall has set out a structured checklist to ensure all relevant passwords, keys and secrets are updated consistently, with critical items listed first.

“Please note that the passwords, shared secrets and encryption keys configured in SonicOS may also need to be updated elsewhere, such as with the ISP, Dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server, just to name a few. Failure to do so can cause Internet and/or VPN outages or disruption to certain services such as authentication, log/alert forwarding, etc,” the firm warned.

Logs should also be reviewed for recent configuration changes in firewalls or unusual activity.

Additionally, impacted customers will receive a new preferences file to import onto their firewall. This file randomizes the passwords of all local users, randomizes IPSec VPN keys and resets the time-based one-time password (TOTP) binding, if enabled.
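The check, containment and remediation steps above are the kind of task that is easy to get wrong across a fleet, especially when serial numbers are copied between the MySonicWall portal and an internal inventory in different formats. The following is an added example, not SonicWall's own tooling or anything from the advisory: it assumes a constructed CSV inventory and a constructed list of impacted serials (all serial values are placeholders), normalizes the serials, identifies impacted devices and any flagged serials missing from inventory, and emits an ordered remediation plan per device. The rotation order in `ROTATION_CHECKLIST` and the mapping to external systems are this example's own assumptions, modelled on the advisory's warning that SonicOS secrets are often mirrored on ISP, DDNS, email, VPN peer and LDAP/RADIUS systems.

```python
"""Triage helper for the SonicWall cloud-backup incident (added example, not SonicWall's code)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory; serials are placeholders, not real devices.
INVENTORY_CSV = """serial,hostname,cloud_backup_enabled
0017C5-ABCD01,fw-branch-01,yes
0017C5ABCD02,fw-branch-02,no
 0017c5-abcd03 ,fw-hq-edge,yes
0017C5-ABCD04,fw-lab,yes
"""

# Constructed list of serials as a customer might copy them from the
# impacted-serials view on MySonicWall.com; note the inconsistent formatting.
IMPACTED_SERIALS_TEXT = """
0017c5abcd03
0017C5-ABCD04
0017C5-ABCD99
"""

# Assumed rotation order for this example (critical items first) and the
# external system that holds a copy of each secret, if any.
ROTATION_CHECKLIST = [
    ("local user and admin passwords", None),
    ("IPsec VPN pre-shared keys", "remote IPsec VPN peer"),
    ("LDAP/RADIUS bind and shared secrets", "LDAP/RADIUS server"),
    ("WAN/PPPoE credentials", "ISP"),
    ("Dynamic DNS credentials", "Dynamic DNS provider"),
    ("SMTP/email credentials", "email provider"),
    ("syslog/alert forwarding secrets", "log collector"),
    ("TOTP bindings for users with two-factor enabled", None),
]


@dataclass(frozen=True)
class Device:
    serial: str          # normalized serial
    hostname: str
    cloud_backup: bool


@dataclass
class TriageResult:
    impacted: list       # inventory devices whose serial is on the impacted list
    unknown: set         # impacted serials with no inventory record (investigate)
    unaffected: list     # inventory devices not on the list


def normalize_serial(raw: str) -> str:
    """Upper-case and drop whitespace and dashes so serials compare reliably."""
    return "".join(ch for ch in raw.strip().upper() if ch not in "- ")


def parse_inventory(text: str) -> list:
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        devices.append(Device(
            serial=normalize_serial(row["serial"]),
            hostname=row["hostname"].strip(),
            cloud_backup=row["cloud_backup_enabled"].strip().lower() in ("yes", "true", "1"),
        ))
    return devices


def parse_impacted(text: str) -> set:
    return {normalize_serial(line) for line in text.splitlines() if line.strip()}


def triage(devices: list, impacted: set) -> TriageResult:
    known = {d.serial for d in devices}
    return TriageResult(
        impacted=[d for d in devices if d.serial in impacted],
        unknown=impacted - known,
        unaffected=[d for d in devices if d.serial not in impacted],
    )


def remediation_plan(device: Device) -> list:
    """Ordered steps for one impacted device: containment first, then rotation."""
    steps = ["disable or restrict WAN-facing management and VPN services"]
    for item, external in ROTATION_CHECKLIST:
        step = f"rotate {item}"
        if external:
            step += f" (also update on {external})"
        steps.append(step)
    steps.append("review logs for recent configuration changes or unusual activity")
    steps.append("import the new preferences file supplied by SonicWall")
    return steps


if __name__ == "__main__":
    result = triage(parse_inventory(INVENTORY_CSV), parse_impacted(IMPACTED_SERIALS_TEXT))
    for dev in result.impacted:
        print(f"{dev.hostname} ({dev.serial}), cloud backup enabled={dev.cloud_backup}")
        for n, step in enumerate(remediation_plan(dev), 1):
            print(f"  {n}. {step}")
    for serial in sorted(result.unknown):
        print(f"WARNING: {serial} is flagged but not in inventory; locate the device")
```

A serial on the impacted list that is absent from inventory is the case worth surfacing loudly, since it usually means an undocumented device or a stale inventory rather than a false positive.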

The latest incident follows a number of attacks targeting SonicWall products in recent months. The firm recently published an advisory revealing that threat actors were actively exploiting a critical vulnerability in the SonicWall SonicOS management access and SSLVPN.

In August, Arctic Wolf researchers said they had detected multiple pre-ransomware intrusions in SonicWall SSL VPNs, indicating a possible zero-day vulnerability.