SonicWall data breach: company urges customers to change passwords immediately

SonicWall has warned customers to change their credentials as soon as possible. The reason is that a cyberattack affecting MySonicWall accounts resulted in the compromise of firewall configuration backup files.

SonicWall reports that after the incident was discovered, the attackers’ access to the company’s systems was blocked. The vendor is currently cooperating with cybersecurity agencies and law enforcement to investigate the consequences of the breach.

“As part of our commitment to transparency, we are notifying you of an incident that resulted in the compromise of firewall configuration backup files stored in certain MySonicWall accounts,” the company said. “Access to the compromised configuration files could significantly facilitate the exploitation of firewalls by attackers.”

The consequences of the incident could indeed be serious, since the leaked backups may give attackers access to credentials and tokens for any services running on SonicWall devices in victims’ networks.

SonicWall representatives have published detailed guidance to help administrators minimize the risk of the stolen configuration being exploited. In particular, they recommend rotating potentially compromised secrets and passwords as soon as possible and monitoring for signs of attacker activity.

“Please note that passwords, shared secrets, and encryption keys configured in SonicOS may also need to be changed elsewhere — for example, with your internet service provider, Dynamic DNS provider, email provider, remote IPsec VPN peer, or LDAP/RADIUS server — and these are just a few examples,” the company emphasizes.

SonicWall representatives told Bleeping Computer that the incident affected fewer than 5% of SonicWall firewalls and that the attackers focused brute-force attacks on the API service for cloud backups.

“Our investigation showed that less than 5% of our total firewalls had cloud-stored configuration backups that the attackers accessed. Although the files contained encrypted passwords, they also included information that could facilitate compromising the firewalls,” the company explained. “At this time, we are not aware of the attackers publishing these files publicly. This was not a ransomware incident or any similar attack on SonicWall. Rather, it was a series of brute-force attacks targeting individual accounts to obtain access to configuration files from backups for further use.”