SonicWall Urges Password Reset Following Security Breach

Summary

– SonicWall warned customers to reset credentials after firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.
– The exposed files contain information that could make firewall exploitation significantly easier for threat actors, potentially giving access to sensitive data like credentials and tokens.
– SonicWall has provided detailed guidance for administrators to reset all credentials, API keys, and authentication tokens, and to update related services like ISPs or VPN peers.
– The incident affected fewer than 5% of SonicWall firewalls and resulted from brute-force attacks targeting the cloud backup API service, not a ransomware event.
– This breach follows recent exploitation of a critical SonicOS vulnerability (CVE-2024-40766) by threat actors like the Akira ransomware gang, which SonicWall had previously addressed.

SonicWall has issued an urgent advisory for customers to reset their passwords following a security incident that exposed firewall configuration backup files stored in certain MySonicWall accounts. The company detected unauthorized access to its systems and has since blocked the attackers, working closely with cybersecurity experts and law enforcement to assess the full scope of the breach.

According to SonicWall, the compromised backup files contain sensitive data that could significantly ease exploitation efforts by threat actors. These files may include credentials, tokens, and other critical information tied to services running on SonicWall devices within customer networks. While the company emphasized that fewer than 5% of firewalls were affected, the potential impact remains serious.

To help organizations respond effectively, SonicWall has released detailed guidance for administrators. The recommendations include disabling or restricting WAN access to services before resetting credentials, and systematically updating all passwords, API keys, and authentication tokens used by users, VPN accounts, and connected services. A full checklist is available in the company’s support bulletin.

SonicWall clarified that this was not a ransomware event, but rather a series of targeted brute-force attacks aimed at accessing cloud backup files via an API service. The company stated that, at this time, there is no evidence these files have been leaked online. Still, the risk of exposure necessitates prompt action to reconfigure all potentially affected secrets.

This incident follows recent concerns around SonicWall device vulnerabilities. In August, the company refuted claims that the Akira ransomware group was exploiting a zero-day in Gen 7 firewalls, attributing attacks instead to CVE-2024-40766, a critical SSLVPN flaw patched in November. Last week, the Australian Cyber Security Centre and Rapid7 confirmed that Akira is actively leveraging this vulnerability to target unpatched systems.

SonicWall continues to advise customers to review their security posture, apply available patches, and follow credential reset protocols to safeguard their network environments.

(Source: Bleeping Computer)
