
SonicWall Confirms Firewall Backup Files Breached in Cyberattack

Summary

– SonicWall experienced a brute-force attack on its cloud backup service, compromising backup files for fewer than 5% of its firewall installations.
– The accessed files contain credentials only in encrypted form, but they also include configuration details that could aid attackers in targeting the related firewalls.
– SonicWall has provided remediation guidelines and new preference files with randomized passwords and keys for affected customers to import.
– The company disabled the backup feature, secured its systems, and engaged a third-party firm to validate its investigation and findings.
– Impacted customers are advised to follow detailed steps during maintenance windows, as importing new configurations causes immediate firewall reboots.

SonicWall has confirmed a significant security incident involving unauthorized access to its cloud backup service for firewalls. The breach, resulting from a series of brute-force attacks, exposed backup preference files containing sensitive configuration data for a portion of the company’s firewall installations. While the accessed files did not include unencrypted credentials, they contained information that could aid threat actors in targeting related firewalls.
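The article attributes the breach to a series of brute-force attacks against a cloud login service. The detection a defender would want for that pattern is simple to state: many failures against one account from one source in a short window, one source failing against many different accounts (password spraying), and, most urgently, a success that immediately follows such a burst. The following is an added example written for this page, not SonicWall code and not derived from any SonicWall log format; the log lines and their `src=... user=... result=...` layout are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from any
# real product): ISO-8601 timestamp, source IP, account name, and outcome.
SAMPLE_LOG = """\
2025-10-01T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-10-01T02:00:03Z src=203.0.113.7 user=alice result=FAIL
2025-10-01T02:00:05Z src=203.0.113.7 user=alice result=FAIL
2025-10-01T02:00:06Z src=203.0.113.7 user=alice result=FAIL
2025-10-01T02:00:08Z src=203.0.113.7 user=alice result=FAIL
2025-10-01T02:00:09Z src=203.0.113.7 user=alice result=SUCCESS
2025-10-01T02:00:20Z src=198.51.100.9 user=bob result=FAIL
2025-10-01T02:00:21Z src=198.51.100.9 user=carol result=FAIL
2025-10-01T02:00:22Z src=198.51.100.9 user=dave result=FAIL
2025-10-01T02:00:23Z src=198.51.100.9 user=erin result=FAIL
2025-10-01T02:00:24Z src=198.51.100.9 user=frank result=FAIL
2025-10-01T03:30:00Z src=192.0.2.5 user=grace result=FAIL
2025-10-01T03:30:10Z src=192.0.2.5 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn raw log text into (timestamp, src, user, result) tuples.

    Lines that do not match the expected layout are skipped rather than
    raising, so a single malformed line cannot stall the detector.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), spray_accounts=4):
    """Return alerts for brute-force style activity.

    ('bruteforce', src, user)               one source fails `threshold` times
                                            against one account inside `window`
    ('spray', src)                          one source fails against at least
                                            `spray_accounts` distinct accounts
                                            inside `window`
    ('success_after_bruteforce', src, user) a success follows such a burst;
                                            this is the signal to treat as a
                                            likely compromise, not just noise
    """
    fails = defaultdict(deque)            # (src, user) -> failure timestamps in window
    last_fail_by_src = defaultdict(dict)  # src -> {user: most recent failure ts}
    alerted = set()                       # keys already reported, to avoid repeats
    alerts = []

    for ts, src, user, result in sorted(events):
        key = (src, user)
        q = fails[key]
        # Slide the window: drop failures older than `window` for this pair.
        while q and ts - q[0] > window:
            q.popleft()

        if result == "FAIL":
            q.append(ts)
            last_fail_by_src[src][user] = ts
            if len(q) >= threshold and ("bruteforce", key) not in alerted:
                alerted.add(("bruteforce", key))
                alerts.append(("bruteforce", src, user))
            # Spraying: count distinct accounts this source failed against recently.
            recent = [u for u, t in last_fail_by_src[src].items() if ts - t <= window]
            if len(recent) >= spray_accounts and ("spray", src) not in alerted:
                alerted.add(("spray", src))
                alerts.append(("spray", src))
        elif result == "SUCCESS" and len(q) >= threshold:
            alerts.append(("success_after_bruteforce", src, user))
            q.clear()

    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this reports a brute-force burst against `alice` from `203.0.113.7`, the success that follows it, and a spray from `198.51.100.9`; the single failed attempt by `grace` stays below every threshold. The thresholds and window are parameters because the right values depend on the service's legitimate retry behaviour, and the same logic pairs naturally with the preventive controls a cloud login endpoint should already have (per-account lockout, per-source rate limiting, and a second factor).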

The compromised backup files hold comprehensive firewall configurations, including system and device settings, network and routing rules, security service configurations, VPN policies, and user account details. SonicWall emphasized that this was not a ransomware event but a targeted effort to obtain configuration data for potential future exploitation.

Affected customers, representing fewer than five percent of SonicWall’s firewall user base, are urged to log into the MySonicWall portal to determine whether cloud backups were enabled for their devices. Those with backups active must follow detailed containment and remediation steps provided by the company.

To assist users, SonicWall has generated new preference files based on the latest backups stored in the cloud. These updated files include randomized local user passwords, reset IPSec VPN keys, and cleared TOTP bindings where applicable. Importing these revised configurations will trigger an immediate firewall reboot, so the company advises scheduling this process during maintenance windows or periods of low network activity.

Restoring full functionality may require manual reconfiguration of IPSec VPN pre-shared keys and user TOTP settings. Organizations with multiple firewalls should anticipate a time-intensive remediation process.

In response to the incident, SonicWall promptly disabled access to the backup feature and implemented infrastructure improvements to enhance system security. A leading third-party incident response firm has been engaged to validate the investigation and findings. Impacted customers and partners have received direct notifications with instructions to secure their devices.

The most current information and guidance are available in a regularly updated Knowledge Base article. SonicWall’s support team remains available to assist customers in applying the necessary security measures.

(Source: HelpNet Security)
