
SonicWall Firewall Backups Compromised by Attackers

Summary

– Attackers accessed SonicWall’s cloud backup service through brute-force attacks on the API, compromising configuration files for all customers who used the service.
– Initially, SonicWall reported that fewer than 5% of firewall installations were affected, but the full investigation revealed broader access to customer backup files.
– Customers are advised to check their MySonicWall portal for impacted devices, prioritize remediation based on internet-facing services, and reset credentials on affected units.
– The stolen backup files contain sensitive data like network configurations and encrypted credentials, which could aid attackers in targeted exploits despite encryption measures.
– SonicWall has implemented additional security measures with Mandiant’s support, but concerns remain about customer trust and potential shifts to self-managed backup solutions.

A recent security incident involving SonicWall’s firewall cloud backup service has raised significant concerns for its customer base. Following an investigation supported by cybersecurity firm Mandiant, SonicWall confirmed that attackers successfully brute-forced their way into the cloud backup API service, accessing configuration backup files for every customer who had utilized the service. This revelation comes after initial statements suggested a much more limited scope of impact.

When SonicWall first publicly acknowledged the security breach on September 17th, the company indicated that backup files for fewer than five percent of its firewall installations had been compromised. Cory Clark, SonicWall’s Vice President of Threat Operations, later clarified on a Reddit forum that the intrusion was the direct result of a series of brute-force attacks targeting the cloud backup API. The exact start date of these attacks remains undisclosed, but the confirmation means customers must now undertake remediation on any device with a configuration backed up to SonicWall’s cloud.
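Brute-force attempts of the kind described above leave a characteristic trace in an API's authentication logs: many failed logins from one source in a short window, often spread across many accounts. The following is an added example, not code from the article or from SonicWall, that flags both patterns over constructed log lines; the log format, field names, thresholds and addresses are all assumptions made for illustration.

```python
"""
Added example: flag brute-force patterns against an HTTP API from
authentication logs. The log format used here is constructed for this
example and is not a SonicWall log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering 25 distinct accounts within
# 25 seconds, plus one ordinary user who mistypes a password once.
SAMPLE_LOG = "\n".join(
    [f"2025-09-10T08:00:{i:02d}Z src=203.0.113.10 user=acct-{i:04d} result=FAIL"
     for i in range(25)]
    + ["2025-09-10T08:00:30Z src=198.51.100.7 user=acct-0001 result=FAIL",
       "2025-09-10T08:00:45Z src=198.51.100.7 user=acct-0001 result=OK"]
)


def parse_line(line):
    """Parse '<ts> src=<ip> user=<name> result=<FAIL|OK>' into a dict.

    Returns None for malformed lines so one bad record cannot stop the scan.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"src", "user", "result"} <= fields.keys():
        return None
    return {"ts": ts, **fields}


def detect_bruteforce(log_text, threshold=20, window=timedelta(minutes=5),
                      spray_accounts=10):
    """Return {source_ip: [alert, ...]} for sources showing brute-force behaviour.

    Two detections run over a per-source sliding window of failed logins
    (events must be in chronological order):
      * "burst": at least `threshold` failures from one source inside `window`
      * "spray": failures against at least `spray_accounts` distinct users
                 from one source inside `window` (password spraying)
    Each alert is raised at most once per source.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "FAIL":
            continue
        src = ev["src"]
        q = recent[src]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and "burst" not in alerts.get(src, []):
            alerts.setdefault(src, []).append("burst")
        distinct_users = {user for _, user in q}
        if len(distinct_users) >= spray_accounts and "spray" not in alerts.get(src, []):
            alerts.setdefault(src, []).append("spray")
    return alerts


if __name__ == "__main__":
    for src, kinds in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(kinds)}")
```

On the constructed sample the noisy source trips the "spray" rule on its tenth distinct account and the "burst" rule on its twentieth failure, while the single failed login from the ordinary user produces nothing. Thresholds are deliberately parameters: the right values depend on the API's normal traffic, and a rate-limit or lockout at the API itself is the control that detection like this should back up, not replace.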

Many users took precautionary steps immediately after the initial warning was issued. For those who did not, SonicWall is now advising all customers to log into their MySonicWall.com account. There, they can identify which of their registered firewalls were affected and follow the detailed containment and remediation guidelines, including the use of a provided playbook. The company has made updated and comprehensive lists of impacted devices available within the MySonicWall portal under the Product Management > Issue List section. To assist with prioritization, these lists categorize devices as ‘Active – High Priority’ for units with internet-facing services, ‘Active – Lower Priority’ for those without, and ‘Inactive’ for devices that have not communicated with the service in 90 days. The critical first step for all impacted devices is to review and reset credentials for every service that was enabled at the time of the backup.

For remediation, users have the option to address impacted firewalls using updated preference files provided by SonicWall. Understanding what was exposed is vital for assessing the risk. The compromised configuration backup files contain a wealth of sensitive data, including system and device settings, network and routing configurations, firewall rules, enabled security services, VPN settings and policies, and user/group accounts along with their credentials and password policies. While the file content is encoded, and credentials and secrets are individually encrypted using AES-256 on Gen 7 and newer firewalls or 3DES on Gen 6 models, possession of these files still presents a risk. The files are further encrypted by the cloud backup API for storage.

Although the attackers likely downloaded the files via the API, which restores them to their original encoded state with credentials still encrypted, SonicWall cautions that having these files could facilitate targeted attacks. The information within could make it easier for malicious actors to exploit the related firewall. Clark did confirm that built-in administrator accounts are not included in the backups, but he still recommends updating these accounts as part of standard security best practices.

While SonicWall has announced the implementation of additional security hardening measures and continues to work with Mandiant to enhance its cloud infrastructure and monitoring, the event may prompt a strategic shift for many organizations. It remains to be seen how many customers will now choose to store their firewall configuration backups on their own internal systems or private clouds, moving away from the vendor’s managed service. The company has been contacted for further details, including the timeline of the brute-force attacks, and this information will be added as it becomes available.

(Source: HelpNet Security)
