
State-Sponsored Hackers Breached SonicWall in September

Summary

– State-sponsored hackers breached SonicWall’s cloud environment in September, accessing customer firewall configuration backup files through an unauthorized API call.
– The security breach did not impact SonicWall’s products, firmware, source code, systems, tools, or customer networks, as confirmed by Mandiant’s investigation.
– Exposed configuration files contained sensitive information like credentials and tokens, potentially making it easier for attackers to exploit customer firewalls.
– SonicWall advised all affected customers to reset various account credentials and passwords immediately following the incident.
– The September breach is unrelated to separate attacks on SonicWall VPN accounts by the Akira ransomware gang and other malicious activity involving SSLVPN accounts in October.

A recent investigation into a September security incident at SonicWall has concluded that state-sponsored hackers orchestrated the breach, specifically targeting firewall configuration backup files stored in the company’s cloud environment. Security firm Mandiant, which led the incident response, confirmed the intrusion was limited to unauthorized access of these backup files through an API call. Importantly, the investigation found no evidence that SonicWall’s products, firmware, source code, internal systems, or customer networks were compromised or affected in any way.

SonicWall first disclosed the incident on September 17, noting that certain MySonicWall accounts had firewall configuration backup files exposed. These files can contain highly sensitive information, including access credentials and security tokens, which could make it substantially easier for attackers to exploit a customer’s firewall defenses. In response, the company urgently advised all affected customers to reset a range of credentials, including MySonicWall account passwords, temporary access codes, and secrets for various authentication servers and VPN policies.
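Because an exported firewall configuration can carry many distinct credentials (local account passwords, LDAP or RADIUS bind secrets, VPN pre-shared keys, SNMP community strings), the practical first step after an exposure like this one is to inventory every secret-bearing field in the backup so nothing is missed in the reset. The following script is an added example, not code from SonicWall, Mandiant or the source article; the backup structure and key names below are constructed for illustration and are not the real SonicWall export format, so the key-name patterns are assumptions to adapt to your own appliance's export.

```python
"""
Inventory secret-bearing fields in an exported firewall configuration backup
so that every credential the file exposes can be rotated, and produce a
redacted copy that can be shared with incident responders.

Added example: SAMPLE_BACKUP is a constructed, fictitious configuration and
is NOT the real SonicWall export format; the key names are assumptions.
"""
import re
from typing import Any, Iterator

# Key-name patterns that commonly hold credentials or tokens. Assumption:
# extend this to match the key names your appliance actually exports.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|shared_key|psk|token|passphrase"
    r"|api_key|private_key|access_code|community)",
    re.IGNORECASE,
)

# Constructed sample backup, loosely mirroring the credential categories the
# advisory told customers to reset (account password, temporary access code,
# authentication-server secrets, VPN policy keys). All values are fake.
SAMPLE_BACKUP = {
    "admin": {"username": "admin", "password": "fake-admin-pw"},
    "cloud_backup": {"enabled": True, "temporary_access_code": "123456"},
    "auth_servers": [
        {"type": "ldap", "host": "ldap.example.internal", "bind_password": "fake-ldap-pw"},
        {"type": "radius", "host": "radius.example.internal", "shared_secret": "fake-radius-secret"},
    ],
    "vpn": {
        "policies": [
            {"name": "site-to-site-hq", "peer": "203.0.113.10", "psk": "fake-vpn-psk"},
            {"name": "remote-users", "auth": "ldap", "psk": ""},
        ]
    },
    "snmp": {"community": "public"},
    "log": {"syslog_server": "10.0.0.5"},
}


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every leaf in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_secret_fields(config: dict) -> list[str]:
    """Return the dotted path of every non-empty field whose key looks like a secret."""
    hits = []
    for path, value in walk(config):
        leaf_key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(leaf_key) and value not in ("", None):
            hits.append(path)
    return hits


def rotation_checklist(config: dict) -> dict[str, list[str]]:
    """Group exposed secrets by top-level section so each section becomes one
    rotation task (every auth server, every VPN policy PSK, and so on)."""
    checklist: dict[str, list[str]] = {}
    for path in find_secret_fields(config):
        section = re.split(r"[.\[]", path, maxsplit=1)[0]
        checklist.setdefault(section, []).append(path)
    return checklist


def redact(node: Any) -> Any:
    """Return a copy of the config with secret values replaced by a marker so the
    file can be handed to responders without re-exposing the credentials."""
    if isinstance(node, dict):
        return {
            key: ("<REDACTED>" if SECRET_KEY_RE.search(key) and value not in ("", None) else redact(value))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact(value) for value in node]
    return node


if __name__ == "__main__":
    for section, paths in rotation_checklist(SAMPLE_BACKUP).items():
        print(f"[{section}] rotate {len(paths)} secret(s):")
        for p in paths:
            print(f"    - {p}")
```

The checklist deliberately skips empty fields (the `remote-users` policy above has no PSK because it authenticates via LDAP), so the list reflects credentials that were actually present in the exposed file; the redacted copy keeps non-secret settings such as hosts and log targets intact, which is what an investigator needs to understand the firewall's posture without handling live secrets.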

By October 9, SonicWall provided an update confirming that the breach impacted every customer using its cloud backup service to store firewall configuration files. The company emphasized that the incident was confined to a specific, isolated segment of its cloud infrastructure and did not threaten the integrity or security of its product offerings. Investigators also confirmed that this state-sponsored activity was unrelated to separate attacks carried out by the Akira ransomware gang, which targeted SonicWall VPN accounts protected by multi-factor authentication in late September.

In a more recent development, cybersecurity firm Huntress reported a surge in malicious activity on October 13 targeting SonicWall SSLVPN accounts. Attackers successfully compromised over one hundred accounts using valid login credentials. Huntress found no evidence linking these attacks to the September configuration file exposure, and SonicWall has not issued a public statement regarding this latest wave of incidents. The company continues to assure customers that the earlier breach has been fully contained, with no ongoing risk to product security or customer network safety.

(Source: Bleeping Computer)
