Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
SonicWall warns customers to change credentials after security breach

22 September 2025 10:56

SonicWall has warned its customers to change their login credentials as soon as possible. A cyberattack on MySonicWall accounts compromised firewall configuration backup files.

SonicWall reports that, after the incident was discovered, the attackers’ access to corporate systems was blocked. The vendor is currently working with cybersecurity agencies and law enforcement to investigate the consequences of the breach.

“As part of our commitment to transparency, we are informing you of an incident that resulted in the compromise of firewall configuration backup files stored in certain MySonicWall accounts,” the company said. “Access to the compromised configuration files could significantly facilitate firewall exploitation by attackers.”

The consequences of the incident could be very serious, as the leaked backups could allow attackers to access credentials and tokens for all services running on SonicWall devices in the victims’ networks.

SonicWall representatives have published detailed recommendations to help administrators minimize the risk of a stolen configuration being exploited. Specifically, they recommend reconfiguring potentially compromised secrets and passwords as soon as possible and monitoring for potential attacker activity.

“Please note that passwords, shared secrets, and encryption keys configured in SonicOS may need to be changed elsewhere, such as at your ISP, dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server, to name a few,” the company notes.

SonicWall representatives said the incident affected less than 5 percent of SonicWall firewalls and that the attackers targeted the cloud backup API service with brute-force attacks.

“Our investigation revealed that less than 5% of our firewalls had cloud-based configuration backups that attackers had access to. While these files contained encrypted passwords, they also contained information that could have facilitated a firewall breach,” the company explained. “We are currently unaware of any public disclosure of these files by the attackers. This was not a ransomware attack or a SonicWall-like attack. Rather, it appears to be a series of brute-force attacks targeting individual accounts with the goal of gaining access to the backup configuration files for further exploitation.”

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.