SonicWall Confirms Customer Firewall Backup Breach

SonicWall has confirmed a significant security breach involving unauthorized access to its cloud service, where a full repository of customer firewall configuration backup files was stolen. The breach was uncovered following an investigation in collaboration with cybersecurity firm Mandiant, which has concluded that all customers utilizing the cloud backup feature are affected.

The investigation revealed that threat actors managed to exfiltrate .EXP files, which are complete backups containing critical details of firewall configurations. These files include key information about network setups, security policies, and encrypted credentials for various services. While SonicWall assures that the credentials remain encrypted, the overall configuration data is only encoded, meaning it can still be read by attackers.

Experts are warning that this exposed information provides attackers with a comprehensive map of a network’s security setup, making it easier for them to launch future targeted attacks. The compromised data could also enable threat actors to exploit vulnerabilities in the network’s configuration or attempt to crack the encrypted credentials offline, particularly if weak passwords were used.

SonicWall’s Official Response

In the wake of the breach, SonicWall is actively notifying all affected customers and partners, and has released tools designed to assist with the assessment and remediation of the incident.

The breach affects any SonicWall firewall that utilized the cloud backup feature on the MySonicWall[.]com platform. SonicWall has provided an updated list of impacted devices within the MySonicWall portal, categorizing them by priority to help customers focus their remediation efforts.

SonicWall urges all customers to log in, check for affected devices, and start the remediation process immediately.

Strengthening Security Measures

To prevent future breaches, SonicWall has taken steps to enhance the security of its infrastructure, working closely with Mandiant to strengthen cloud security and monitoring systems. Additionally, the company has provided clear guidelines for customers on how to mitigate the impact of the breach.

The most critical action for affected users is to perform an “Essential Credential Reset”. This involves changing all passwords and secrets for services configured on the impacted firewalls.

To assist with this, SonicWall has published a “Remediation Playbook” and an “Online Tool” designed to help users analyze their firewall configurations and identify which services require credential updates.