SonicWall warned customers today to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts.
After detecting the incident, SonicWall cut off the attackers' access to its systems and has been working with cybersecurity and law enforcement agencies to investigate the attack's impact.
"As part of our commitment to transparency, we're notifying you of an incident that exposed firewall configuration backup files stored in certain MySonicWall accounts," the cybersecurity company said on Wednesday. "The exposed firewall configuration files contain information that could make exploitation of firewalls significantly easier for threat actors."
The implications of the incident could be dire, as these exposed backups might give threat actors access to sensitive information, such as credentials and tokens, for any or all services running on SonicWall devices on their networks.
SonicWall has also published detailed guidance to help administrators minimize the risk of an exposed firewall configuration being exploited to access their networks, reconfigure potentially compromised secrets and passwords, and detect possible threat activity within their network.
"The following checklist provides a structured approach to ensure all relevant passwords, keys, and secrets are updated consistently. Performing these steps helps maintain security and protect the integrity of your SonicWall environment. The critical items are listed first. All other credentials should be updated at your convenience," the company cautioned.
"Please note that the passwords, shared secrets, and encryption keys configured in SonicOS may also need to be updated elsewhere, such as with the ISP, Dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server, just to name a few."
This guidance advises administrators to disable or restrict access to services on the device from the WAN before resetting credentials. Then they should reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and services.
A complete list of the services that should be reset because of the stolen configuration files is provided in this Essential Credential Reset support bulletin.
A SonicWall spokesperson told BleepingComputer that the incident impacts fewer than 5% of SonicWall firewalls and that the attackers targeted the API service for cloud backup in brute-force attacks.
"Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for those devices accessed by threat actors. While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls," the spokesperson said.
"We are not currently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall; rather, this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors."
In August, SonicWall dismissed reports that the Akira ransomware gang was breaching Gen 7 firewalls with SSLVPN enabled using a possible zero-day exploit, stating that the activity was actually linked to CVE-2024-40766, a critical SSLVPN access control flaw in SonicOS that was patched in November 2024.
Last week, the company's theory was confirmed when the Australian Cyber Security Centre (ACSC) and cybersecurity firm Rapid7 confirmed that the Akira ransomware gang is now exploiting the CVE-2024-40766 vulnerability to compromise unpatched SonicWall devices.
Update September 17, 14:33 EDT: Added SonicWall statement.