SonicWall, a prominent network security firm, has recently identified a security incident involving unauthorized access to its cloud backup service for firewalls. This breach has affected less than 5% of its customer base, prompting the company to recommend immediate credential resets and the implementation of enhanced security measures.
Incident Overview
The company detected unusual activity targeting its cloud backup service, leading to unauthorized access to backup firewall preference files stored in the cloud. Although the credentials within these files were encrypted, the files contained information that could potentially facilitate exploitation of the associated firewalls. SonicWall has stated that, to date, there is no evidence of these files being leaked online, and the incident does not appear to be a ransomware attack. Instead, it seems to have been a series of brute-force attempts aimed at accessing the backup files for potential misuse. The identity of the perpetrators remains unknown.
Recommended Actions for Customers
In response to this incident, SonicWall has outlined several steps for affected customers to mitigate potential risks:
1. Verify Cloud Backup Status: Customers should log into their MySonicWall.com accounts to check if cloud backups are enabled.
2. Check for Affected Serial Numbers: Review account details to identify any flagged serial numbers indicating potential compromise.
3. Implement Containment and Remediation Measures:
– Restrict access to services from the Wide Area Network (WAN).
– Disable access to management interfaces such as HTTP, HTTPS, and SSH.
– Turn off access to SSL VPN and IPSec VPN services.
– Reset all passwords and Time-based One-Time Passwords (TOTPs) stored on the firewall.
– Examine logs and recent configuration changes for any signs of unusual activity.
Additionally, SonicWall recommends importing fresh preference files provided by the company into the firewalls. These updated files include:
– Randomized passwords for all local users.
– Reset TOTPs, if enabled.
– Randomized IPSec VPN keys.
It’s important to note that these modified preference files are created from the latest versions found in cloud storage. If the latest file does not reflect the desired settings, customers are advised not to use it.
Contextual Background
This disclosure comes amid ongoing cybersecurity threats targeting unpatched SonicWall devices. Notably, the Akira ransomware group has been exploiting a known security vulnerability (CVE-2024-40766, CVSS score: 9.3) to gain initial access to target networks. This vulnerability, identified in August 2024, involves improper access control in SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash.
In a recent incident detailed by cybersecurity firm Huntress, attackers associated with the Akira ransomware group exploited SonicWall VPNs. They leveraged a plaintext file containing recovery codes of security software to bypass multi-factor authentication (MFA), suppress incident visibility, and attempt to remove endpoint protections. This level of access can be weaponized to disable defenses, manipulate detection tools, and execute further malicious actions. Organizations are advised to treat recovery codes with the same sensitivity as privileged account passwords.
Broader Implications and Industry Response
The SonicWall incident underscores the critical importance of robust cybersecurity practices, especially concerning cloud services and backup systems. Similar breaches have occurred in the past, highlighting the need for vigilance:
– Dell’s Security Incident (2018): Dell detected unauthorized activity on its network attempting to steal customer information, including names, email addresses, and hashed passwords. As a precaution, Dell reset passwords for all accounts on Dell.com, emphasizing the importance of proactive measures even when evidence of data extraction is inconclusive.
– Slack’s Password Reset (2019): Slack reset passwords for users who hadn’t changed them since a 2015 breach. This action was taken after discovering a new list of username and password combinations matching those of its users, highlighting the risks associated with password reuse and the importance of regular password updates.
– Hostinger’s Data Breach (2019): Web hosting company Hostinger suffered a data breach affecting 14 million users. The breach involved unauthorized access to a server containing an authorization token, which was used to escalate privileges to the company’s RESTful API Server. In response, Hostinger reset passwords for all affected users and implemented additional security measures.
These incidents highlight the evolving nature of cyber threats and the necessity for organizations to adopt comprehensive security strategies, including regular software updates, strong password policies, multi-factor authentication, and continuous monitoring for suspicious activities.
Conclusion
SonicWall’s recent security breach serves as a stark reminder of the persistent threats facing network security infrastructure. Organizations must remain vigilant, promptly address vulnerabilities, and implement robust security measures to protect sensitive information. By following SonicWall’s recommended actions and staying informed about potential threats, customers can enhance their security posture and mitigate the risks associated with such incidents.
