SonicWall recently revealed that a state-sponsored threat actor was responsible for the September security incident where firewall configuration files were stolen from its cloud backup service. Initially, the company reported that the attackers had exfiltrated backup files from less than 5% of its customers. However, in an October 8 update, SonicWall revised that figure, confirming that all firewall preference files stored using its cloud backup service were compromised and stolen in the attack.
The company warned that the stolen files contain highly sensitive data, specifically encrypted credentials and configuration data. SonicWall explicitly cautioned that attackers could leverage this information to launch targeted attacks against impacted organizations. Consequently, the company strongly urged all customers to check their MySonicWall.com accounts to determine if their firewall backups were listed, as this would indicate their devices were at risk. Most critically, they advised all affected customers to reset all passwords immediately, following the detailed steps in the accompanying containment and mitigation documentation.
To thoroughly investigate the breach, SonicWall engaged the cybersecurity firm Mandiant, and the company immediately notified all affected partners and customers about the incident. SonicWall announced this week that the investigation has been completed. The firm confirmed that the malicious activity was “isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” and explicitly stated that the attack did not impact any SonicWall products or firmware itself. Furthermore, it stressed that no other SonicWall systems, source code, or customer networks were disrupted or compromised.
SonicWall also took care to underline that this incident is unrelated to a recent wave of Akira ransomware intrusions that have been targeting SonicWall firewalls and other edge devices. The company affirmed it has “taken all current remediation actions recommended by Mandiant” and will continue to work with them and other third parties for the ongoing hardening of its network and cloud infrastructure. Despite the attack being isolated, the fact that a state-sponsored actor was involved highlights the serious nature of the intrusion.
The sensitive information contained within the stolen files poses a significant high risk for impacted organizations, making customer action paramount. This urgency is compounded by a separate warning issued in mid-October by Huntress, which flagged a widespread campaign targeting SonicWall SSL VPN accounts. That campaign, which the cybersecurity firm stated did not appear linked to the cloud backup incident, likely used valid credentials to compromise multiple businesses. Therefore, SonicWall customers are advised to take immediate and decisive action to secure their devices and reset credentials.
Reference:
