SonicWall has disclosed a security incident affecting the MySonicWall cloud backup service, after detecting suspicious activity targeting firewall backup files.
SonicWall said fewer than 5% of its firewall install base had preference files accessed by threat actors.
Credentials stored in the files were encrypted, but the files could also contain information that makes it easier for attackers to compromise the affected firewall.
Because of the sensitivity of the affected configuration files, SonicWall is urging customers who use the cloud backup service to log in to their account and verify whether any of their firewalls are flagged as at risk.
“Upon login, affected serial numbers will be flagged with an informational banner,” the company said in an advisory.
“If you have used the cloud backup feature but there are no serial numbers listed in your MySonicWall account, SonicWall will provide additional guidance in coming days to determine if your backup files were impacted.”
SonicWall has published a statement on the incident, along with technical containment and mitigation documentation.
“This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” the company said.
BleepingComputer reports that SonicWall has “cut off the attackers’ access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack’s impact.”
Customers using the cloud backup feature are advised to log in to MySonicWall, check for flagged serial numbers, and follow SonicWall’s containment and remediation guidance.
The company has set up a dedicated support team to assist customers and will issue further guidance in the coming days. A community discussion is also underway on Reddit.