SonicWall is urging customers to reset their credentials after firewall configuration backup files were exposed in a security breach affecting MySonicWall accounts.
The company said it recently detected suspicious activity targeting its cloud backup service, in which unknown threat actors accessed firewall preference files stored in the cloud for less than 5% of its customers.
“The credentials in the file were encrypted, but the file also contains information that allows attackers to potentially leverage the associated firewall,” the company said.
The network security company said it is not aware of these files having been leaked online by the threat actors, adding that the incident was not a ransomware event targeting its network.
“In fact, this was a series of brute-force attacks aimed at gaining access to preference files stored in backups for the possibility of further use by threat actors.” It is currently unknown who is responsible for the attack.
In response to the incident, the company is urging its customers to take the following steps –
- Log in to mysonicwall.com and check whether cloud backup is enabled
- Check whether any affected serial numbers are flagged for your account
- Begin containment and remediation by restricting access to services from the WAN, disabling HTTP/HTTPS/SSH management access, disabling SSL VPN and IPsec VPN access, resetting passwords and TOTP secrets stored in the firewall, and reviewing logs for abnormal activity and recent configuration changes
Additionally, customers are advised to import the fresh configuration files provided by SonicWall into their firewalls. The new configuration file contains the following changes –
- Randomized passwords for all local users
- TOTP binding reset, where enabled
- Randomized IPsec VPN keys
“The modified configuration files provided by SonicWall were created from the latest configuration files in cloud storage,” the company added. “Do not use the file if the latest configuration file does not represent the desired settings.”
The disclosure comes as threat actors linked to the Akira ransomware group continue to target unpatched SonicWall devices, leveraging year-old security flaws to gain initial access to target networks.
Earlier this week, cybersecurity company Huntress detailed an Akira ransomware incident involving the exploitation of SonicWall VPNs, in which the threat actors leveraged plaintext files containing recovery codes for security software (MFA) to suppress incident visibility and remove endpoint protection.
“In this incident, the attacker attempted to use the exposed Huntress recovery code to log in to the Huntress portal, close active alerts, and initiate an uninstallation of the Huntress EDR agent, effectively blinding the organization’s defenses and leaving it vulnerable to subsequent attacks.
“This level of access can be weaponized to disable defenses, manipulate detection tools, and perform malicious actions. Organizations must handle recovery codes with the same sensitivity as privileged account passwords.”