SonicWall says unauthorized party accessed cloud firewall backup files

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files stored in its cloud for all customers who have used the cloud backup service. The company said the files contain encrypted credentials and configuration data and that while encryption remains in place, possession of the files could increase the risk of targeted attacks.

SonicWall said it is working to notify partners and customers, has released tools to assist with device assessment and remediation, and is urging users to log in to their accounts to check for affected devices. The disclosure follows an earlier advisory in which SonicWall urged customers to reset credentials after backup files were exposed in a breach affecting MySonicWall accounts.

The MySonicWall portal lists impacted devices and assigns priority labels to help customers prioritize remediation: ‘Active – High Priority’ for devices with internet-facing services enabled, ‘Active – Lower Priority’ for devices without internet-facing services, and ‘Inactive’ for devices that have not pinged home for 90 days.

The latest post-mortem is an about-face from an initial assessment, which said threat actors had accessed backup preference files for less than 5% of customers and that encrypted credentials in those files could still make exploitation easier. SonicWall has not disclosed how many customers use the cloud backup service, when the attacks began or who is behind the activity. It said it has hardened infrastructure, added logging and introduced stronger authentication controls to reduce the chance of a repeat.

SonicWall advised customers to log in to MySonicWall, verify whether cloud backups exist for registered firewalls and check whether backup fields are blank; blank fields indicate no impact. If backup details appear, users should verify whether impacted serial numbers are listed in their accounts. If serial numbers are shown, they should follow the containment and remediation guidelines provided by the company. SonicWall said it will provide additional guidance where customers have used Cloud Backup but see no serial numbers or only some listed.