Hackers breach SonicWall's security to obtain sensitive configuration details

Cloud service provider discontinues cloud backup feature, encourages administrators to reset passwords and strengthen device security

Unlawful Group Gains Access to Secure SonicWall Systems, Stealing Confidential Configuration Details

SonicWall, a leading network security provider, has confirmed a security incident affecting its cloud backup service for firewalls. The incident involved suspicious activity targeting the iCloud backup service, which resulted in a breach affecting the organization.

According to reports, a careless engineer stored recovery codes in plaintext, leaving a backdoor open for attackers. This oversight led to a breach that affected the entire organization. SonicWall has since engaged a third-party incident response (IR) and consulting firm to validate its findings and help review affected environments.

The breach, however, was not a ransomware or similar event. Instead, it was the result of brute-force attacks aimed at gaining access to the preference files stored in the iCloud backup. Customers using the iCloud backup service are instructed to log into MySonicWall, verify their registered device serial numbers, and follow the mitigation guidance provided.

The guidance includes regenerating keys, changing admin passwords, and re-importing secure configurations. SonicWall has also disabled the iCloud backup feature, rotated internal keys, and implemented infrastructure and process changes to prevent a repeat.

Researchers have warned that the Akira ransomware crew has been abusing SonicWall gear in post-compromise attacks. Additionally, criminals are hijacking fully patched SonicWall VPNs to deploy a stealthy backdoor and rootkit. Users are warned of a fake SonicWall VPN app that steals credentials.

SonicWall's investigation is ongoing, with the company promising "full transparency" and updating its Knowledge Base before public announcements. Fewer than 5% of SonicWall's firewall installed base had preference files accessed.

The breach adds to the bad news for firewall vendors this summer. SonicWall support teams have been mobilized to walk impacted customers through the process of securing their systems. The company urges administrators to review their environments and apply the published guidance as soon as possible.

At the time of writing, SonicWall has not seen evidence that the stolen files have been published or weaponized. The company reassures its customers that it is committed to maintaining the highest levels of security and will continue to work diligently to protect its users.
