Warning: Brute force attacks hitting SonicWall firewall configuration backups


SonicWall is warning admins that recent brute force attacks on its firewall’s API service for cloud backup could have exposed backup configuration files stored in its cloud portal.

Affected are SonicWall firewalls with preference files backed up to customers’ MySonicWall.com portal, the company said.

In response, access to the backup capability has been disabled, and admins are urged to disable or restrict access to the SSLVPN Service and Web/SSH Management over the WAN, then reset the firewall’s passwords, keys, and secrets.

Note that passwords and keys may also need to be updated elsewhere, such as with an organization’s internet service provider, dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server. SonicWall offers full guidance on its website.

If a customer has used the cloud backup feature but there are no serial numbers listed in its MySonicWall account, SonicWall will provide additional guidance in coming days to determine if its backup files were impacted.

SonicWall said in a statement, “less than 5% of our firewall install base had backup firewall preference files stored in the cloud.” It said it has 500,000 customers, but not all of them use its firewalls. Still, the 5% estimate could translate into thousands of organizations.

“While the files contained encrypted passwords,” the SonicWall statement said, “they also included information that could make it easier for attackers to potentially exploit firewalls.”

“Having the backup is like a treasure trove of puzzle pieces you can put back together to see the security posture and general network access of the device that was backed up,” warned Kellman Meghu, chief security architect at Canadian consultancy and incident response firm DeepCove Cybersecurity.

‘Not ransomware’

As of today, the company isn’t aware of these files having been leaked online by threat actors. 

“This was not a ransomware or similar event for SonicWall,” the statement said. “Rather, this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.” 

Users of the MySonicWall.com portal should log in and check whether cloud configuration backups are enabled. For customers who do use the capability, the portal lists the serial numbers of impacted devices and flags the account with an information banner.

Wednesday’s warning comes after several national cybersecurity authorities warned that the Akira ransomware gang was exploiting SonicWall firewalls on which a 2024 patch for a critical vulnerability had not been installed.

What are brute force attacks?

Brute force attacks use trial and error to crack passwords, login credentials, and encryption keys. They’ve been around since the beginning of the computer age, yet are still effective.

Why? In part because people still use easily guessable passwords like ‘1234’ or their company’s name, or leave in place the default passwords that vendors ship with hardware and software.

Threat actors have compiled lists of the most commonly used passwords (names of famous athletes, actors, rock bands and so on) from years of data breaches, which they sell or share for use in what are called credential-stuffing attacks. A dictionary attack uses a list of words from a dictionary. Hybrid brute force attacks combine a dictionary with lists of stolen passwords.

Modern computing technology also helps threat actors, Meghu pointed out. With today’s low-cost cloud computing resources, any crook can spin up a temporary virtual machine to work at trying every combination against a file. And Picus Security recently reported that even hashed passwords can be easily cracked.
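As an added illustration (not code from the article or from SonicWall), the following Python flags in authentication logs the two patterns described above: a run of failures against one account, the “account-by-account” brute force SonicWall reported, and credential stuffing, where one source tries a few guesses against many accounts. The log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample log lines in a hypothetical key=value format (not SonicWall's own schema).
SAMPLE_LOG = """\
2025-09-17T10:00:01Z src=198.51.100.7 account=acme-fw1 result=FAIL
2025-09-17T10:00:02Z src=198.51.100.7 account=acme-fw1 result=FAIL
2025-09-17T10:00:03Z src=198.51.100.7 account=acme-fw1 result=FAIL
2025-09-17T10:00:04Z src=198.51.100.7 account=acme-fw1 result=FAIL
2025-09-17T10:00:05Z src=198.51.100.7 account=acme-fw1 result=OK
2025-09-17T10:01:00Z src=203.0.113.9 account=beta-fw result=FAIL
2025-09-17T10:01:01Z src=203.0.113.9 account=gamma-fw result=FAIL
2025-09-17T10:01:02Z src=203.0.113.9 account=delta-fw result=FAIL
2025-09-17T10:02:00Z src=192.0.2.5 account=ops-fw result=FAIL
2025-09-17T10:02:30Z src=192.0.2.5 account=ops-fw result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) account=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Return (timestamp, src, account, result) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def detect(events, fail_threshold=4, spray_accounts=3):
    """Return sorted (kind, key) findings: brute_force = one account with >= fail_threshold
    consecutive failures; brute_force_then_success = such a run ending in OK (treat the
    account as compromised and rotate its secrets); spray = one source failing against
    >= spray_accounts distinct accounts (credential stuffing)."""
    streak = defaultdict(int)          # consecutive failures per account
    spray_targets = defaultdict(set)   # distinct accounts each source has failed against
    findings = set()
    for _ts, src, account, result in events:
        if result == "FAIL":
            streak[account] += 1
            spray_targets[src].add(account)
            if streak[account] >= fail_threshold:
                findings.add(("brute_force", account))
        else:
            if streak[account] >= fail_threshold:
                findings.add(("brute_force_then_success", account))
            streak[account] = 0        # a success resets the per-account run
    for src, accounts in spray_targets.items():
        if len(accounts) >= spray_accounts:
            findings.add(("spray", src))
    return sorted(findings)
```

A single failure followed by a success (the ops-fw lines) is an ordinary typo and is not flagged; thresholds should be tuned to the normal failure rate of the service being watched.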

Defenses

Mandating that employees and customers use long passwords of at least 16 letters and numbers is one defense. Even better, says the US National Institute of Standards and Technology (NIST), is encouraging employees to use a passphrase they can remember rather than a jumble of letters.

To discourage users from creating easily-guessable passwords, CSOs should require that employees use a password manager to store their credentials.

Finally, experts advise that the best defense against brute force attacks is phishing-resistant multi-factor authentication, including, for administrators, the use of physical USB keys or biometrics as an extra login step.

“Making brute force irrelevant by using public/private keys — protect those keys!! — or some sort of two-factor authentication is not enough,” said Meghu. “Extra protection should be the norm.

“You generally can’t trust something that is just protected by password,” he said. “Assume at some point compute power will reach a point that it is crackable. To extend that time, use as long a password as you can, 18 characters at a minimum for sensitive data.”
