SonicWall data breach affects all cloud backup customers

On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to “less than five percent” of its customers. Now, the firewall provider has admitted that “all customers” using the MySonicWall cloud backup feature were affected.

Consequences of the attack

According to the company, the stolen files contain encrypted credentials and configuration data. “[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks,” SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. “Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf.

“These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates,” he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks.

Required security measures

SonicWall is currently urging all customers and partners to regularly check their devices for updates. The company has published a list of affected devices on its customer portal under “Product Management > Issue List.”

The devices are classified according to urgency:

“Active — High Priority” for internet-exposed devices

“Active — Lower Priority” for devices without internet access

“Inactive” for devices that have not made contact for 90 days

There is also a detailed playbook that admins can use as a guide.
