With attackers exploiting 0-day and n-day vulnerabilities in the company’s firewalls and Secure Mobile Access (SMA) appliances, SonicWall and its customers have had a tough year.
And, unfortunately for them, the troubles are not over: unknown attackers have brute-forced their way into SonicWall’s cloud backup service for firewalls and accessed backup firewall preference files for “fewer than 5% of our firewall install base,” SonicWall disclosed on Wednesday.
“We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
A SonicWall backup firewall preferences file contains the complete configuration of the firewall at the time of export:
- System and device settings
- Network configurations
- Routing configurations and rules
- Firewall rules and enabled security services
- VPN configuration, settings and policies
- User and group accounts, credentials, password policies, and more.
“While credentials within the files were encrypted, the [accessed backup firewall preference files] also included information that could make it easier for attackers to potentially exploit the related firewall,” the company noted.
SonicWall has urged customers to log into the MySonicWall portal and check whether cloud backups are enabled for the firewalls they are using.
If cloud backups are not enabled, the incident does not affect them; if they are, customers should follow the containment and remediation guidelines, and this remediation playbook.
The guidelines are extensive, and SonicWall has tried to make the process easier by providing new preferences files for importing into affected firewalls.
These are based on each user’s latest preferences file found in cloud storage, but with local user passwords and IPSec VPN pre-shared keys randomized and the TOTP binding reset (if it was enabled).
“IPSec VPN pre-shared keys will need to be reconfigured manually to restore functionality after importing the preferences. Users with TOTP bindings will have them reset along with their password,” the company warns, and advises customers to import the preferences “during a maintenance window, off-hours, or during times of minimal activity as importing preferences causes an immediate firewall reboot to apply the new configuration.”
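One practical consequence of the import step above is that the randomized IPSec pre-shared keys exist only on the SonicWall side: a PSK must match on both tunnel endpoints, so every remote peer (including third-party VPN gateways) has to be updated with the same new value, and local admin passwords must be reset with fresh secrets as well. The helper below, an added example that is not part of the article or of SonicWall’s playbook, plans that rotation from a constructed inventory (the device, tunnel and account names are hypothetical): it generates one CSPRNG-backed PSK per tunnel, inverts the plan into a per-device worklist so no peer is missed, and generates policy-compliant local passwords, refusing any length that falls below a 128-bit entropy floor.

```python
import math
import secrets
import string

# Constructed sample inventory (hypothetical device and tunnel names, not from
# the article): each site-to-site tunnel lists the two endpoints that must end
# up holding the same new pre-shared key.
SAMPLE_TUNNELS = {
    "hq-to-branch1": ("fw-hq", "fw-branch1"),
    "hq-to-branch2": ("fw-hq", "fw-branch2"),
    "hq-to-cloud":   ("fw-hq", "vpn-gw-cloud"),
}

# Constructed sample of local accounts per firewall (also hypothetical).
SAMPLE_LOCAL_USERS = {
    "fw-hq": ["admin", "netops"],
    "fw-branch1": ["admin"],
    "fw-branch2": ["admin"],
}

PSK_ALPHABET = string.ascii_letters + string.digits
PASSWORD_SYMBOLS = "!#%+-=_?@"
PASSWORD_ALPHABET = PSK_ALPHABET + PASSWORD_SYMBOLS
MIN_SECRET_ENTROPY_BITS = 128


def entropy_bits(length, alphabet):
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(len(set(alphabet)))


def generate_secret(length, alphabet):
    """CSPRNG-backed secret; refuses lengths below the entropy floor."""
    if entropy_bits(length, alphabet) < MIN_SECRET_ENTROPY_BITS:
        raise ValueError("secret too short for the configured entropy floor")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_psk(length=32):
    # 32 alphanumerics give ~190 bits; alphanumerics avoid quoting issues
    # when the key is re-entered on non-SonicWall peers.
    return generate_secret(length, PSK_ALPHABET)


def password_meets_policy(pw):
    """Complexity policy: at least one lower, upper, digit and symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, PASSWORD_SYMBOLS)
    return all(any(c in cls for c in pw) for cls in classes)


def generate_password(length=24):
    # Rejection sampling keeps the distribution uniform over compliant strings.
    while True:
        pw = generate_secret(length, PASSWORD_ALPHABET)
        if password_meets_policy(pw):
            return pw


def plan_psk_rotation(tunnels):
    """One fresh PSK per tunnel, recorded once for *both* endpoints."""
    return {name: {"psk": generate_psk(), "peers": peers}
            for name, peers in tunnels.items()}


def plan_password_rotation(local_users):
    return {fw: {user: generate_password() for user in users}
            for fw, users in local_users.items()}


def devices_to_update(psk_plan):
    """Invert the plan into a per-device worklist; every peer appears here,
    including the non-SonicWall gateways the imported file cannot touch."""
    todo = {}
    for name, entry in psk_plan.items():
        for device in entry["peers"]:
            todo.setdefault(device, []).append(name)
    return todo


if __name__ == "__main__":
    psk_plan = plan_psk_rotation(SAMPLE_TUNNELS)
    for device, tunnels in devices_to_update(psk_plan).items():
        print(f"{device}: re-enter PSK for {', '.join(tunnels)}")
    for fw, users in plan_password_rotation(SAMPLE_LOCAL_USERS).items():
        print(f"{fw}: reset local password for {', '.join(users)}")
```

The per-device worklist is the point: the firewall import handles the SonicWall end, but the plan makes the remote end of each tunnel an explicit task, and the generated values should go straight into a secrets store rather than a spreadsheet.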
Even so, the process takes time: because an IPSec pre-shared key must match on both ends of a tunnel, every remote peer has to be updated in step with the firewall, and for organizations running many firewalls the rotation can be a substantial undertaking.