The attackers who brute-forced their way into SonicWall’s firewall cloud backup service accessed configuration backup files of all customers who have used the service, SonicWall stated on Wednesday, following the conclusion of a Mandiant-supported investigation into the incident.
Early reports suggested limited impact
On September 17, SonicWall publicly confirmed the security incident and said that backup firewall preference files for fewer than 5% of its firewall install base had been accessed.
Cory Clark, VP of Threat Operations at SonicWall, acknowledged on Reddit that the attackers gained access to the service by mounting a series of brute force attacks on the cloud backup API service.
SonicWall has yet to say when the attacks began, but at least now customers know for sure that they should perform remediation on all devices whose configuration they have backed up in SonicWall’s cloud.
Credential resets still a crucial step
Judging by some of the comments on Reddit, many customers made that decision (as a precaution) when the initial warning went out.
Those who haven’t have now been advised to log in to their MySonicWall.com account, check which registered firewalls have been impacted, and follow the containment and remediation guidelines together with the remediation playbook.
“Updated and comprehensive final lists of impacted devices are now available in the MySonicWall portal (Navigate to the Product Management > Issue List),” the company says.
“To help prioritize remediation efforts, the lists include a field that identifies each device as either 1) ‘Active – High Priority’ (devices with internet-facing services enabled); 2) ‘Active – Lower Priority’ (devices without internet-facing services); or 3) ‘Inactive’ (devices that have not pinged home for 90 days). Focus on ‘Active – High Priority’ units first, followed by ‘Active – Lower Priority’ second.”
SonicWall stressed that all services with credentials that were enabled at or before the time of backup should be reviewed and the credentials reset, on each impacted device.
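The triage and reset rules above (prioritize internet-facing units, then non-internet-facing, then units silent for 90 days; reset every service credential that existed at or before the backup time) are simple enough to script against an inventory export. The following is an added example, not SonicWall’s tooling: the record layout, serials and dates are constructed, and the real MySonicWall issue list may use different field names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed sample (assumed, not from the advisory).
NOW = datetime(2025, 10, 9, tzinfo=timezone.utc)


@dataclass
class Firewall:
    serial: str
    last_seen: datetime            # last time the unit pinged home
    internet_facing: bool          # any internet-facing service enabled
    backup_time: datetime          # when the cloud config backup was taken
    services: dict = field(default_factory=dict)  # service name -> enabled since


def priority(fw: Firewall, now: datetime = NOW) -> str:
    """Bucket a device using SonicWall's published triage categories."""
    if now - fw.last_seen > timedelta(days=90):
        return "Inactive"                       # has not pinged home for 90 days
    if fw.internet_facing:
        return "Active - High Priority"
    return "Active - Lower Priority"


RANK = {"Active - High Priority": 0, "Active - Lower Priority": 1, "Inactive": 2}


def credentials_to_reset(fw: Firewall) -> list:
    """Services enabled at or before backup time had their credentials in the file."""
    return sorted(name for name, since in fw.services.items() if since <= fw.backup_time)


def remediation_plan(inventory: list, now: datetime = NOW) -> list:
    """Work items ordered High -> Lower -> Inactive, each with the resets it needs."""
    items = [(priority(fw, now), fw.serial, credentials_to_reset(fw)) for fw in inventory]
    return sorted(items, key=lambda item: (RANK[item[0]], item[1]))


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (serials and dates are made up).
INVENTORY = [
    Firewall("FW-A", NOW - timedelta(days=2), True, utc(2025, 8, 1),
             {"sslvpn": utc(2024, 1, 1), "ldap": utc(2025, 9, 15), "snmp": utc(2025, 7, 30)}),
    Firewall("FW-B", NOW - timedelta(days=10), False, utc(2025, 6, 1), {"ldap": utc(2025, 1, 1)}),
    Firewall("FW-C", NOW - timedelta(days=120), True, utc(2025, 3, 1), {"radius": utc(2025, 2, 1)}),
]
```

Note that `ldap` on FW-A is excluded because it was enabled after the backup was taken; built-in administrator accounts are not in the files at all, so they are not listed here, although SonicWall still recommends rotating them.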
The company has also provided users with the option to remediate impacted firewalls through updated preferences files.
What’s in those backup files?
The backed-up configuration files contain data on system and device settings; network configurations; routing configurations and rules; firewall rules; enabled security services; VPN configuration, settings and policies; and user and group accounts, credentials and password policies.
The files’ content is encoded, with the exception of credentials and secrets, which are individually encrypted with AES-256 in Gen 7 and newer firewalls and 3DES on Gen 6 firewalls. The file is further encrypted when handled by the MSW Cloud Backup API for storage.
The attackers likely used the API to download the files, which restores each file to its original encoded state, with credentials and secrets still encrypted. But, as SonicWall notes, “while encryption remains in place, possession of these files could increase the risk of targeted attacks,” since the file includes “information that could make it easier for attackers to potentially exploit the related firewall.”
Clark confirmed that built-in administrator accounts are not included in the backup files, but that it’s “still recommended to update or change these accounts as part of the overall security best practices.”
Despite SonicWall’s assurances that it “has implemented additional security hardening measures and is working closely with Mandiant to further enhance [the company’s] cloud infrastructure and monitoring systems”, it remains to be seen how many customers will switch to storing their firewall configuration backups on their own systems or clouds.
We’ve reached out to SonicWall for additional information, including on when the brute-forcing attack started, and we’ll update this article with relevant details if we receive any.