SonicWall Confirms That Hackers Stole All Customers' Firewall Configuration Backup Files


SonicWall has confirmed that an unauthorized party accessed and stole the entire repository of customer firewall configuration backup files from its cloud service.

The confirmation comes after the completion of an investigation with the cybersecurity firm Mandiant, which determined that all customers who used the cloud backup feature are affected by the breach.

The investigation revealed that threat actors successfully exfiltrated .EXP files, which are complete snapshots of a firewall’s configuration data.

These backups contain critical details about a network’s architecture, security policies, and encrypted credentials for various services. While SonicWall stated that the credentials within the files remain encrypted, the broader configuration data is only encoded, making it readable.

Security analysts warn that this gives attackers a detailed blueprint of a target’s security posture, significantly increasing the risk of future targeted attacks.

With this information, threat actors could identify potential vulnerabilities in a network’s setup and attempt to crack the encrypted credentials offline, especially if weak passwords were used.


SonicWall’s Official Response

In response to the incident, SonicWall is notifying all impacted partners and customers and has released tools to assist with assessment and remediation.

The products affected by the SonicWall security breach are any SonicWall firewalls for which the cloud backup feature in MySonicWall[.]com was used.

Within the MySonicWall portal, the company has published updated lists of affected devices, helping customers prioritize their efforts by categorizing each device as “Active – High Priority” (internet-facing), “Active – Lower Priority” (internal-only), or “Inactive.”

The company urges all customers to log in, identify their impacted devices, and begin the remediation process immediately.

SonicWall has implemented additional security hardening measures across its infrastructure and is working with Mandiant to further enhance its cloud security and monitoring systems to prevent similar incidents.

SonicWall has provided customers with a clear path for mitigation, with the primary directive being an “Essential Credential Reset.”

Customers are strongly advised to change all passwords and secrets for any service configured on the affected firewalls.

To aid in this process, SonicWall has published a detailed “Remediation Playbook” and a “SonicWall Online Tool” designed to analyze firewall configurations and identify all services that require credential updates.

The company recommends prioritizing high-priority devices first. For customers needing assistance, a dedicated support team is available through the MySonicWall portal to guide them through the necessary changes and ensure their environments are secured.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.