A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post.
“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.
The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack.
Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added.
SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years.
Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.
The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.
“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said.
“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”
SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.
