SonicWall on Wednesday said it completed an investigation that showed hackers were able to gain access to firewall configuration backup files for all customers that used the company’s MySonicWall cloud backup service.
The probe was completed with Mandiant, the cybersecurity incident response arm of Google Cloud.
The files contained encrypted credentials and configuration data, according to the company, which noted that although the credentials remain encrypted, there is a heightened risk of targeted attacks.
The company is racing to notify partners and customers who have been impacted. SonicWall has also released tools to help assess the situation and remediate the danger.
The investigation raises serious questions about the prior disclosures from SonicWall about the scope of the attacks.
In September, the company warned about hackers conducting brute-force attacks to access the cloud backup service.
SonicWall at the time said only 5% of the firewall configuration backup files were impacted by the attack. The company did not explain how its estimate went from such a low figure to 100%, and it did not immediately respond to follow-up questions about the discrepancy.
The incident was considered so urgent that the Cybersecurity and Infrastructure Security Agency released an advisory in September urging users to log in to their customer accounts to determine whether they were at risk.
Researchers at Arctic Wolf said in a blog post that users should prioritize resetting credentials on live firewall devices.
Arctic Wolf researchers pointed out that firewall configuration files contain sensitive information, including user, group and domain settings, as well as DNS and log settings. Nation-state actors and ransomware groups steal this type of information for use in future attacks.
SonicWall said it has posted a comprehensive list of impacted devices in the MySonicWall portal.
SonicWall is working with Mandiant to enhance its cloud infrastructure and monitoring systems, a spokesperson for SonicWall said on Thursday. Officials from Mandiant declined to comment.