MySonicWall.com cloud backups exposed; compromised data a “treasure trove for anyone with malicious intent”, says security expert.
Cyber security firm SonicWall has disclosed a serious breach of its cloud backup services for its firewall range, warning that as much as five per cent of its firewall customer base may be affected.
“SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days,” SonicWall said in a September 19 advisory.
“Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5 per cent of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.”
SonicWall has said this is not a ransomware incident, and that it is unaware of any files being maliciously leaked online.
Despite SonicWall’s efforts to play the incident down, Ryan Dewhurst, head of proactive threat intelligence at cyber security company watchTowr, said even five per cent of SonicWall’s customer base could represent a win for any threat actor.
“SonicWall says only about five per cent of its customers are affected, but that five per cent is still a goldmine,” Dewhurst said.
“The leaked backups are a treasure trove for anyone with malicious intent: firewall rules, VPN configs, admin accounts, and authentication secrets – basically perfect reconnaissance material. And if those encrypted passwords are weak, attackers can crack them offline at their leisure. Suddenly, that ‘only five per cent’ starts looking like a much bigger problem.”
The breach affects SonicWall firewalls whose preferences were backed up to MySonicWall.com, and the company recommends immediate remediation “due to the sensitivity of the configuration files”.
According to cyber security company Rapid7, it is best to follow SonicWall's guidelines, which call for resetting any password- or token-protected service, including the following:
SonicWall has not been having a great few weeks with its security devices. The company began investigating a malicious campaign targeting its firewall devices in early August, which soon turned out to be the Akira ransomware gang using a bring-your-own-vulnerable-driver (BYOVD) attack against the devices.
By September 11, the Australian Signals Directorate’s Australian Cyber Security Centre issued an alert regarding the Akira activity, noting that Australian organisations were in the firing line.
“We are aware of the Akira ransomware targeting vulnerable Australian organisations through SonicWall SSL VPNs,” the ASD said in a 10 September statement.
“The vulnerability enables an attacker to achieve unauthorised access and, in specific conditions, causes the firewall to crash.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.