SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.
The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers.
“While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall,” the company said.
The network security company said it’s not aware of any of these files being leaked online by the threat actors, adding it was not a ransomware event targeting its network.
“Rather this was a series of brute-force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” it noted. It’s currently not known who is responsible for the attack.
As a result of the incident, the company is urging customers to follow the steps below –
- Login to MySonicWall.com and verify if cloud backups are enabled
- Verify if affected serial numbers have been flagged in the accounts
- Initiate containment and remediation procedures by limiting access to services from WAN, turning off access to HTTP/HTTPS/SSH Management, disabling access to SSL VPN and IPSec VPN, reset passwords and TOTPs saved on the firewall, and review logs and recent configuration changes for unusual activity
In addition, affected customers have also been recommended to import fresh preferences files provided by SonicWall into the firewalls. The new preferences file includes the following changes –
- Randomized password for all local users
- Reset TOTP binding, if enabled
- Randomized IPSec VPN keys
“The modified preferences file provided by SonicWall was created from the latest preferences file found in cloud storage,” it said. “If the latest preferences file does not represent your desired settings, please do not use the file.”
The disclosure comes as threat actors affiliated with the Akira ransomware group have continued to target unpatched SonicWall devices for obtaining initial access to target networks by exploiting a year-old security flaw (CVE-2024-40766, CVSS score: 9.3).
Earlier this week, cybersecurity company Huntress detailed an Akira ransomware incident involving the exploitation of SonicWall VPNs in which the threat actors leveraged a plaintext file containing recovery codes of its security software to bypass multi-factor authentication (MFA), suppress incident visibility, and attempt to remove endpoint protections.
“In this incident, the attacker used exposed Huntress recovery codes to log into the Huntress portal, close active alerts, and initiate the uninstallation of Huntress EDR agents, effectively attempting to blind the organization’s defenses and leave it vulnerable to follow-on attacks,” researchers Michael Elford and Chad Hudson said.
“This level of access can be weaponized to disable defenses, manipulate detection tools, and execute further malicious actions. Organizations should treat recovery codes with the same sensitivity as privileged account passwords.”
