SonicWall Firewall Alert: Reset Your Passwords Now!

Urgent Action Required for Affected Customers

In a recent security revelation that has sent ripples through the cybersecurity community, SonicWall has issued an urgent advisory to its customers following a breach that exposed firewall configuration backup files. The incident, which impacted a small percentage—less than 5%—of MySonicWall accounts, involved unauthorized access to cloud-stored firewall preference files. While the company has stated that embedded credentials within these files were encrypted, the breach included other sensitive information that could potentially make it easier for attackers to exploit the related firewalls. This event underscores the persistent threats organizations face in safeguarding their critical network infrastructure.

SonicWall has clarified that this was not a ransomware attack, nor does it appear that any of the compromised files have been leaked publicly by the malicious actors. Instead, the company described the incident as a “series of brute-force attacks” specifically aimed at gaining entry to the preference files for potential future misuse. The identity of those responsible for this targeted assault remains unknown, adding a layer of mystery to an already concerning situation.

What Happened and What You Need to Do

The core of the breach involved threat actors successfully accessing cloud backup services where SonicWall firewalls store their configuration preferences. Although passwords in these files were encrypted, other data within them could still be valuable to an attacker looking to gain a foothold. This type of information could include details about network setups, user accounts, and other critical configurations that, if understood by an adversary, could streamline their efforts to bypass security measures.

As a direct consequence of this security lapse, SonicWall is strongly advising all its customers to take immediate and decisive action. The company has outlined a series of steps to mitigate the risks and prevent further compromise:

Firstly, users should log into their MySonicWall.com accounts to confirm if cloud backups for their firewalls are active. This initial check is crucial to determine if their devices might have been affected. Secondly, customers need to verify if any of their firewall serial numbers have been flagged within their accounts as compromised.

Following these checks, it’s essential to implement containment and recovery procedures. This includes restricting external access (from the internet, or WAN) to services, especially management interfaces like HTTP, HTTPS, and SSH. Additionally, access to SSL VPN and IPSec VPN should be disabled temporarily. A critical step is to reset all passwords and any time-based one-time password (TOTP) bindings saved on the firewall. Finally, a thorough review of system logs and recent configuration changes is recommended to identify any unusual or unauthorized activity.

Taking Action: Steps to Secure Your SonicWall Firewall

Given the potential risks, SonicWall customers must act promptly. Here’s a clear breakdown of the actions you should take:

  1. Check Your MySonicWall Account: Immediately log in to MySonicWall.com. Verify if the cloud backup feature for your firewalls is enabled. This will help you understand if your device configurations could have been part of the affected systems.
  2. Identify Compromised Devices: Within your MySonicWall account, look for any flags or notifications indicating that specific firewall serial numbers have been identified as potentially compromised.
  3. Implement Containment Measures:
    • Limit WAN Access: Restrict access to your firewall management services (like HTTP, HTTPS, and SSH) from the public internet (WAN). Ideally, these should only be accessible from trusted internal networks.
    • Disable VPNs: Temporarily disable access to both SSL VPN and IPSec VPN services on your firewall. This prevents attackers from using these channels to gain unauthorized entry.
  4. Reset Credentials and Security Tokens:
    • Change All Passwords: Reset all passwords for local users configured on your firewall. Choose strong, unique passwords for each account. This is a critical step to prevent unauthorized access.
    • Reset TOTPs: If you use Time-based One-Time Passwords (TOTP) for multi-factor authentication, reset their bindings to generate new security tokens.
  5. Review and Monitor:
    • Examine Logs: Thoroughly review your firewall’s logs for any unusual or suspicious activity. Look for failed login attempts, unexpected configuration changes, or access from unknown IP addresses.
    • Configuration Audits: Check recent configuration changes to ensure no unauthorized modifications have been made to your firewall’s settings.
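As an added example (not part of SonicWall's advisory or this article), the log-review step above as a small triage script: it parses constructed syslog-style lines in a generic key=value format, which is an assumption rather than SonicWall's real log schema, and flags the three signals named in step 5 (repeated failed logins, configuration changes, logins from outside trusted networks). The trusted network ranges, the sample addresses and the failure threshold are assumed example values.

```python
"""Triage constructed firewall-style log lines for the signals in step 5: repeated
failed logins, configuration changes, and logins from outside trusted networks."""
import ipaddress
import re
from collections import Counter

# Assumed trusted management networks (example values, not from the advisory).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
# Constructed sample lines in a generic key=value syslog style (assumed format,
# not SonicWall's actual log schema); 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = """\
2025-09-17T08:01:12Z fw01 msg="Login failed" usr=admin src=203.0.113.45 svc=https
2025-09-17T08:01:15Z fw01 msg="Login failed" usr=admin src=203.0.113.45 svc=https
2025-09-17T08:01:19Z fw01 msg="Login failed" usr=admin src=203.0.113.45 svc=https
2025-09-17T08:02:03Z fw01 msg="User login" usr=admin src=203.0.113.45 svc=https
2025-09-17T08:03:40Z fw01 msg="Configuration changed" usr=admin src=203.0.113.45 obj="NAT policy"
2025-09-17T09:15:00Z fw01 msg="User login" usr=netops src=192.168.1.20 svc=ssh
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) msg="(?P<msg>[^"]*)"(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return a dict of fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec

def is_trusted(ip):
    # True when the source address falls inside an allowed management network.
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def triage(log_text, fail_threshold=3):
    """Return (kind, timestamp, detail) findings in log order."""
    findings, fails = [], Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        usr, src = rec.get("usr", "?"), rec.get("src", "")
        if rec["msg"] == "Login failed":
            fails[(usr, src)] += 1
            if fails[(usr, src)] == fail_threshold:  # report once per (user, source)
                findings.append(("repeated_login_failure", rec["ts"], f"{usr} from {src}"))
        elif rec["msg"] == "User login" and src and not is_trusted(src):
            findings.append(("untrusted_login", rec["ts"], f"{usr} from {src} via {rec.get('svc')}"))
        elif rec["msg"] == "Configuration changed":
            findings.append(("config_change", rec["ts"], f"{usr} changed {rec.get('obj')} from {src}"))
    return findings
```

Run `triage(SAMPLE_LOGS)` to get the three findings; the trusted SSH login from 192.168.1.20 produces none.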

Importing New Preferences and Understanding the Risks

In a move to help customers secure their systems, SonicWall has also recommended that affected users import fresh preference files directly provided by the company into their firewalls. These newly generated preference files include vital security enhancements:

  • Randomized passwords for all local user accounts, removing any predictability.
  • Reset TOTP binding, if multi-factor authentication was previously enabled, ensuring new security tokens are generated.
  • Randomized IPSec VPN keys, vital for securing virtual private network connections.

It’s important to note that these modified preference files are created from the most recent backup found in cloud storage. SonicWall advises caution: if this latest backup does not align with your desired firewall settings, it might be better not to use the file directly and instead manually reconfigure your settings after a full security audit.

A Broader Threat Landscape: Akira Ransomware and MFA Bypass

This incident with MySonicWall accounts arrives amidst a broader context of ongoing cyber threats. Notably, threat actors associated with the Akira ransomware group have been persistently targeting unpatched SonicWall devices. They exploit a vulnerability (CVE-2024-40766), which has a high severity score, to gain initial entry into target networks. This highlights a continuous cat-and-mouse game between cybersecurity defenders and attackers, where known vulnerabilities are often exploited even after patches are available.

Earlier this week, cybersecurity firm Huntress shed light on an Akira ransomware attack where SonicWall VPNs were compromised. In a particularly alarming turn, the attackers used a plaintext file containing recovery codes for security software to bypass multi-factor authentication (MFA). Once inside, they not only suppressed alerts but also attempted to uninstall endpoint protection agents, essentially blinding the organization’s defenses and leaving it wide open for further attacks.

This incident serves as a stark warning: recovery codes for security software must be treated with the same level of care and secrecy as high-privilege account passwords. Their exposure can grant attackers an almost unrestricted ability to dismantle defenses, manipulate detection tools, and carry out far more damaging malicious actions. The SonicWall breach, coupled with the Akira ransomware attacks, paints a clear picture of the sophisticated and relentless nature of current cyber threats, emphasizing the need for robust security practices and immediate response to any potential compromises.
