SonicWall customers told to reset credentials following firewall data breach

Threat actors brute-forced SonicWall’s cloud portal, accessing encrypted firewall configuration backups
Up to 25,000 organizations may be affected; SonicWall urges immediate credential resets
No data leaks yet confirmed; but third-party experts and law enforcement are now involved

SonicWall is urging its firewall customers to reset their passwords after confirming it suffering a security incident which may have exposed their data.

In a security announcement, SonicWall outlined how unnamed threat actors brute-forced their way into the company’s MySonicWall cloud service.

This tool allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, including network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), or admin usernames and passwords (if stored in config).

Thousands of potential victims

“While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall,” the company explained.

In theory, the attackers could brute-force or decrypt the secrets, extracting credentials used in services tied to the firewall, understand network topology and rules – bypassing defenses more easily, and launch targeted attacks using insider knowledge on how the firewalls are configured.

SonicWall said “fewer than 5%” of its customer base was affected by this attack – however the latest figures from the company claims it services roughly 500,000 customers globally, (although that doesn’t mean that all of them are using firewall, or cloud backup services) – so, the worst case scenario would put the number of affected organizations at around 25,000.

So far, no groups claimed responsibility for this attack, and the data has not surfaced anywhere on the dark web.

“We are not presently aware of these files being leaked online by threat actors,” SonicWall explained. ”This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”

After the breach, SonicWall managed to oust the attackers and has brought in third-party security experts to bolster its defenses. Law enforcement has also been notified.