SonicWall has attributed the September security breach to state-sponsored attackers, following an investigation by Mandiant. The breach exposed firewall configuration (preference) files that had been backed up to MySonicWall accounts, and SonicWall has asked affected customers to reset the credentials held in those files.
SonicWall initially reported that fewer than 5% of its customers were affected and said that no sensitive files had been leaked. By October 8, however, it acknowledged that the attackers had accessed the preference files of every firewall using its MySonicWall cloud backup service. Those files hold credentials in encrypted form alongside the firewall's full configuration; an attacker who possesses the file can work on the encrypted secrets offline and already knows the device's rules and interfaces, which is why exposure of the file has to be treated as grounds for a full credential reset rather than relying on the encryption.
The company has notified affected users and published assessment tools, including lists that rank impacted firewalls by remediation priority. In its latest updates, SonicWall again urged customers to change their passwords and stated that the breach is unrelated to the ongoing Akira ransomware and SSL VPN attacks.
Mandiant's investigation found no impact to SonicWall products, firmware, tools, source code, or customer networks; the malicious activity was confined to unauthorized retrieval of cloud backup files through a specific API call. SonicWall says it has implemented Mandiant's recommendations and is hardening its systems with assistance from external experts.
Citing the growing trend of nation-state attacks on security vendors, particularly those serving small and medium-sized businesses, SonicWall reaffirmed its commitment to protecting its partners and their customers and said it is adjusting its platform strategy to the changing threat landscape so that its security posture remains resilient.
