SonicWall recently alerted its customers to reset their passwords after detecting suspicious activity targeting MySonicWall.com, the company's cloud backup service for its firewalls. Its security team determined that threat actors had accessed cloud-stored firewall preference backups belonging to less than 5% of SonicWall's installed base.
Although the credentials in those files were encrypted, the files also contained configuration details that could make the affected firewalls easier to exploit. SonicWall has not, however, detected any of these files being leaked online by threat actors.
The incident consisted of a series of brute-force attacks aimed at gaining access to the backed-up preference files. Shane Barney, chief information security officer at Keeper Security, emphasized that even with encrypted credentials, the combination of firewall configuration details can provide an "attack roadmap" for adversaries.
To mitigate this risk, SonicWall recommends resetting administrator logins, VPN access credentials, and the credentials of any services or integrations that were connected to the devices at the time of the backup. Organizations should also rotate credentials immediately, enforce multi-factor authentication, review privileged accounts, and reduce their attack surface.
Source: https://www.scworld.com/news/sonicwall-customers-told-to-reset-passwords-following-cloud-backup-service-breach