SecurityWeek


State-Sponsored Hackers Stole SonicWall Cloud Backups in Recent Attack

The threat actor stole the firewall configuration files of all SonicWall customers who used the cloud backup service.


SonicWall this week revealed that a state-sponsored threat actor was behind the September hack in which firewall configuration files were stolen from its cloud backup service.

The company disclosed the incident in mid-September, saying that the attackers had exfiltrated the backup files of fewer than 5% of its customers.

In an October 8 update, SonicWall revised that number, saying that all firewall preference files stored using its cloud backup service were stolen.

The files, SonicWall warned, contain encrypted credentials and configuration data. Attackers could use them to launch targeted attacks, it said.

The company urged all customers to check if any firewall backups were listed in their MySonicWall.com accounts, to determine if their devices were at risk, and to reset all passwords, as described in the accompanying containment and mitigation documentation.

SonicWall engaged Mandiant to investigate the attack, and notified all impacted partners and customers about the incident. The investigation, it announced this week, has been completed.


“The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall said.

The company also underlined that the attack is unrelated to the recent wave of Akira ransomware intrusions targeting SonicWall firewalls and other edge devices.

“The incident did not impact SonicWall products or firmware. No other SonicWall systems or tools, source code, or customer networks were disrupted or compromised,” the company said.

“SonicWall has taken all current remediation actions recommended by Mandiant and will continue working with Mandiant and other third parties for ongoing hardening of our network and cloud infrastructure,” it added.

SonicWall customers are advised to take immediate action to secure their devices. In mid-October, Huntress warned of a widespread campaign targeting SonicWall SSL VPN accounts, in which valid credentials were likely used for compromise across multiple businesses.

The attacks, the cybersecurity firm said, did not appear linked to the cloud backup incident. However, the sensitive information stored in the stolen files poses a high risk for the impacted organizations.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
