Cybercriminals Compromise SonicWall Firewall Configurations


SonicWall is advising customers to reset their credentials following a security breach where hackers obtained backup firewall configuration files through its cloud service. This incident has raised significant concerns among the cybersecurity community, highlighting vulnerabilities in firewall management.

The company reported on Wednesday that attackers carried out a series of brute-force attacks against its cloud backup service, successfully acquiring configuration data for approximately 5% of SonicWall's installed devices. Although the credentials within these files are encrypted, the remaining configuration data may still give attackers insight that could facilitate further exploitation of the affected firewalls.

SonicWall noted that there is currently no evidence indicating that the stolen data has been publicly disclosed; however, it appears to be retained by the attackers for possible future exploitation. The implications of this breach are severe, as security experts from Rapid7 indicated that the files may contain critical information, including credentials and service configurations that are vital for the operation of the firewalls.

Rapid7 recently uncovered a related threat campaign, associated with the Akira ransomware group, that exploits the authentication vulnerability tracked as CVE-2024-40766. This vulnerability affects SonicWall's SonicOS and VPN services and can allow unauthorized users to reach VPN functionality even where Active Directory controls are in place. The same attack vector also lets attackers manipulate SonicWall's Virtual Office Portal, where multifactor authentication and one-time passwords are configured.

Mapped to the MITRE ATT&CK framework, the incident likely involved initial-access techniques, with attackers exploiting existing weaknesses to gain entry. Its overlap with techniques such as brute forcing and credential dumping points to the potential for persistence and privilege escalation within compromised environments, enabling threat actors to maintain access.

SonicWall has clarified that the current compromise does not seem to be connected to any ransomware activity. Customers are urged to verify if their firewall serial numbers are among the affected devices via MySonicWall.com. If so, the recommendation includes rotating all one-time passwords and multifactor authentication tokens as a precautionary measure.

The incident underscores a troubling trend of cybercriminals targeting edge devices to breach corporate networks. Recently, Google reported a hacking campaign by a group tracked as UNC6148 that used a new rootkit named Overstep to compromise fully patched SonicWall appliances. In a separate effort, attackers distributed counterfeit versions of SonicWall VPN services to deploy credential-stealing malware.

SonicWall’s latest breach serves as a critical reminder of the ongoing cybersecurity risks that businesses face, particularly as cybercrime tactics evolve rapidly. Organizations should remain vigilant, implement robust security measures, and conduct thorough evaluations of their systems regularly to mitigate risks associated with such sophisticated attacks.