SonicWall pins attack on customer portal to undisclosed nation-state
SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service.
The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.
SonicWall did not attribute the attack to a specific country or threat group, and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership pledged to improve SonicWall’s security practices.
“The malicious activity has been contained and was isolated to our firewall cloud backup service, which stores firewall configuration files in a specific cloud bucket,” SonicWall CEO Bob VanKirk said in a pre-recorded video published alongside the update. “There was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system.”
Yet, customer data was impacted because backup firewall configuration files were stolen. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop those files contain a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.”
The vendor’s public disclosures regarding the attack have been convoluted and, in some cases, erroneous. SonicWall played down the scope of compromise in its initial disclosure, framing it as impacting less than 5% of its firewall install base, but walked that assessment back weeks later when Mandiant confirmed the totality of exposure.
SonicWall said Mandiant determined the state-sponsored attacker gained access to the cloud backup files using an API call, but it did not provide further detail.
Other critical details remain unknown, including how many customers were impacted and how long the nation-state attacker maintained access to SonicWall’s customer portal. The company said it detected suspicious activity on MySonicWall.com in September.
The attack on SonicWall’s customer-facing system was disclosed a week after researchers and authorities warned about a fresh burst of about 40 Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls. The company said those attacks on customers are unrelated to the attack on SonicWall’s cloud backup environment.
“There is no evidence that this event is related to recent increases in the Akira ransomware attacks on edge devices,” VanKirk said.
SonicWall customers have confronted a series of actively exploited vulnerabilities in SonicWall devices, including four flaws exploited in the wild this year.
Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA.
VanKirk said the company is committed to continuously improving the security of its products and systems, adding that all of Mandiant’s recommended remediations have been enacted or are actively underway.