Thursday, November 6, 2025


SonicWall says state-sponsored attackers behind September cloud backup breach

SonicWall has completed its investigation into the security breach reported in September and confirmed that the incident was carried out by a state-sponsored threat actor. The breach exposed firewall configuration backup files belonging to customers who stored them in certain MySonicWall accounts.

According to the company, incident response teams from Mandiant determined that the attack did not affect any SonicWall products, firmware, tools, systems or customer networks. The malicious activity was limited to unauthorized access to cloud backup files in a specific cloud environment through an API call.

In its statement, SonicWall said, “The Mandiant investigation is now complete. Their findings confirm that the malicious activity carried out by a state-sponsored threat actor was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call.” It added that no other systems or code were compromised.

SonicWall first disclosed the incident on September 17, noting that exposed configuration files could contain sensitive information such as access credentials and tokens. The company warned that this information could make it “significantly easier” for an attacker to target a customer’s firewalls. Customers were advised to reset MySonicWall account credentials, temporary access codes, LDAP, RADIUS or TACACS server passwords, WAN interface passwords and shared secrets for IPSec and GroupVPN configurations.

An update issued on October 9 confirmed that the breach impacted all customers using the cloud backup service for firewall configurations. SonicWall emphasized that the issue was contained and that product safety was not affected.

The company also said that the state-sponsored activity had no link to attacks from a ransomware group that targeted SonicWall VPN accounts protected with multifactor authentication in late September. A separate report from a security firm on October 13 mentioned increased malicious activity targeting SonicWall SSLVPN accounts and noted that more than one hundred accounts were compromised using valid credentials. The report found no evidence connecting these incidents to the September breach, and SonicWall has not commented on the matter.
