SonicWall Firewall Config Cloud Backups Compromised



by Mike Puglia



SonicWall has announced that threat actors accessed backup firewall preference files stored in the MySonicWall Cloud. These files contain the firewall's configuration, including admin credentials and other details that could make it easier for attackers to exploit the related firewall. This only impacts customers who have enabled the Cloud Backup feature on their SonicWall firewalls. If this feature is enabled, SonicWall makes several recommendations, the most important being to reset credentials on the impacted firewalls. Full details and remediation steps are available from SonicWall at:

https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

Determine If You Are Impacted

This compromise only affects users who have enabled Cloud Backup of their firewall preference files. To check, log into MySonicWall and see whether any cloud backups exist for your firewalls. If backups exist, review Product Management->Issue List, which contains the serial numbers of firewalls where SonicWall has seen suspicious activity involving the configuration files that were stored in the cloud.

Screenshots from SonicWall below:

Required Actions (If Impacted)

SonicWall provides detailed steps to Contain, Remediate and Monitor firewalls that were impacted by the cloud backup compromise. All steps provided in the vendor link below should be followed:

https://www.sonicwall.com/support/knowledge-base/essential-credential-reset/250909151701590

At a high level, they recommend the following actions:

Disable management access via the WAN (this should always be the case: do not allow admin access to the GUI directly over the internet)

Reset user credentials, TOTP secrets and the shared secrets (pre-shared keys) in all IPsec VPN policies

Update passwords used for the WAN connection to the ISP (L2TP/PPPoE/PPTP)

Review audit logs on impacted firewalls (Monitor->Logs->Auditing Logs) for unusual activity (e.g. all admin logins, configuration changes, etc.)

Kaseya’s RocketCyber Monitoring

Kaseya’s RocketCyber Managed SOC monitors SonicWall firewalls. Due to this breach, we have enabled incident creation for the SonicWall Administrator Login Denied and Administrator Login Successful events. This will aid customers in determining whether threat actors are attempting to gain, or have already gained, access to the firewall.

The SonicWall Administrator Login Denied message is set by SonicWall at the “Alert” severity level by default and will be captured by RocketCyber.

The SonicWall Administrator Login Successful message is set by SonicWall at the “Info” severity level by default and will not be captured by RocketCyber unless you do one of the following: within SonicWall, raise that log message's severity to “Error”, or, in RocketCyber, change the Firewall Log Analyzer App configuration to capture firewall events of “Info” severity or higher, as shown in the screenshot below:
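The severity point above matters in practice: a collector that only keeps “Error” or more severe events will see the denied logins (Alert) but silently drop the successful login (Info) that follows them, which is exactly the event you want after a credential exposure. The following script is an added example, not Kaseya's or SonicWall's code. It parses SonicOS-style key=value syslog lines, applies a collector severity threshold, and then runs the two checks the audit-log review above calls for: admin logins arriving on the WAN interface, and a successful admin login from a source that was previously denied. The sample log lines, serial number, IP addresses and message IDs are constructed placeholders, and the WAN interface name `X1` is an assumption (it is the default WAN interface name on SonicWall appliances, but yours may differ).

```python
"""Triage SonicOS admin-login syslog events after a credential exposure.

Added example, not Kaseya's or SonicWall's code. Sample lines are constructed
in the SonicOS key=value syslog style; serials, IPs and message IDs are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List

# RFC 5424 syslog severities; SonicOS carries the severity in the "pri=" field.
# Lower number = more severe, so "at least Error" means pri <= 3.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

WAN_INTERFACE = "X1"  # assumed: default WAN interface name on SonicWall appliances

# Constructed sample log (not real firewall output). Two denied admin logins
# from a WAN source, then a successful one from the same source, then a
# legitimate LAN-side login and an unrelated connection event.
SAMPLE_LOG = """\
id=firewall sn=0017C5AAAAAA time="2025-09-16 08:01:12 UTC" fw=203.0.113.10 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" usr="admin" src=198.51.100.23:51234:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-16 08:01:40 UTC" fw=203.0.113.10 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" usr="admin" src=198.51.100.23:51240:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-16 08:02:05 UTC" fw=203.0.113.10 pri=6 c=32 m=31 msg="Administrator login allowed" sess="Web" usr="admin" src=198.51.100.23:51251:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-16 08:05:00 UTC" fw=203.0.113.10 pri=6 c=32 m=31 msg="Administrator login allowed" sess="Web" usr="netops" src=10.0.0.5:40112:X0 dst=10.0.0.1:443:X0
id=firewall sn=0017C5AAAAAA time="2025-09-16 08:05:30 UTC" fw=203.0.113.10 pri=6 c=1024 m=98 msg="Connection Opened" src=10.0.0.7:55000:X0 dst=192.0.2.44:443:X1
"""

# key=value pairs; values are either "quoted, may contain spaces" or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a SonicOS key=value line into a dict, preserving spaces in quoted values."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def passes_threshold(event: Dict[str, str], min_severity: str) -> bool:
    """True if the event is at least as severe as the collector's threshold."""
    return int(event.get("pri", 7)) <= SEVERITY[min_severity]


def admin_login_events(log_text: str, min_severity: str) -> List[Dict[str, str]]:
    """Return admin login events that survive the severity threshold, annotated
    with outcome, source IP and source interface."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        msg = ev.get("msg", "").lower()
        if not msg.startswith("administrator login") or not passes_threshold(ev, min_severity):
            continue
        ev["outcome"] = "allowed" if "allowed" in msg else "denied"
        parts = ev.get("src", "").split(":")          # SonicOS src is ip:port:interface
        ev["src_ip"] = parts[0]
        ev["src_if"] = parts[2] if len(parts) > 2 else ""
        events.append(ev)
    return events


def triage(log_text: str, min_severity: str = "info") -> Dict[str, List[str]]:
    """Flag admin logins arriving on the WAN interface, and successful logins
    from a source that was denied earlier in the same log."""
    findings: Dict[str, List[str]] = defaultdict(list)
    denied_by_src: Dict[str, int] = defaultdict(int)
    for ev in admin_login_events(log_text, min_severity):
        user = ev.get("usr", "?")
        if ev["src_if"] == WAN_INTERFACE:
            findings["wan_admin_login"].append(
                f'{ev.get("time", "?")} {ev["outcome"]} usr={user} src={ev["src_ip"]}')
        if ev["outcome"] == "denied":
            denied_by_src[ev["src_ip"]] += 1
        elif denied_by_src[ev["src_ip"]] > 0:
            findings["success_after_denials"].append(
                f'{ev["src_ip"]} usr={user} after {denied_by_src[ev["src_ip"]]} denials')
    return dict(findings)


if __name__ == "__main__":
    for threshold in ("error", "info"):
        print(f"collector threshold = {threshold}: {triage(SAMPLE_LOG, threshold)}")
```

Run it once with the threshold at “error” and once at “info”: at “error” the two denials are reported as WAN admin logins but the successful login is never seen, so the success-after-denials finding is absent; at “info” the same log yields both the WAN finding for all three attempts and the success-after-denials hit for the attacker's source.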

Mike Puglia

General Manager, Security Products

Mike Puglia brings over 25 years of technology, strategy, and cybersecurity experience to his role as Kaseya’s General Manager of Security Products. He is responsible for all products across Kaseya’s portfolio of security solutions.

Prior to joining Kaseya, Mike led the technical program management integration of real-time collaboration technologies into Salesforce’s Chatter Social Enterprise platform. Earlier in his career, Mike served in technical and product roles at application security company Veracode, database security company Lumigent Technologies and network security company Bluesocket.

Mike holds a Bachelor of Science in Electrical Engineering from the University of New Hampshire and an MBA from the Carroll Graduate School of Management at Boston College.