
SonicWall is urging customers to reset their credentials after firewall configuration backup files were exposed in a security breach affecting MySonicWall accounts.
The company said it recently detected suspicious activity targeting its firewall cloud backup service, with unknown threat actors accessing backup firewall preference files stored in the cloud for less than 5% of its customers.
“The credentials in the file were encrypted, but the file also contains information that allows attackers to potentially leverage the associated firewall,” the company said.
The network security company said it is not aware of these files having been leaked online by threat actors, adding that this was not a ransomware event targeting its network.
“In fact, this was a series of brute force attacks aimed at gaining access to preference files stored in backups for possible further use by threat actors.” It is currently unknown who is responsible for the attack.

As a result of the incident, the company is urging its customers to take the following steps –
Log in to mysonicwall.com to check whether cloud backup is enabled and whether any affected serial numbers are flagged in your account. Begin containment and remediation by restricting access to services from the WAN, disabling HTTP/HTTPS/SSH management, SSL VPN and IPsec VPN access from the WAN until credential resets are complete, and monitoring for unusual activity.
Additionally, customers are advised to import the fresh configuration files provided by SonicWall into their firewalls. The new configuration files contain the following changes –
Randomized passwords for all local users, a reset of the TOTP binding (if enabled), and randomized IPsec VPN keys.
“The modified configuration files provided by SonicWall were created from the latest configuration files in cloud storage. Do not use the file if the latest configuration file does not represent the desired settings.”
The disclosure comes as threat actors linked to the Akira ransomware group continue to target unpatched SonicWall devices to gain initial access to victim networks by exploiting a year-old security flaw.

Earlier this week, cybersecurity company Huntress detailed an Akira ransomware incident involving the exploitation of a SonicWall VPN, in which the threat actors leveraged a plaintext file containing recovery codes for multi-factor authentication (MFA) on security software to reduce incident visibility and remove endpoint protection.
“In this incident, the attacker attempted to use the exposed Huntress recovery code to log in to the Huntress portal, close active alerts, and initiate an uninstallation of the Huntress EDR agent, effectively blinding the organization’s defenses and leaving it vulnerable to subsequent attacks.
“This level of access can be weaponized to disable defenses, manipulate detection tools, and perform malicious actions. Organizations must handle recovery codes with the same sensitivity as privileged account passwords.”