State-sponsored hackers named as culprits in SonicWall cyber hit


SonicWall, a major provider of VPN, firewall, and other network security products, has formally blamed state-sponsored threat actors for the September security breach, in which the firewall cloud backup files of all customers who used the service were accessed without authorization.

“The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” the company said.

“The incident is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices,” SonicWall added.


It’s so far unclear which state “sponsored” the threat actor.

Nearly a month ago, SonicWall said that an unknown party had accessed firewall configuration backup files for all customers who have used the cloud backup service.


That was itself an update to the firm's earlier statement that the threat actors had accessed the cloud backup files, which contain encrypted credentials and configuration data, of fewer than 5% of its customers.

In its latest update, SonicWall said it had engaged Google-owned Mandiant to investigate the breach. The investigation is now complete, the firm said, stressing that the incident did not affect SonicWall products or firmware.

“No other SonicWall systems or tools, source code, or customer networks were disrupted or compromised. SonicWall has taken all current remediation actions recommended by Mandiant,” the company stated.

SonicWall customers are advised to log in to MySonicWall.com (the portal the attacker targeted using a series of brute-force attempts), check whether any of their registered devices are flagged, and reset the credentials for the affected services.

[Image: SonicWall breach. Image by Cybernews.]

The company has also released an Online Analysis Tool and Credentials Reset Tool to identify services that require remediation and perform credential-related security tasks, respectively.

SonicWall has been dealing with a few critical security vulnerabilities this year, some of which are actively exploited by attackers.


In January, the SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) were found to contain a deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute arbitrary commands.

In August, the Shadowserver Foundation warned that more than 3,200 unpatched SonicWall SMA100 devices exposed to the internet were vulnerable to a separate stack-based buffer overflow flaw.

Finally, the Akira gang targeted MFA-protected SonicWall VPN accounts in late September.
