SonicWall environment left open, exposing some data – customers safe

Cybersecurity company SonicWall leaked 22GB of logs from a “prototype environment.” The incident is limited in scale, as no customers are affected; however, some employees should be aware.

On April 29th, the Cybernews research team discovered a publicly exposed instance of Elasticsearch, a commonly used big data search, analysis, and visualization tool, belonging to SonicWall.

SonicWall is a popular cybersecurity appliance manufacturer specializing in content control and network security. It helps organizations achieve compliance with HIPAA (the Health Insurance Portability and Accountability Act) and the Payment Card Industry Data Security Standard (PCI DSS). It sells VPN and firewall devices and provides endpoint detection and response, email, and cloud security services.

“The exposed Elasticsearch instance contained activity logs of their security products, though contrary to the naming of the Elasticsearch cluster and its indices, it appeared that these logs were for development and quality assurance environments, and the research team was unable to find any identifiable customer information,” a report by the Cybernews research team reads.

Outside attackers or other snoopers could check telemetry information, scan results, user role changes, and other general log entries. Unfortunately, some employee names and emails were also included in the leak.

SonicWall promptly responded and resolved the issue. The company confirmed to researchers that the found data was from a “prototype environment” and assured that it had not identified any impact on their products, services, or sensitive customer data.

A good reminder to tighten access controls

The leaked information was less sensitive than it would have been had the logs come from a more important environment, such as production.

However, the exposed data still contained potentially sensitive operational and architectural information that may tempt motivated malicious actors.

“While customer information did not appear to be affected, the security oversight still raises some concerns. It may signal a lack of discoverability and monitoring of internal systems,” researchers said.

Malicious actors holding the leaked information could identify security and operational vulnerabilities, if any are present, and learn when administrators are online to perform certain actions, which tasks they perform and how regularly, and other behaviors and schedules.

This is another reminder of how important it is for companies to carefully maintain access controls and IP whitelisting on every internet-reachable service, including development and prototype environments.
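One concrete self-check that follows from this advice, as an added example that is not Cybernews' or SonicWall's code: it sends a single unauthenticated GET to an Elasticsearch endpoint you operate and reports whether the node answers anonymously, demands credentials, or is not Elasticsearch at all. The two sample response bodies are constructed, not captured from any real cluster, and the usage URL is a placeholder for your own host.

```python
import json
import sys
import urllib.error
import urllib.request

# Elasticsearch answers GET / with this tagline whenever it accepts the request.
ES_TAGLINE = "You Know, for Search"

# Constructed sample bodies (not captured from any real cluster), shaped like
# genuine Elasticsearch replies: an open node, and one enforcing authentication.
SAMPLE_OPEN = ('{"name":"node-1","cluster_name":"dev-logs",'
               '"version":{"number":"7.17.0"},"tagline":"You Know, for Search"}')
SAMPLE_LOCKED = ('{"error":{"type":"security_exception","reason":'
                 '"missing authentication credentials for REST request [/]"},"status":401}')


def classify_response(status, body):
    """Turn one HTTP reply to GET / into (label, detail); label is one of
    "exposed", "auth-required" or "not-elasticsearch"."""
    try:
        data = json.loads(body or "{}")
    except json.JSONDecodeError:
        data = {}
    data = data if isinstance(data, dict) else {}
    if status == 200 and data.get("tagline") == ES_TAGLINE:
        version = (data.get("version") or {}).get("number", "unknown")
        return "exposed", f"anonymous read access, Elasticsearch {version}"
    error = data.get("error")
    if status == 401 or (isinstance(error, dict) and error.get("type") == "security_exception"):
        return "auth-required", "cluster rejected the unauthenticated request"
    return "not-elasticsearch", f"HTTP {status} without an Elasticsearch banner"


def probe(url, timeout=5):
    """Send a single unauthenticated GET to `url` and classify the answer."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:  # 401/403/404 land here, body included
        return classify_response(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as exc:  # refused, filtered or unresolvable
        return "unreachable", str(exc)


if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. http://10.0.0.5:9200/ (placeholder: your own node)
        print(target, *probe(target))
```

Run it from a network that is not on the allowlist: "exposed" means the cluster accepts anonymous requests, which is exactly the condition behind this kind of leak, while "auth-required" or "unreachable" is what a properly restricted node should return.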

Broken access controls are among the most dangerous cybersecurity risks, leading to many breaches that could have been avoided. One of the most recent examples is the 165 Snowflake customers who did not have adequate protections in place and were breached when hackers managed to steal their credentials.

Cybernews contacted SonicWall for any additional comments and will update the article with a response.