State-Sponsored Hackers Target SonicWall: September Breach Investigation Revealed

SonicWall has confirmed that state-sponsored hackers were behind a security breach that occurred in September, which led to the unauthorized exposure of firewall configuration backup files. According to The Hacker News, the malicious activity was isolated to access of cloud backup files from a specific cloud environment via an API call.

SonicWall stated that this breach affected less than 5% of its customers who utilized the cloud backup service but clarified that the incident did not impact its products, firmware, or other systems. SonicWall engaged Mandiant, a Google-owned cybersecurity firm, to investigate the breach.

The investigation concluded that the breach was linked to nation-state threat actors and had no relation to ongoing attacks from the Akira ransomware group, which targeted SonicWall VPN accounts in late September.

The company emphasized the importance of strengthening defenses against such sophisticated cyber threats. As a precaution, SonicWall advised its customers to reset their MySonicWall account credentials, including passwords for various services like LDAP, RADIUS, and IPSec policies.

They also introduced tools to help customers identify and remediate affected services. Bleeping Computer reports that the breach allowed attackers to potentially extract sensitive information, such as access credentials and tokens, increasing the risk of future exploits against customers' firewalls.

SonicWall has committed to enhancing its security posture following these events, recognizing the growing trend of nation-state-backed cyber threats targeting security infrastructure providers. Customers are urged to take immediate action to secure their accounts and monitor for any suspicious activity, as the company continues to work on improving its security measures in light of these findings.