Following a breach that exposed cloud backup files, including encrypted firewall configuration files, SonicWall has advised users to reset their login credentials. Although no data was posted online, the breach resulted from brute-force attacks that targeted the encrypted configuration files. Impacted customers are advised to change their passwords, confirm their cloud backup configuration, and take containment steps, including disabling WAN-facing management services. To improve security, SonicWall also suggests importing new configuration files. SonicWall additionally recommends thorough log analysis and ongoing monitoring to find further irregularities. This breach coincides with persistent threats against unpatched SonicWall devices from threat groups such as Akira.
Technical Description
SonicWall recently found a flaw in its MySonicWall platform that allowed cybercriminals to access encrypted firewall configuration backup files by taking advantage of inadequate security controls. These files contain important network settings and credentials, which can make unauthorized access to customer networks easier.
Discovery & Scope:
SonicWall found that its MySonicWall cloud platform was being accessed without authorization after brute-force attacks on the firewall configuration backup files. The affected files belonged to fewer than 5% of SonicWall’s customers and included private network login information, encryption keys, and VPN setups. Suspicious activity targeting cloud backups led to the discovery of the breach, which prompted quick action to contain the attack.
Attribution & Operator Profile:
- Although the attackers’ identities are still unknown, the breach appears to have been caused by a collective brute-force effort that targeted the MySonicWall platform’s inadequate security controls.
- The attackers tried to crack passwords and obtain unauthorized access by using dictionary-based brute-force techniques and credential stuffing to take advantage of flaws in the cloud backup service.
- The attack implies that the threat actors were well-versed in the target system, particularly in the value of gaining access to private firewall configuration files in order to enable a more extensive network intrusion.
Initial Access & Reconnaissance:
Brute-force attacks against the cloud backup API service allowed attackers to obtain the exposed firewall configuration files. These attacks targeted the saved configuration files, which held important data about network access, firewall settings, VPN login credentials, and encryption keys. Such files can make it considerably easier for attackers to get around firewalls and access network infrastructure without authorization.
Exploitation & Toolset:
- The attackers used tools that could swiftly test a huge number of credential combinations against the public API in order to launch brute-force attacks on MySonicWall’s cloud backup service.
- The CVE-2024-40766 vulnerability in SonicWall’s SSLVPN service has been linked to similar attacks in the past, so it is likely that the same or related vulnerabilities were used to target affected devices, even though no specific CVE (Common Vulnerabilities and Exposures entry) was found to have been directly exploited during the breach.
- Attackers most likely overcame the encryption and obtained sensitive data, such as VPN login passwords and shared secrets kept in the backup files, by using password-cracking programs (such as Hashcat and John the Ripper).
- The tools and methods used in this attack are similar to those frequently used by threat groups that test authentication endpoints with brute-force and credential-stuffing tools, such as Hydra or Sentry MBA.
- The accessible backup files included sensitive data such as pre-shared keys, encrypted passwords, and TLS certificates. If these were decrypted, attackers might be able to take advantage of weak firewalls or other network infrastructure.
Collection & Exfiltration:
No exfiltration of the data has been reported so far, and there are no signs that the files were leaked publicly. However, attackers could potentially use the exposed configuration files to exploit vulnerabilities in the firewalls. The breached files were only accessible to those who managed to bypass the brute-force defenses on the backup API service.
Conclusion:
In response, SonicWall disabled the impacted backup service, advised users to update their shared secrets, API keys, and passwords, and conducted a comprehensive device assessment. Users were also advised to update their login information for other services (such as VPN peers and ISPs). This event emphasizes the risk of storing network configurations in the cloud, as well as how crucial strong passwords and secure backup services are. The hack also serves as a reminder of the continuous threat environment, especially with regard to credential-stuffing and brute-force attacks that target weak services.
Impact
The intrusion has a substantial impact because compromised firewall configuration files include confidential data such as VPN login credentials, encryption keys, and authentication tokens. This makes it easier for attackers to take advantage of weak firewalls and access company networks without authorization. Even though no data has been made public, the files offer a clear road map for attackers to get past security measures and breach internal networks. Up to 5% of SonicWall’s clients are impacted by the incident, which could jeopardize thousands of businesses. To reduce the chance of additional exploitation, passwords, keys, and credentials must be reset immediately on all impacted systems.
IOC and Context Details
| Topics | Details |
| --- | --- |
| Tactic Name | Credential Access, Initial Access, Execution |
| Technique Name | Credential Access: Credentials from Password Stores; Initial Access: Exploit Public-Facing Application; Execution: Command and Scripting Interpreter |
| Sub Technique Name | Credential Access: Credentials from Web Browsers; Initial Access: Exploitation of a Vulnerability |
| Attack Type | Brute Force Attack, Exploitation |
| Targeted Applications | SonicWall Firewalls, MySonicWall Portal |
| Region Impacted | Global |
| Industry Impacted | IT, Telecom, Government, Finance |
| IOCs | Domains: mysonicwall[.]com, sonicwall[.]com |
| CVE | CVE-2024-40766 (SonicWall VPN vulnerability); CVE-2024-40765 (SonicWall SSLVPN vulnerability); CVE-2021-20016 (SonicWall Firewall vulnerability) |
Recommended Actions
- Reset all credentials on all impacted devices and external services right away, including passwords, shared secrets, encryption keys, and API keys.
- Until remediation is finished, disable or restrict access to the IPsec VPN, SSLVPN, and Web/SSH management over WAN services.
- When importing new configuration files from SonicWall, make sure that the new keys and passwords are randomized.
- Review all MySonicWall accounts thoroughly, confirm that cloud backups are enabled, and check for any affected serial numbers.
- Review and rotate the credentials used by external services such as LDAP/RADIUS servers, ISPs, and dynamic DNS providers.
- Monitor network logs and configurations for unusual activity, including repeated unsuccessful login attempts or unauthorized changes.
- Require multi-factor authentication (MFA) for all administrative access, using biometrics or physical security keys where appropriate.
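The monitoring step above, as an added example that is not part of the original advisory: a small Python detector run over constructed sample log lines. The key=value line format, the addresses and the user names are assumptions for the example (not SonicWall's actual syslog schema); it flags sources with a burst of failed logins inside a time window, a login success that follows such a burst, and configuration changes made from an already-flagged source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value syslog style (an assumption, not SonicWall's real schema).
SAMPLE_LOGS = """\
time="2025-09-18 10:00:01" src=203.0.113.7 user=admin msg="login failed"
time="2025-09-18 10:00:03" src=203.0.113.7 user=admin msg="login failed"
time="2025-09-18 10:00:04" src=203.0.113.7 user=backup msg="login failed"
time="2025-09-18 10:00:06" src=203.0.113.7 user=admin msg="login failed"
time="2025-09-18 10:00:07" src=203.0.113.7 user=admin msg="login failed"
time="2025-09-18 10:00:09" src=203.0.113.7 user=admin msg="login succeeded"
time="2025-09-18 10:00:15" src=203.0.113.7 user=admin msg="configuration changed"
time="2025-09-18 10:05:00" src=198.51.100.4 user=alice msg="login failed"
time="2025-09-18 10:30:00" src=198.51.100.4 user=alice msg="login succeeded"
time="2025-09-18 10:31:00" src=198.51.100.4 user=alice msg="configuration changed"
"""

LINE_RE = re.compile(r'time="([^"]+)" src=(\S+) user=(\S+) msg="([^"]+)"')

def parse(text):
    """Turn raw lines into (timestamp, src, user, msg) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map each source that reaches `threshold` failed logins inside `window`
    to its peak failure count and whether a login later succeeded from it."""
    findings = {}
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    for ts, src, _user, msg in sorted(events):
        if msg == "login failed":
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(recent[src]))
        elif msg == "login succeeded" and src in findings:
            findings[src]["success_after"] = True  # burst then success: a credential was likely guessed
    return findings

def flag_config_changes(events, findings):
    """Configuration changes made from a source already flagged by find_bruteforce."""
    return [(src, user) for _ts, src, user, msg in sorted(events)
            if msg == "configuration changed" and src in findings]
```

The single failure from 198.51.100.4 stays below the threshold, so only the burst from 203.0.113.7 and its subsequent configuration change are reported.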
References
https://tech-wire.in/technology/cyber-security/sonicwall-urges-password-resets-after-cloud-backup-breach-affecting-under-5-of-customers/