SonicWall has confirmed that all customers who used the company's cloud backup service are affected by the security breach last month. Previously, the vendor stated that the incident "exposed firewall configuration backup files stored in certain MySonicWall accounts," without sharing additional details.

MySonicWall is an online customer portal used for managing product access, licensing, registration, firmware updates, support cases, and cloud backups of firewall configurations (.EXP files).

On September 17, the company warned customers to reset their MySonicWall account credentials to protect their firewall configuration backup files, which could potentially be accessed by unauthorized actors who had breached its systems.

To help administrators navigate the risk stemming from the breach, the company provided the essential steps of the reset procedure, which should cover all credentials, API keys, and users' authentication tokens, VPN accounts, and services. The company provides a checklist "to ensure all relevant passwords, keys, and secrets are updated consistently."

Critical actions refer to the following procedures:

- resetting and updating passwords of all local users
- resetting temporary access codes (TOTP) for local users
- updating passwords on LDAP, RADIUS, or TACACS+ servers
- updating the shared secret in all IPSec site-to-site and GroupVPN policies
- updating the passwords used for any L2TP/PPPoE/PPTP WAN interfaces
- resetting the Cloud Secure Edge (CSE) API key

The list also includes less critical actions, which refer to updating AWS keys for logging and VPN integration, resetting SNMPv3 user credentials, and updating passwords for WWAN connections.

"Access to the exposed firewall configuration files contain information that could make exploitation of firewalls significantly easier for threat actors," warned SonicWall at the time, also publishing detailed remediation guidance.

At the time, SonicWall specified that roughly 5% of its firewall customers use its cloud backup service. In an update published yesterday, the vendor said that the incident impacts all customers who used its cloud backup portal to store firewall configuration files.

"SonicWall has completed its investigation, conducted in collaboration with leading IR Firm, Mandiant, into the scope of a recent cloud backup security incident," reads the updated bulletin. "The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service."

The exposed files contain AES-256-encrypted credentials and configuration data.

Users can now check if their devices are among the impacted ones by logging into MySonicWall and going to 'Product Management → Issue List.' If any action items are pending review there, users should follow the Essential Credential Reset steps, prioritizing active, internet-facing firewalls.

Although SonicWall has stated that the investigation is now complete, it would be prudent for system administrators to continue monitoring MySonicWall alerts periodically for updated lists of affected devices.

Update [10:28]: Article updated with a list of critical remediation steps from SonicWall.