MySonicWall cloud backup file incident

The NCSC would like to draw your attention to a security incident affecting Sonicwall’s cloud backup service. An unauthorised party accessed firewall configuration backup files for all Sonicwall customers who use the cloud backup service.

The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks. We are working to notify all impacted partners and customers and have released tools to assist with device assessment and remediation.

The vendor is working to notify all impacted partners and customers and has released tools to assist with device assessment and remediation.

What's happening

Systems affected

Updated and comprehensive final lists of impacted devices are now available in the MySonicWall portal
(Navigate to the Product Management > Issue List).

To help prioritise remediation efforts, the lists include a field that identifies each device as either
“Active - High Priority” (devices with internet-facing services enabled);
“Active – Lower Priority" (devices without internet-facing services); or
“Inactive” (devices that have not pinged home for 90 days).

What to look for

How to tell if you're at risk

We urge all SonicWall partners and customers to log in and check for their devices. SonicWall has implemented additional security hardening measures and is working closely with Mandiant to further enhance its cloud infrastructure and monitoring systems.

What to do

Mitigation

The NCSC encourages organisations that use Sonicwall cloud backups to immediately review the vendor advisory External Link and apply remediation as soon as possible.

More information

If you require more information or further support, submit a report on our website.