Question: Is this a zero-day with SonicWall? Is this related to the Huntress blog about SonicWall?
The current SonicWall guidance does not link these two events
Question: We had a SonicWall-based intrusion/ransomware event recently. Are these linked?
The current SonicWall guidance does not link these two events
Question: Can Huntress tell if my SonicWall device was compromised?
Huntress is expert at detecting malicious activity once it is inside your network. Unfortunately the Huntress products do not have insight into the SonicWall cloud backup service or your device configuration, as the Huntress platform does not ingest this information.
- While we cannot see the initial misuse of the configuration file itself, we are well positioned to detect the next steps of an attack that uses it to gain further access to your network.
According to SonicWall documentation, log into MySonicWall.com and check for an alert banner on your serial number, which will indicate whether your device has been affected.
Where an intrusion does originate from your SonicWall device, we advise the steps in the next question.
Question: What does Huntress advise I do? How do I remediate / patch from this SonicWall
From a Huntress platform perspective:
- We advise that all devices in the network are instrumented with the Huntress agent.
- We also advise that the Huntress SIEM is leveraged, specifically to ingest your SonicWall devices' logs.
  - Particularly the SonicWall SSL VPN logs, through which we often identify adversaries.
Beyond the Huntress platform, please have a look at SonicWall's Essential Credential Reset documentation, which includes:
- Immediately restrict WAN management and remote access where possible. Disable or limit HTTP, HTTPS, SSH, SSL VPN and inbound management until credentials are reset.
- Reset all secrets and keys on affected devices now. This includes local admin accounts, VPN pre-shared keys, LDAP/RADIUS/TACACS+ bind credentials, wireless PSKs, and SNMP credentials.
- Revoke and roll any external API keys, dynamic DNS, SMTP/FTP credentials, and any automation secrets that touch the firewall or management systems.
- Increase logging and review recent logins and configuration changes for suspicious activity. Keep forensic logs retained while you investigate.
- Huntress Managed SIEM can help with this because it can provide our threat hunters with visibility into SonicWall data.
- After resets, reintroduce services one at a time, and monitor for reappearance of unauthorised access.
- Enforce MFA for all admin and remote accounts and apply least privilege to management roles.
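As an added illustration of the log review the steps above ask for (recent logins and configuration changes, and the SSL VPN logins mentioned under the Huntress platform advice), the script below parses key=value style firewall syslog and applies a few simple hunts. This is example code written for this page, not Huntress or SonicWall code. The sample log lines, the field names (time, msg, usr, src) and the message texts matched are constructed to resemble that style and are assumptions; adapt the match strings and interface names to what your own SonicWall logs actually contain.

```python
"""Review firewall syslog for suspicious logins and configuration changes.

Added example for this FAQ; not Huntress or SonicWall code.  The log format,
field names and message texts below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on key=value firewall logging.  IPs, users,
# message texts and the "ip:port:interface" src layout are made up.  X1 is
# assumed to be the WAN interface, X0 the LAN.
SAMPLE_LOGS = """\
time="2025-09-17 03:12:41 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN user login successful" usr="jsmith" src=198.51.100.23:51120:X1
time="2025-09-17 03:13:02 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN user login successful" usr="jsmith" src=192.0.2.77:40210:X1
time="2025-09-17 03:15:30 UTC" fw=203.0.113.10 pri=6 msg="Administrator login allowed" usr="admin" src=192.0.2.77:40222:X1
time="2025-09-17 03:16:01 UTC" fw=203.0.113.10 pri=5 msg="Configuration changed by administrator" usr="admin" src=192.0.2.77:40222:X1
time="2025-09-17 09:05:12 UTC" fw=203.0.113.10 pri=6 msg="Administrator login allowed" usr="admin" src=10.0.0.5:52000:X0
"""

# key=value pairs; values may be double-quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict with quotes stripped."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def parse_time(value):
    """Parse the assumed 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def src_ip_and_iface(src):
    """Split the assumed 'ip:port:interface' source field."""
    parts = src.split(":")
    return parts[0], (parts[2] if len(parts) > 2 else "")


def review(log_text, wan_ifaces=("X1",), business_hours=(7, 19),
           window=timedelta(minutes=15)):
    """Return a list of (rule, user, source, time) findings.

    Rules, all tunable via the parameters:
      admin_login_from_wan              admin login arriving on a WAN interface
      config_change_after_wan_admin_login  config change within `window` of such a login
      vpn_login_off_hours               SSL VPN login outside business_hours (UTC)
      vpn_same_user_two_sources         same VPN user from two IPs within `window`
    """
    findings = []
    vpn_seen = defaultdict(list)   # user -> [(time, ip)]
    wan_admin = {}                 # (user, ip) -> time of WAN admin login
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        t = parse_time(e["time"])
        ip, iface = src_ip_and_iface(e.get("src", ""))
        msg, usr = e.get("msg", ""), e.get("usr", "")

        if "Administrator login" in msg and iface in wan_ifaces:
            findings.append(("admin_login_from_wan", usr, ip, e["time"]))
            wan_admin[(usr, ip)] = t

        if "Configuration changed" in msg:
            started = wan_admin.get((usr, ip))
            if started is not None and t - started <= window:
                findings.append(("config_change_after_wan_admin_login", usr, ip, e["time"]))

        if "SSL VPN" in msg and "login" in msg:
            if not (business_hours[0] <= t.hour < business_hours[1]):
                findings.append(("vpn_login_off_hours", usr, ip, e["time"]))
            for prev_t, prev_ip in vpn_seen[usr]:
                if prev_ip != ip and t - prev_t <= window:
                    findings.append(("vpn_same_user_two_sources", usr,
                                     f"{prev_ip},{ip}", e["time"]))
            vpn_seen[usr].append((t, ip))
    return findings


if __name__ == "__main__":
    for rule, usr, src, when in review(SAMPLE_LOGS):
        print(f"{when}  {rule:36s} user={usr} src={src}")
```

The LAN-side admin login at 09:05 produces no finding, while the early-morning VPN logins for one user from two addresses, followed by a WAN admin login and a configuration change from the second address, produce one finding each; that sequence is what a stolen-credential intrusion through a firewall typically looks like in the logs. Tune business_hours and wan_ifaces to your environment before relying on the results.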
SonicWall's official remediation guidance includes:
- Immediately determine whether your device was affected and remediate it.
- Their process involves:
  - Logging into MySonicWall.com to check for an alert banner on your serial number.
  - Importing a new preferences file provided by SonicWall, which will reset passwords and VPN keys, or manually following their detailed playbook to rotate every potentially exposed credential.
You must follow their guidance directly, as this is a device-management task outside of Huntress's scope.
Question: I have a very specific question about SonicWall, the intrusion, and how I am affected?
We strongly advise that questions like these are redirected to SonicWall and their support. Unfortunately Huntress Support does not have insight into SonicWall devices and configurations.
SonicWall's main advisory and links to their remediation guides can be found on their Knowledge Base. We advise you to check there for the most up-to-date information:
Question: We've never used the cloud backup feature. Are we still at risk?
Based on SonicWall's statements, the incident was specific to configuration files stored in their cloud backup service. If you have never enabled or used the "Cloud Backup" feature for your device, your configuration file should not have been in the cloud storage and thus is not considered at risk from this specific exposure.
Question: We are worried and want to migrate from SonicWall. What does Huntress advise as a better alternative?
As your security partner, Huntress' primary focus is on your overall security posture rather than specific vendor recommendations. We advise a methodical, risk-based approach that considers business needs, network architecture, and the future administration of any replacement, before moving away from your current solution.
However, SonicWall devices can be further hardened; see the earlier question, "What does Huntress advise I do? How do I remediate / patch from this SonicWall".