SonicWall has issued a strong advisory urging its customers to reset their credentials after detecting a security incident involving its cloud backup service. The breach exposed firewall configuration backup files linked to MySonicWall accounts, though the company emphasized that less than 5 percent of customers were impacted.
Suspicious Activity Detected in Cloud Backups
According to SonicWall, unknown attackers gained access to firewall preference files stored in the cloud. Although the credentials inside these files are encrypted, the files also contain configuration details that could make it easier for a threat actor to attack the associated firewalls.
The company said it has no evidence that the files have been leaked online and confirmed that this was not a ransomware event. Instead, the files were accessed through a series of brute-force attacks against the cloud backup storage, apparently to harvest configuration data for later misuse.
Steps Recommended for Customers
To reduce potential risks, SonicWall has urged customers to take the following actions immediately:
- Log in to MySonicWall.com and check if cloud backups are enabled.
- Verify serial numbers to see if any have been flagged.
- Apply containment and remediation, which includes:
  - Limiting access to services from the WAN.
  - Disabling HTTP/HTTPS/SSH management access.
  - Turning off SSL VPN and IPsec VPN access.
  - Resetting passwords and Time-based One-Time Passwords (TOTPs) stored on the firewall.
  - Reviewing logs and recent configuration changes for suspicious activity.
Additionally, SonicWall recommends importing updated firewall preference files. These updated files include:
- Randomized passwords for all local users.
- Reset of TOTP bindings, if enabled.
- Randomized IPSec VPN keys.
SonicWall noted that these files were generated from the latest backups in cloud storage. Customers are warned not to apply them if the files do not match their desired firewall settings.
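The rotation described in the steps above (new local-user passwords, fresh TOTP bindings, new IPsec keys) is the part customers must get right even when they decline SonicWall's pre-generated preference file. The following is an added example, not SonicWall's code and not the format of its preference files: it builds a credential-rotation plan with cryptographically random secrets and checks that nothing from the old (possibly exposed) configuration is reused. The user names and tunnel names are constructed for illustration.

```python
import base64
import math
import secrets
import string

# Constructed inventory standing in for what the advisory says gets rotated:
# local users (passwords, TOTP bindings) and IPsec tunnels (pre-shared keys).
# These names are hypothetical, not from any real firewall.
LOCAL_USERS = ["admin", "vpn-user1", "backup-operator"]
IPSEC_TUNNELS = ["site-to-site-hq", "site-to-site-branch"]

SPECIALS = "!@#$%^&*()-_=+"
PASSWORD_ALPHABET = string.ascii_letters + string.digits + SPECIALS


def random_password(length=24):
    """CSPRNG password that contains at least one character of each class."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def password_entropy_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """Worst-case guessing entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def random_ipsec_psk(nbytes=32):
    """256-bit pre-shared key, hex-encoded so it is safe in any config syntax."""
    return secrets.token_hex(nbytes)


def random_totp_secret(nbytes=20):
    """Fresh 160-bit TOTP seed, base32-encoded as RFC 6238 authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def build_rotation_plan(users, tunnels, totp_enabled=True):
    """One new secret per user/tunnel; every value is generated, never derived."""
    plan = {"users": {}, "ipsec": {}}
    for user in users:
        entry = {"password": random_password()}
        if totp_enabled:
            entry["totp_secret"] = random_totp_secret()
        plan["users"][user] = entry
    for tunnel in tunnels:
        plan["ipsec"][tunnel] = random_ipsec_psk()
    return plan


def plan_is_sane(plan, old_secrets):
    """Reject a plan that reuses any secret from the exposed config or repeats a value."""
    new_values = [e["password"] for e in plan["users"].values()]
    new_values += [e["totp_secret"] for e in plan["users"].values() if "totp_secret" in e]
    new_values += list(plan["ipsec"].values())
    if len(set(new_values)) != len(new_values):
        return False
    return not any(value in old_secrets for value in new_values)


if __name__ == "__main__":
    rotation = build_rotation_plan(LOCAL_USERS, IPSEC_TUNNELS)
    # old_secrets would come from the previous (exposed) configuration; constructed here
    print("plan ok:", plan_is_sane(rotation, {"Password123!"}))
    print("password entropy (bits):", round(password_entropy_bits(24), 1))
```

The plan is meant to be applied through the firewall's own management interface after the WAN-facing services have been disabled, and the generated TOTP seeds must be re-enrolled on each user's authenticator; anything still matching the old configuration should be treated as compromised.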
Ongoing Threats Targeting SonicWall Devices
This disclosure comes amid continued cyberattacks targeting SonicWall vulnerabilities. Recently, ransomware operators affiliated with the Akira group exploited a year-old SonicWall flaw (CVE-2024-40766, CVSS 9.3) to gain unauthorized access to corporate networks.
Cybersecurity firm Huntress also reported an incident in which Akira actors exploited exposed SonicWall VPNs. The attackers found recovery codes for the Huntress security platform stored in plaintext and used them to bypass multi-factor authentication (MFA), conceal their activity, and disable endpoint protections.
According to Huntress researchers Michael Elford and Chad Hudson, recovery codes must be treated with the same sensitivity as privileged account passwords. Failure to do so could allow adversaries to manipulate defenses, disable monitoring tools, and launch further destructive attacks.
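The practical consequence of treating recovery codes like privileged passwords is that they should never sit on disk in plaintext: the system that issues them keeps only salted hashes and burns each code on first use. The block below is an added example of that pattern, written for this page; it is not Huntress's or SonicWall's implementation, and the code format and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I so codes can be read back from paper reliably (assumption).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_recovery_code(groups=2, group_len=5):
    """Two groups of five from a 32-symbol alphabet: 50 bits of entropy per code."""
    return "-".join(
        "".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def _normalize(code):
    """Accept user input with or without separators and in any case."""
    return code.replace("-", "").replace(" ", "").upper()


def hash_code(code, salt=None, iterations=100_000):
    """Per-code random salt + PBKDF2-HMAC-SHA256; only this pair is stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, iterations)
    return salt, digest


def issue_codes(n=8):
    """Return (plaintext codes to show the user exactly once, records to persist)."""
    codes = [generate_recovery_code() for _ in range(n)]
    store = []
    for code in codes:
        salt, digest = hash_code(code)
        store.append({"salt": salt, "hash": digest, "used": False})
    return codes, store


def redeem_code(store, candidate):
    """Compare against every unused record in constant time; mark it used on success."""
    for record in store:
        if record["used"]:
            continue
        _, digest = hash_code(candidate, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            record["used"] = True
            return True
    return False


if __name__ == "__main__":
    shown_once, persisted = issue_codes(4)
    print("codes to hand to the user:", shown_once)
    print("first use ok:", redeem_code(persisted, shown_once[0]))
    print("replay rejected:", not redeem_code(persisted, shown_once[0]))
```

Because the stored records contain only salts and digests, an attacker who reads the store, as the Akira actors read the plaintext codes in the Huntress case, gets nothing they can type into an MFA prompt; the one-time flag additionally limits the blast radius of a code that leaks in transit.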