SonicWall Cloud Backup Service Breach: What You Need to Know

▼ Summary
– SonicWall disclosed a security incident affecting its cloud backup service, with threat actors accessing preference files for about 5% of its firewall install base.
– The compromised files contain encrypted credentials but include serial numbers and other data that could enable future firewall exploitation by attackers.
– The incident resulted from brute force attacks, not ransomware, and there is no evidence yet that the files have been leaked online.
– Impacted customers must check their serial numbers via MySonicWall.com and follow immediate containment and remediation steps, including disabling WAN access and updating passwords and keys.
– This event follows recent attacks targeting SonicWall products, including exploitation of a critical vulnerability in SonicOS management and SSLVPN services.
Cybersecurity firm SonicWall has confirmed a security breach of its cloud backup service for firewalls, affecting a portion of its customer base. An internal investigation revealed that unauthorized individuals gained access to firewall preference files stored in the cloud, impacting approximately 5% of SonicWall’s firewall installations. Although the login credentials within these files remain encrypted, the exposed data includes sensitive details such as the firewall’s serial number, which could be leveraged in future attacks.
SonicWall clarified that this incident did not involve ransomware or data extortion. Instead, it stemmed from a series of brute force attacks targeting cloud backup files. As of the latest advisory, there is no evidence that the compromised files have been publicly leaked. The company continues to monitor the situation closely.
All SonicWall firewall customers are advised to log into their MySonicWall.com accounts to determine whether cloud backups are enabled for their devices. Those with backups active should verify if their firewall serial numbers are among those compromised. Affected users must follow containment and remediation guidelines immediately to mitigate risks. Customers not currently impacted should regularly check SonicWall’s incident page for updates.
Due to the sensitive nature of the exposed configuration files, prompt action is critical. Impacted organizations should begin by disabling or restricting WAN access to vulnerable services before proceeding with remediation. SonicWall has provided a structured checklist to assist users in systematically updating all relevant passwords, encryption keys, and shared secrets. It is essential to synchronize these changes across all integrated systems, including ISPs, VPN peers, and authentication servers, to prevent service disruptions.
Additionally, users should review firewall logs for unusual activity or unauthorized configuration changes. Impacted customers will receive a new preferences file to import, which will reset local user passwords, randomize IPSec VPN keys, and reconfigure time-based one-time password (TOTP) bindings if applicable.
This incident is the latest in a series of security challenges faced by SonicWall. Recent advisories have highlighted active exploitation of critical vulnerabilities in SonicOS management and SSL-VPN services, with researchers noting pre-ransomware activity targeting these systems. Organizations are urged to remain vigilant and apply all recommended patches and security measures.
(Source: InfoSecurity)