Crims bust through SonicWall to grab sensitive config data • The Register

SonicWall is telling some customers to reset passwords after attackers broke into its cloud backup service and accessed firewall configuration data.

The network security vendor confirmed the breach in an updated knowledge base article and in a statement to The Register, saying that it recently detected suspicious activity targeting its cloud backup service for firewalls, which it “confirmed as a security incident in the past few days.”

Michael Crean, senior vice president of managed security services at SonicWall, told us that “fewer than 5 percent” of its firewall installed base had preference files accessed, though he declined to give an exact number of customers affected.

“While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall. We are not presently aware of these files being leaked online by threat actors,” Crean said, stressing that the incident was “not ransomware or similar event” but the result of “a series of brute-force attacks aimed at gaining access to the preference files stored in backup.”

As soon as the intrusion was confirmed, SonicWall said it immediately disabled the cloud backup feature, rotated internal keys, and implemented what it describes as “infrastructure and process changes” to prevent a repeat, Crean told The Register. The company also engaged a “leading third-party IR and consulting firm” to validate its findings and help review affected environments.

Customers using the backup service are instructed to log into MySonicWall, verify their registered device serial numbers, and follow the mitigation guidance provided in the KB article. This includes regenerating keys, changing admin passwords, and re-importing secure configurations. SonicWall support teams have been mobilized to walk impacted customers through the process.

SonicWall says its investigation is ongoing and promised “full transparency,” with KB updates landing before any broader public announcements. At the time of writing, the company said it had not seen evidence that the stolen files had been published or weaponized.

The breach piles fresh pressure on firewall vendors after a summer of bad news. Earlier this month, researchers warned that the Akira ransomware crew has been abusing SonicWall gear in post-compromise attacks, exploiting stolen credentials to move laterally across victims’ networks. And just last week, researchers disclosed that at least one SonicWall customer had been storing recovery codes in plaintext, leaving a backdoor open for crooks to regain access even after passwords were changed.

With firewalls increasingly a target for attackers, SonicWall is urging administrators to review their environments and apply the published guidance “as soon as possible.” ®