News: 1758212110


Crims bust through SonicWall to grab sensitive config data

(2025/09/18)


SonicWall is telling some customers to reset passwords after attackers broke into its cloud backup service and accessed firewall configuration data.

The network security vendor confirmed the breach in [1]an updated knowledge base article and in a statement to The Register, saying that it recently detected suspicious activity targeting its cloud backup service for firewalls, which it "confirmed as a security incident in the past few days."

Michael Crean, senior vice president of managed security services at SonicWall, told us that "fewer than 5 percent" of its firewall installed base had preference files accessed, though he declined to give an exact number of customers affected.


"While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall. We are not presently aware of these files being leaked online by threat actors," Crean said, stressing that the incident was "not ransomware or similar event" but the result of "a series of brute-force attacks aimed at gaining access to the preference files stored in backup."
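The incident is described above as a series of brute-force attempts against the backup service rather than an exploit. The following is an added example, not SonicWall's code or anything from the KB article, of the detection logic a defender would run over access logs for such a service: it flags a source address that racks up many failures in a short window, and, the stronger signal, a success from a source that had just been failing repeatedly. The log format, the field names, the IP addresses and the account identifiers are all constructed for the example.

```python
"""Brute-force detection over constructed access logs for a config-backup
service. Added example; the log format below is assumed, not a vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <src_ip> <account> <outcome> <action>
SAMPLE_LOG = """\
2025-09-14T02:00:01Z 198.51.100.7 acct-1001 FAIL backup.download
2025-09-14T02:00:03Z 198.51.100.7 acct-1002 FAIL backup.download
2025-09-14T02:00:04Z 198.51.100.7 acct-1003 FAIL backup.download
2025-09-14T02:00:06Z 198.51.100.7 acct-1004 FAIL backup.download
2025-09-14T02:00:07Z 198.51.100.7 acct-1005 FAIL backup.download
2025-09-14T02:00:09Z 198.51.100.7 acct-1006 OK   backup.download
2025-09-14T02:10:00Z 203.0.113.9  acct-2001 FAIL backup.download
2025-09-14T02:25:00Z 203.0.113.9  acct-2001 OK   backup.download
2025-09-14T03:00:00Z 192.0.2.44   acct-3001 OK   backup.download
"""

FAIL_THRESHOLD = 5     # this many failures from one source ...
WINDOW_MINUTES = 5     # ... inside this sliding window => burst alert


def parse_line(line):
    """Split one log line into a dict; split() tolerates column padding."""
    ts, ip, account, outcome, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "account": account,
        "ok": outcome == "OK",
        "action": action,
    }


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Return a list of alert dicts, in log order, one per suspicious event.

    Two alert types:
      burst                  - a source reached `threshold` failures inside the window
      success_after_failures - a source succeeded while it still had in-window failures
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    flagged = set()             # sources already reported for a burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip = ev["ip"]
        # Drop failures that have aged out of the sliding window.
        fails[ip] = [t for t in fails[ip] if ev["ts"] - t <= window]
        if not ev["ok"]:
            fails[ip].append(ev["ts"])
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "burst", "ip": ip, "count": len(fails[ip])})
        else:
            # A success right after in-window failures is the signature of
            # guessing that eventually worked; evaluate before resetting state.
            if fails[ip]:
                alerts.append({
                    "type": "success_after_failures",
                    "ip": ip,
                    "account": ev["account"],
                    "prior_failures": len(fails[ip]),
                })
            fails[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, the first source trips the burst rule on its fifth failure and then produces a success_after_failures alert for the account that finally worked; the second source's single failure is already outside the five-minute window when its later success arrives, so it is not reported. Widening the window or lowering the threshold (both are parameters) makes that second source visible too, which is the usual tuning trade-off between catching slow guessing and generating noise on ordinary typos.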


As soon as the intrusion was confirmed, SonicWall said it immediately disabled the cloud backup feature, rotated internal keys, and implemented what it describes as "infrastructure and process changes" to prevent a repeat, Crean told The Register. The company also engaged a "leading third-party IR and consulting firm" to validate its findings and help review affected environments.

Customers using the backup service are instructed to log into MySonicWall, verify their registered device serial numbers, and follow the mitigation guidance provided in the KB article. This includes regenerating keys, changing admin passwords, and re-importing secure configurations. SonicWall support teams have been mobilized to walk impacted customers through the process.

[5]Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks

[6]Crims hijacking fully patched SonicWall VPNs to deploy stealthy backdoor and rootkit

[7]Careless engineer stored recovery codes in plaintext, got whole org pwned

[8]Beware of fake SonicWall VPN app that steals users' credentials

SonicWall says its investigation is ongoing and promised "full transparency," with KB updates landing before any broader public announcements. At the time of writing, the company said it had not seen evidence that the stolen files had been published or weaponized.

The breach piles fresh pressure on firewall vendors after a summer of bad news. Earlier this month, researchers warned that the [9]Akira ransomware crew has been abusing SonicWall gear in post-compromise attacks, exploiting stolen credentials to move laterally across victims' networks. And just last week, researchers disclosed that [10]at least one SonicWall customer had been storing recovery codes in plaintext, leaving a backdoor open for crooks to regain access even after passwords were changed.


With firewalls increasingly a target for attackers, SonicWall is urging administrators to review their environments and apply the published guidance "as soon as possible." ®




[1] https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330


[5] https://www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/

[6] https://www.theregister.com/2025/07/16/sonicwall_vpn_hijack/

[7] https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/

[8] https://www.theregister.com/2025/06/24/unknown_crims_using_hacked_sonicwall/

[9] https://www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/

[10] https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/?td=keepreading





Homo.Sapien.Floridanus

First Little Pig: My business, Straw, Inc. is moving all its data to the cloud.

Second Little Pig: The organization I am working for, Sticks Data, has a cloud first strategy.

Third Little Pig: Come by Bricks and Mortar Private Cloud, Inc. when you want to repatriate.

Here we go again

VoiceOfTruth

A company supposedly or actually in the business of selling computer security products can't keep itself secure.

>> We are not presently aware of these files being leaked online by threat actors

Er yeah. Cos maybe the crims are going through it to see how useful it is.

Maybe too paranoid

Nate Amsden

But I'd never trust a cloud managed network connected device (exception would be if that device is in the cloud as well). I do/have run SonicWalls since 2012 for site-to-site VPNs and layer 4 firewalls; they work fine for that. Never enabled cloud backup (wrote my own script to back them up), never enabled SSL VPN (SSL VPN on SonicWall firewalls was always crap IMO, though if your needs were SUPER basic I suppose it could work fine from a functionality standpoint - of course SonicWall has a dedicated SSL VPN product line if you want more features; I evaluated that once for about 30 mins many years ago but immediately ruled it out as, at least at the time, it could not fully integrate with Duo Security with inline enrollment etc.)

Duo has since gone to hell with their SAML requirements so it may very well work fine now (with SAML) - I personally spent more than 40 hours over the span of several weeks getting SAML with Duo working early this year (without ever using an email address as a form of identification, something they thought was impossible), and in one case had a support case open for 50 days for one of my SSL VPN products to get integration right as Duo's docs were fairly useless. But it's been flawless since, and my Lemonldap-ng SAML system is integrated with Ubuntu 24 and is a pretty simple system, so I don't expect much pain for the next few years; as long as I'm on Ubuntu 24 the version shouldn't change much.

"fewer than 5 percent"

Gene Cash

So is that just the percentage of people stupid enough to allow their firewalls to be backed up in the cloud?

Would there be anybody here that wouldn't instantly turn that off?

So they encrypted the login/password

DS999

But kept all the other configuration information plain text? Why would you ever trust a company that stupid with securing your network? That's "have a default password in firmware so our techs can get access if a customer needs support" levels of stupid.
