SonicWall breach hits every cloud backup customer after 5% claim goes up in smoke
- News link: https://www.theregister.co.uk/2025/10/09/sonicwall_breach_hits_every_cloud/
In an [1]updated statement published on Wednesday, the California-based network security vendor said its investigation had determined that "all customers" who utilized the MySonicWall cloud backup feature were affected, confirming that attackers had accessed configuration backup files stored on its systems. These backups typically include firewall settings, policies, and network configurations, making them a valuable target for anyone seeking to map internal infrastructure or pivot into connected environments.
When SonicWall first disclosed the breach on [2]17 September, it claimed the incident was limited to "less than 5 percent" of customers. At the time, the company said it had detected "suspicious activity" against the cloud backup environment used by its next-generation firewalls and promptly disabled the service "out of an abundance of caution."
That initial reassurance now appears premature. SonicWall's latest post-mortem, which follows an independent investigation and external forensics review, confirms that the attackers successfully accessed data belonging to every customer who had ever used the cloud backup service, regardless of when their backups were created.
The Register has asked SonicWall how many customers use its cloud backup service but has not received a response.
While SonicWall insists the intrusion did not affect other MySonicWall services or customer devices, it's urging administrators to treat the incident seriously. Customers have been told to delete any existing cloud backups, change their MySonicWall credentials, rotate shared secrets and passwords, and recreate new backup files locally rather than in the cloud.
The company says it has since "hardened" its infrastructure, applied additional logging, and introduced stronger authentication controls to prevent a repeat. But it has not shared specifics about how attackers gained initial access, beyond describing "unauthorized access to the cloud storage environment" that held encrypted and compressed backup archives.
According to [7]Arctic Wolf, which has been tracking the incident, the backups contain data that could aid follow-on attacks.
"Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," said Stefan Hostetler, a threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates. In the past, Arctic Wolf has observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use in future attacks."
SonicWall has not attributed the breach to any specific threat actor or nation-state, and it hasn't said whether data was copied, leaked, or destroyed. The company continues to maintain that there is "no evidence" of any compromise to production firewalls or other customer-hosted systems.
For SonicWall, this is not its first brush with online attackers. Earlier this year, the company said it was investigating a [12]spate of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs. While this latest compromise appears more contained, the reversal from "5 percent" to "100 percent" is unlikely to inspire confidence among customers who entrusted their firewall blueprints to the cloud. ®
[1] https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
[2] https://www.theregister.com/2025/09/18/sonicwall_breach/
[7] https://arcticwolf.com/resources/blog/sonicwall-concludes-investigation-incident-affecting-mysonicwall-configuration-backup-files/
[12] https://www.theregister.com/2025/08/04/sonicwall_investigates_cyber_incidents/
Silly Question
Exactly what my first thought was.
We've now got some devices reported as needing remediation. After the initial report (with the 5% claim) I even contacted SonicWall support to confirm that our devices weren't affected (no warnings were shown in the portal) and they assured me that no, none of our devices were affected so we didn't need to do anything.
Useless tossers! Giving assurances like that when they clearly hadn't finished investigating is really not a good look for a security company.
You simply weren't sufficiently paranoid. If a service provider where I have an account is hacked, the first thing I'm going to do is change my password, keys, etc, even if I have to change them again later. Only then will I decide whether to continue the relationship.
Mind blown!!!
Why on Earth would you dump your firewall details onto some random (and apparently vulnerable) server???
Some people are just asking for it
Re: Mind blown!!!
It's part of the SonicWall management portal. If they can't keep this secure then they really are fucking useless!
Backups - everything that you value - in The Cloud. What a great idea.
Doesn't really matter where your backups are stored if they are not protected somehow.
Strongly encrypted backups in the cloud should be as well protected as in your physical safe place.
If your cloud provider isn't using strong encryption & controls for your precious data then it's not protected.
This is why governments mandating back doors in cloud providers is a recipe for disaster for us all.
Just to be the pedant in the room, encrypting your backups will stop or slow reading the data but will not stop your encrypted backups being encrypted for ransomware. That's not what happened here but just in case someone assumes encryption is the magic charm that fixes all evils.
End PSA
Maybe a silly question but can't they just encrypt by default BEFORE sending security-critical information off to sit on a website somewhere? Have they now implemented such encryption? The files are then useless to anyone but the original owner regardless of whether SonicWall's own security and "encryption" is breached (not a great look for a security company anyway tbh...)
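The encrypt-before-upload scheme the last few comments argue about, written out as an added example in Go using only the standard library's AES-256-GCM. This is not SonicWall's code and nothing is known about the real MySonicWall backup format or key handling; the sample config, the label format and the key generation are assumptions made for the illustration. The key stays with the customer and is never uploaded, so a copy of the stored blob on its own reveals nothing; the label is bound as associated data so a blob for one device cannot be silently restored as another's; and, picking up the pedant's point above, a modified or corrupted blob is rejected rather than restored, although that only detects damage and does not prevent it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleConfig is a constructed stand-in for a firewall configuration export.
// The real backup format is not described on the page; these key/value lines
// only illustrate the kind of material such a file holds.
const sampleConfig = `hostname=fw-edge-01
admin_user=admin
ldap_bind_dn=CN=svc-fw,OU=Service,DC=corp,DC=example
ldap_bind_password=hunter2
dns_primary=10.0.0.53
`

// NewBackupKey returns a fresh 256-bit key. In a real deployment the key lives
// only with the customer (HSM, password manager, KMS) and is never uploaded
// alongside the backup; that is what makes the stored file useless to anyone
// who only has the cloud side.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label (assumed format: device serial plus timestamp) is bound as associated
// data, so a blob cannot be substituted for another device's or an older one
// unless the same label is presented at restore time.
func EncryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving one self-contained blob.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptBackup reverses EncryptBackup. Any change to the blob, a wrong key or a
// mismatched label makes the GCM tag check fail, so a tampered or mislabelled
// backup is rejected rather than restored.
func DecryptBackup(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	label := "serial=EXAMPLE-SERIAL;ts=2025-10-09T00:00:00Z" // assumed label format
	blob, err := EncryptBackup(key, []byte(sampleConfig), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploadable blob: %d bytes, no plaintext fields inside\n", len(blob))

	// Restore path: the correct key and label recover the configuration.
	if pt, err := DecryptBackup(key, blob, label); err == nil {
		fmt.Printf("restored %d bytes of config\n", len(pt))
	}

	// Simulated tampering on the storage side: flip one bit of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptBackup(key, tampered, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Two things the code deliberately leaves to the operator: the key must be stored somewhere the provider cannot reach, or the scheme collapses back to trusting the provider; and, as the pedant notes, authenticated encryption tells you a stored backup has been altered or destroyed but does not bring it back, so an offline copy is still needed.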