Full Report
The company confirmed to CyberScoop that an unidentified cybercriminal accessed SonicWall’s customer portal through a series of brute-force attacks. The post Attack on SonicWall’s cloud portal exposes customers’ firewall configurations appeared first on CyberScoop.
Analysis Summary
# Incident Report: SonicWall Cloud Portal Credential Breach
## Executive Summary
SonicWall confirmed a security incident where threat actors accessed its MySonicWall.com cloud portal via brute-force attacks, resulting in the exposure of backup configuration files for less than 5% of its firewall install base. Although the configuration files contained encrypted passwords, they provided attackers with detailed network architecture and firewall policies, creating a severe potential risk for subsequent exploitation of customer devices. SonicWall contained the incident, notified affected parties, and is enhancing system security.
## Incident Details
- Discovery Date: "In the past few days" (prior to September 17, 2025)
- Incident Date: Ongoing attacks validated in the period leading up to discovery.
- Affected Organization: SonicWall
- Sector: Cybersecurity / Security Vendor Infrastructure
- Geography: Global (affecting customers worldwide)
## Timeline of Events
### Initial Access
- Date/Time: Not specified, occurred via a "series of brute-force attacks."
- Vector: Brute-force attacks targeting user accounts on the MySonicWall.com portal.
- Details: Attackers guessed valid credentials through repeated login attempts and, once authenticated, gained access to customer backup file storage.
### Lateral Movement
- Not explicitly detailed, but the immediate impact was access to stored customer firewall preference files within the cloud portal environment.
### Data Exfiltration/Impact
- Configuration files (backup firewall preference files) for less than 5% of SonicWall's firewall install base were accessed by threat actors.
- Files contained encrypted passwords alongside detailed network architecture, rules, and policies, which could aid future targeted attacks against customer firewalls.
### Detection & Response
- Detection: SonicWall security teams began investigating "suspicious activity" and validated the attack recently.
- Response Actions: Disabled the backup feature for the affected components, bolstered security across infrastructure and processes, engaged an incident response consulting firm, and notified law enforcement and impacted customers.
## Attack Methodology
- Initial Access: Brute-force attack targeting customer accounts on the MySonicWall.com cloud platform.
- Persistence: Not detailed regarding persistence within the portal, but the stored configuration files represent long-term intelligence for the attackers.
- Privilege Escalation: Not detailed, likely achieved through successful brute-forcing of customer management accounts.
- Defense Evasion: Context suggests the brute-force attacks were not immediately blocked or detected by appropriate rate limiting/MFA mechanisms on the portal.
- Credential Access: Acquisition of login credentials via brute force, which then granted access to the configuration files (which contained **encrypted** passwords).
- Discovery: Attackers likely used information within the configuration files (network maps, rules) for reconnaissance on victim environments.
- Lateral Movement: Not detailed within the portal context, but the data gathered facilitates subsequent lateral movement within customer networks where the firewalls are deployed.
- Collection: Harvesting of firewall configuration/preference files stored in the cloud backup service.
- Exfiltration: Implied exfiltration of configuration files; no mention of direct data exfiltration from SonicWall's internal network.
- Impact: Potential downstream exploitation of customer firewalls due to reconnaissance data obtained.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Configuration files belonging to customers representing less than 5% of the firewall install base. Data included network topology, rules, policies, and encrypted passwords.
- Operational: Temporary disabling of the cloud backup feature for customer configurations.
- Reputational: Significant damage to customer trust, as the breach occurred in a vendor-controlled system, highlighting systemic security concerns.
## Indicators of Compromise
- **Network indicators**: None specified in the source.
- **File indicators**: Firewall preference/configuration backup files accessed.
- **Behavioral indicators**: Series of brute-force login attempts against MySonicWall.com accounts.
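The behavioral indicator above, expressed as detection logic over constructed portal authentication log lines. This is an added example, not code from the article or from SonicWall; the log format, the failure threshold, the time window, and the `DOWNLOAD` event are assumptions chosen to illustrate the burst-of-failures-then-success pattern and a subsequent backup retrieval from the same account.

```python
"""Detect brute-force logins against a cloud portal from auth log lines.
Added example with an assumed log format: ISO timestamp, source IP, account, result."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format; addresses are documentation ranges).
SAMPLE_LOG = """\
2025-09-15T02:00:01Z 198.51.100.7 admin@example.com FAIL
2025-09-15T02:00:03Z 198.51.100.7 admin@example.com FAIL
2025-09-15T02:00:05Z 198.51.100.7 admin@example.com FAIL
2025-09-15T02:00:07Z 198.51.100.7 admin@example.com FAIL
2025-09-15T02:00:09Z 198.51.100.7 admin@example.com FAIL
2025-09-15T02:00:12Z 198.51.100.7 admin@example.com SUCCESS
2025-09-15T02:00:12Z 198.51.100.7 admin@example.com DOWNLOAD firewall-backup
2025-09-15T09:15:00Z 203.0.113.5 ops@example.org FAIL
2025-09-15T09:15:40Z 203.0.113.5 ops@example.org SUCCESS
"""

FAIL_THRESHOLD = 5              # assumed: failures per account inside WINDOW
WINDOW = timedelta(minutes=10)  # assumed sliding window


def parse(line):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()[:4]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_bruteforce(log_text):
    """Return a list of (account, source_ip, alert_kind) tuples.

    'burst'               : FAIL_THRESHOLD failures for one account inside WINDOW
    'burst_then_success'  : a SUCCESS that follows such a burst (likely guessed credential)
    'backup_accessed'     : a DOWNLOAD by an account flagged as burst_then_success
    """
    recent_fails = defaultdict(list)   # account -> timestamps of failures still in WINDOW
    compromised = set()                # accounts whose success followed a burst
    alerts = []
    for line in log_text.splitlines():
        ts, ip, account, result = parse(line)
        recent = [t for t in recent_fails[account] if ts - t <= WINDOW]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:      # fire once, when the threshold is crossed
                alerts.append((account, ip, "burst"))
        elif result == "SUCCESS" and len(recent) >= FAIL_THRESHOLD:
            alerts.append((account, ip, "burst_then_success"))
            compromised.add(account)
        elif result == "DOWNLOAD" and account in compromised:
            alerts.append((account, ip, "backup_accessed"))
        recent_fails[account] = recent
    return alerts
```

A single failure followed by a success (the `ops@example.org` lines) produces no alert, so ordinary typos do not page an analyst.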
## Response Actions
- **Containment measures**: Disabled access to the compromised backup feature.
- **Eradication steps**: Engaged an incident response and consulting firm to assist with investigation and remediation.
- **Recovery actions**: Initiated infrastructural and process enhancements to bolster system security. Advised impacted customers to reset credentials, contain, remediate, and monitor logs.
## Lessons Learned
- Security vendors must adhere to the same, if not higher, security standards they require of their customers.
- Reliance on cloud-managed portals for storing sensitive configuration data introduces inherent risk that must be continually weighed against convenience.
- Resetting credentials does not fully mitigate long-term risk if detailed network architecture information has already been compromised.
## Recommendations
- Implement strong Multi-Factor Authentication (MFA) enforcement across all customer and administrative portals to mitigate brute-force attacks effectively.
- Review cloud storage security protocols for customer configuration data, ensuring strong encryption and granular access controls.
- Continue to invest heavily in hardening infrastructure environments to prevent repeated compromises, especially given SonicWall's history of vulnerabilities.