Full Report
SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said. It also noted that it's working to notify all
Analysis Summary
# Incident Report: SonicWall Cloud Backup File Access
## Executive Summary
Threat actors successfully gained unauthorized access to firewall configuration backup files stored in SonicWall's cloud backup service, impacting all customers utilizing this feature. The files contained sensitive information, including encrypted credentials and configuration data, which increases the risk of targeted attacks against affected firewalls. SonicWall is currently notifying customers and providing remediation guidance centered on credential resets and device reassessment.
## Incident Details
- Discovery Date: Not explicitly stated, but disclosure was made on Wednesday (implied October 9, 2025, based on article date).
- Incident Date: The start of the attacks is not explicitly stated; follow-up actions occurred shortly after earlier warnings about exposed backup files a couple of weeks prior (late September 2025).
- Affected Organization: SonicWall (impacting all customers using the cloud backup service).
- Sector: Cybersecurity/Network Security Vendor
- Geography: Global (as it affects all cloud backup users)
## Timeline of Events
### Initial Access
- Date/Time: The start of the attack is not explicitly disclosed.
- Vector: Brute-force attack against the cloud backup API service (MySonicWall).
- Details: Attackers exploited the API service to gain access to stored cloud backup files.
### Lateral Movement
- Details: No information provided on lateral movement within SonicWall's internal systems; the compromise focused on the cloud storage containing customer backup assets.
### Data Exfiltration/Impact
- Details: Threat actors accessed configuration files containing firewall rules, routing configurations, and encrypted credentials belonging to all users of the cloud backup feature.
### Detection & Response
- Detection: Detection timeline not provided; the follow-up response came after a previous incident review indicated exposure.
- Response actions taken: SonicWall is notifying partners and customers, releasing tools for device assessment, and urging users to log into MySonicWall to verify impacts and execute remediation guidelines.
## Attack Methodology
- Initial Access: Brute-force attack against the cloud backup API service.
- Persistence: Not applicable to the vendor infrastructure in this context, but the stolen data poses a long-term risk to customer environments.
- Privilege Escalation: Not detailed, but necessary to bypass API access controls.
- Defense Evasion: Attackers took a direct path to the backup repository.
- Credential Access: Collected encrypted credentials stored within the backup files.
- Discovery: Configuration data (rules, routing) was gathered directly from the compromised files themselves.
- Lateral Movement: Not applicable; the activity focused on collecting backup data.
- Collection: Firewall configuration files, encrypted credentials, and routing configurations.
- Exfiltration: Data was accessed and likely exfiltrated from the cloud storage repository.
- Impact: Increased risk of targeted attacks against customer firewalls due to possession of configuration data and encrypted credentials.
## Impact Assessment
- Financial: Not estimated; potential costs include remediation and downstream breaches at impacted customers.
- Data Breach: Firewall configuration data, encrypted credentials, and routing configurations for all customers using the cloud backup service. The number of impacted customers is unknown.
- Operational: Minimal direct operational disruption to SonicWall, but significant post-incident investigation and remediation burden on customers.
- Reputational: Significant, as this follows a previous exposure incident regarding backup files a few weeks prior.
## Indicators of Compromise
- Network indicators: Brute-force activity targeting the cloud backup API (specific IPs/URLs not provided).
- File indicators: Firewall configuration backup files containing serial numbers, rules, and encrypted credentials.
- Behavioral indicators: High volume of API calls attempting to access backup files, indicative of a brute-force approach.
## Response Actions
- Containment measures: SonicWall has "hardened" its infrastructure, added logging, and introduced stronger authentication controls. Customers are advised to follow the specific remediation guidelines immediately.
- Eradication steps: Customers must initiate credential resets and reassessment of firewalls if their serial numbers are listed as impacted.
- Recovery actions: Customers must review, and where necessary update, the firewall rule sets and any credentials exposed in the backup files.
## Lessons Learned
- Key takeaways: Cloud backup APIs require robust protection, including strict rate limiting and stronger access controls against brute-force enumeration.
- What could have been done better: The absence of basic protections such as rate limiting on public APIs was a critical capability gap that led to the breach. Encryption of stored credentials, while present, is insufficient if offline cracking is feasible.
## Recommendations
- Prevention measures for similar incidents: Implement strict rate limiting and multi-factor authentication or equivalent controls for all public-facing management APIs, especially those handling sensitive configuration data. Organizations should prioritize credential rotation where weak passwords are in use, since the collected encrypted credentials are now exposed to offline cracking. Customers should confirm whether their internet-facing devices (high priority) require immediate credential cycling, following vendor advisories.
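The brute-force behavioral indicator in the Indicators of Compromise section and the rate-limiting recommendation above are easier to act on with concrete logic. The following Python is an added example, not SonicWall's code or tooling. It assumes a constructed access-log format (timestamp, client IP, method, path, status) and a hypothetical `/api/backup/<serial>` endpoint; it replays constructed log lines through a sliding-window enumeration detector (many distinct serials, mostly failed lookups, from one client) and then through a per-client token-bucket limiter of the kind that would have throttled such a sweep.

```python
"""Detection and rate limiting for brute-force enumeration of a backup API.

Added example, not SonicWall's code. The log format and endpoint path are
constructed for illustration: each line is
    <ISO-8601 timestamp> <client IP> <HTTP method> <path> <status>
and a backup download is keyed by a device serial in the path.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
BACKUP_RE = re.compile(r"^/api/backup/([A-Za-z0-9-]+)$")   # hypothetical endpoint

T0 = datetime(2025, 9, 28, 10, 0, 0, tzinfo=timezone.utc)


def build_sample_log():
    """Constructed log: two legitimate clients plus one client sweeping serials."""
    lines = []
    # Legitimate clients fetch their own backup twice, hours apart.
    for i, ip in enumerate(["198.51.100.20", "198.51.100.21"]):
        for k in range(2):
            ts = T0 + timedelta(hours=3 * k, minutes=i)
            lines.append(f"{ts.isoformat()} {ip} GET /api/backup/SN-REAL{i:04d} 200")
    # 203.0.113.7 requests 40 different serials in 20 seconds; almost all miss.
    for n in range(40):
        ts = T0 + timedelta(milliseconds=500 * n)
        status = 200 if n == 17 else 404
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /api/backup/SN-{n:08d} {status}")
    lines.sort()   # ISO timestamps lead each line, so string order is time order
    return lines


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    serial = BACKUP_RE.match(path)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "path": path, "status": int(status),
        "serial": serial.group(1) if serial else None,
    }


def detect_enumeration(lines, window=timedelta(seconds=60), max_requests=20,
                       min_distinct_serials=10, min_error_ratio=0.5):
    """Flag clients that hit the backup endpoint for many distinct serials,
    with mostly failed lookups, inside a sliding time window."""
    recent = defaultdict(deque)        # ip -> (ts, serial, status) within window
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["serial"] is None:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["serial"], ev["status"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= max_requests:
            serials = {s for _, s, _ in q}
            failures = sum(1 for _, _, st in q if st >= 400)
            ratio = failures / len(q)
            if len(serials) >= min_distinct_serials and ratio >= min_error_ratio:
                prev = findings.get(ev["ip"], {"requests": 0})
                if len(q) > prev["requests"]:   # keep the largest window seen
                    findings[ev["ip"]] = {"requests": len(q),
                                          "distinct_serials": len(serials),
                                          "failure_ratio": ratio}
    return findings


class TokenBucket:
    """Per-client token bucket: `rate` requests/second sustained, `burst` at most."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}                     # ip -> (tokens, last_ts)

    def allow(self, ip, ts):
        tokens, last = self.state.get(ip, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last).total_seconds() * self.rate)
        if tokens < 1:
            self.state[ip] = (tokens, ts)
            return False
        self.state[ip] = (tokens - 1, ts)
        return True


def apply_rate_limit(lines, rate=0.1, burst=5):
    """Replay the log through the limiter; return {ip: number of rejected requests}."""
    bucket = TokenBucket(rate, burst)
    rejected = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["serial"] is None:
            continue
        if not bucket.allow(ev["ip"], ev["ts"]):
            rejected[ev["ip"]] += 1
    return dict(rejected)


if __name__ == "__main__":
    log = build_sample_log()
    print("enumeration findings:", detect_enumeration(log))
    print("requests the limiter would have rejected:", apply_rate_limit(log))
```

The detector keys on three things that a legitimate customer fetching its own backup never produces together: request volume, breadth of distinct serials, and a high failure ratio; tuning any one threshold alone invites false positives from a busy but legitimate integration. The limiter shows the preventive side: a burst of five with a sustained rate of one request per ten seconds lets the two normal clients through untouched while rejecting most of the sweep.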