Full Report
SonicWall has disclosed a security incident affecting its MySonicWall cloud backup service. Threat actors conducted brute force attacks on the MySonicWall.com portal and gained unauthorized access to a subset of firewall preference files. While fewer than 5% of firewall instal...
Analysis Summary
# Incident Report: SonicWall MySonicWall Cloud Backup Access Incident
## Executive Summary
Threat actors successfully executed brute force attacks against the MySonicWall.com portal, leading to unauthorized access to a subset of customer firewall preference files stored in the cloud backup service. While sensitive credentials were encrypted, configuration details within the files were only encoded, potentially exposing actionable intelligence to the attackers. SonicWall contained the issue and confirmed that fewer than 5% of installations were affected, with no public leak of the data observed to date.
## Incident Details
- Discovery Date: Unknown (Disclosed September 25, 2025)
- Incident Date: Not stated; the attacks preceded the September 25, 2025 disclosure
- Affected Organization: SonicWall (MySonicWall cloud backup service)
- Sector: Technology/Security Hardware & Software
- Geography: Global (MySonicWall portal service)
## Timeline of Events
### Initial Access
- Date/Time: Attack window prior to Sept 25, 2025
- Vector: Password attack via the MySonicWall.com portal.
- Details: Threat actors conducted brute force attacks against user credentials for the MySonicWall portal.
### Access to Backup Files
- Details: Using the compromised portal accounts, the attackers retrieved firewall preference files from the MySonicWall cloud backup service. No lateral movement beyond the portal is described in the source.
### Data Exfiltration/Impact
- Details: Access was gained to configuration details within firewall preference files. Sensitive credentials within these files remained strongly encrypted, but the surrounding configuration details were only *encoded*, a reversible transformation that needs no key, so anyone holding a file can read network layout, policy names and similar settings. This poses a risk of intelligence gathering for targeted attacks against the associated on-premises firewalls.
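To make the encoded-versus-encrypted distinction concrete, the following added example (not code from SonicWall or from the original report) decodes a constructed, base64-encoded key=value preference export and separates what an attacker reads in the clear from values that carry their own encryption. The export layout, field names and the `ENC:` prefix are assumptions for illustration and do not describe the real preference file format.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed sample: a key=value preference export in URL-form style, then base64-encoded.
# Field names, layout and the "ENC:" marker are assumptions, not a real SonicWall file.
SAMPLE_PREFS = (
    "firewallName=BRANCH-FW-01"
    "&lanSubnet=10.20.0.0/24"
    "&wanIp=203.0.113.17"
    "&vpnPeer=198.51.100.9"
    "&vpnPolicyName=HQ-to-Branch"
    "&mgmtAllowedFrom=10.20.0.0/24"
    "&snmpCommunity=public"
    "&adminUser=admin"
    "&adminPassEnc=ENC:5c1e0b9a7f3d2e8c4b6a1f0d9e8c7b5a"  # stand-in for a separately encrypted secret
)
ENCODED_PREFS = base64.b64encode(SAMPLE_PREFS.encode()).decode()


def decode_prefs(blob: str) -> dict:
    """Undo the encoding. No key is involved, so anyone holding the file can do this."""
    raw = base64.b64decode(blob).decode()
    return dict(parse_qsl(raw, keep_blank_values=True))


def triage(prefs: dict):
    """Split fields readable in the clear from values that carry their own encryption."""
    readable = {k: v for k, v in prefs.items() if not v.startswith("ENC:")}
    opaque = {k: v for k, v in prefs.items() if v.startswith("ENC:")}
    return readable, opaque


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def recon_targets(readable: dict) -> set:
    """Addresses and subnets an attacker harvests without breaking any encryption."""
    found = set()
    for value in readable.values():
        found.update(_IPV4.findall(value))
    return found


if __name__ == "__main__":
    prefs = decode_prefs(ENCODED_PREFS)
    readable, opaque = triage(prefs)
    print("readable in the clear:", readable)
    print("still protected:", sorted(opaque))
    print("recon targets:", sorted(recon_targets(readable)))
```

The point of the block is that `decode_prefs` needs nothing the attacker does not already hold: the encrypted password field stays opaque, but WAN address, VPN peer, management access ranges and the SNMP community string come out verbatim, which is exactly the targeting intelligence the report warns about.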
### Detection & Response
- Details: SonicWall disclosed the incident on September 25, 2025; how it was detected is not stated in the source. Containment measures were implemented to secure the affected subset of files and accounts.
## Attack Methodology
- Initial Access: Password Bruteforcing against the MySonicWall.com portal.
- Persistence: Not described in the source. Successful retrieval of backup files does not by itself indicate persistence.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed.
- Credential Access: Acquisition of valid portal credentials via brute force methods.
- Discovery: Reviewing retrieved firewall configuration files within the cloud backup.
- Lateral Movement: None described; the backup files were retrieved through the portal's own cloud backup function using the compromised accounts.
- Collection: Gathering configuration details from firewall preference files (which were only encoded, not encrypted).
- Exfiltration: Not confirmed in the source, but access to the files was confirmed, so affected customers should assume the contents were downloaded.
- Impact: Potential exposure of actionable configuration intelligence for subsequent exploitation of associated firewall devices.
## Impact Assessment
- Financial: Estimated costs not available from the text.
- Data Breach: Configuration details from firewall preference files. Fewer than 5% of firewall installations impacted.
- Operational: No mention of disruption to SonicWall's core services or customer firewalls directly, but firewalls whose preference files were accessed now face an elevated risk of targeted attack.
- Reputational: Negative disclosure affecting customer trust in the cloud backup service.
## Indicators of Compromise
- *No specific network or file IOCs were provided in the source text.*
- Behavioral indicators: Numerous failed login attempts against the MySonicWall.com authentication endpoint followed by a successful login for the same account, the pattern of a brute force attack; many single failures from one source across different accounts would indicate password spraying or credential stuffing.
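The following added example (not code from SonicWall or the original report) turns those behavioral indicators into detection logic and runs it over constructed authentication log lines. It flags an account whose success is preceded by a burst of failures within a window (brute force) and a source that fails against many distinct accounts (spraying). The log line format, thresholds and window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system):
# "<ISO timestamp> <source IP> <account> <LOGIN_OK|LOGIN_FAIL>"
LOG_LINES = [
    "2025-09-20T09:00:01 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:02 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:03 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:04 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:05 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:06 198.51.100.7 alice LOGIN_FAIL",
    "2025-09-20T09:00:10 198.51.100.7 alice LOGIN_OK",     # brute force that succeeded
    "2025-09-20T09:01:00 192.0.2.44 bob LOGIN_FAIL",
    "2025-09-20T09:01:05 192.0.2.44 bob LOGIN_OK",         # benign typo, below threshold
    "2025-09-20T09:02:00 203.0.113.5 carol LOGIN_FAIL",
    "2025-09-20T09:02:10 203.0.113.5 dave LOGIN_FAIL",
    "2025-09-20T09:02:20 203.0.113.5 erin LOGIN_FAIL",
    "2025-09-20T09:02:30 203.0.113.5 frank LOGIN_FAIL",
    "2025-09-20T09:02:40 203.0.113.5 grace LOGIN_FAIL",    # one source, many accounts: spray
]

FAIL_THRESHOLD = 5          # failures before a later success is suspicious (assumed)
SPRAY_ACCOUNTS = 5          # distinct accounts failed by one source (assumed)
WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW, spray_accounts=SPRAY_ACCOUNTS):
    """Return findings for brute-force-then-success and password-spray patterns."""
    events = sorted(parse_line(l) for l in lines)
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(dict)     # src  -> {user: time of last failure}
    findings = []
    for ts, src, user, result in events:
        q = fails_by_user[user]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if result == "LOGIN_FAIL":
            q.append(ts)
            fails_by_src[src][user] = ts
            recent = {u for u, t in fails_by_src[src].items() if ts - t <= window}
            if len(recent) >= spray_accounts:
                findings.append({"type": "password_spray", "src": src, "user": None, "count": len(recent)})
                fails_by_src[src].clear()  # report once per burst
        elif result == "LOGIN_OK":
            if len(q) >= fail_threshold:
                findings.append({"type": "bruteforce_success", "src": src, "user": user, "count": len(q)})
            q.clear()  # a success ends the failure streak for this account
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(finding)
```

A success after a long failure streak is the highest-value alert here, because it is the moment a backup-holding account changed hands; the spray detector catches the same campaign earlier, before any account falls.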
## Response Actions
- Containment measures: Described only as securing the affected subset of files and accounts; the source does not say whether this involved restricting file access, resetting credentials, or both.
- Eradication steps: Not detailed in the source.
- Recovery actions: Not detailed in the source.
## Lessons Learned
- Single-factor password authentication without effective brute force protection remains a primary vulnerability vector for cloud portals.
- Storing sensitive configuration data only *encoded* rather than strongly encrypted presents a significant intelligence risk, even if primary credentials are encrypted.
## Recommendations
- Mandate Multi-Factor Authentication (MFA) for all access to the MySonicWall portal immediately, regardless of account tier.
- Review and enhance application-level rate limiting and brute force protection mechanisms on customer-facing portals.
- Treat configuration data in cloud backups as sensitive: encrypt the whole preference file at rest with a strong authenticated cipher, not merely encode it, so that unauthorized file access yields no usable intelligence.
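As an added example of the rate limiting and brute force protection recommended above (illustrative code, not part of SonicWall's portal or the original report), the class below throttles logins per account with escalating lockouts and per source address across accounts. The thresholds, lockout durations and the `allowed`/`record` interface are assumptions; the caller is expected to consult `allowed` before checking a password and to call `record` with the outcome.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class LoginGuard:
    """Per-account and per-source login throttling with escalating lockouts (illustrative)."""

    def __init__(self, max_failures=5, base_lockout=timedelta(minutes=1),
                 max_lockout=timedelta(hours=1), window=timedelta(minutes=15), src_limit=20):
        self.max_failures = max_failures    # failures in window before the account locks
        self.base_lockout = base_lockout    # first lockout; doubles on each repeat
        self.max_lockout = max_lockout
        self.window = window
        self.src_limit = src_limit          # failures per source across all accounts
        self.user_fail = defaultdict(list)  # user -> failure timestamps within window
        self.user_lock = {}                 # user -> (locked_until, lockout_count)
        self.src_fail = defaultdict(list)   # src  -> failure timestamps within window

    def _prune(self, stamps, now):
        stamps[:] = [t for t in stamps if now - t <= self.window]

    def allowed(self, user: str, src: str, now: datetime):
        """Decide before verifying the password, so locked attempts cost nothing."""
        lock = self.user_lock.get(user)
        if lock and now < lock[0]:
            return False, "account_locked"
        self._prune(self.src_fail[src], now)
        if len(self.src_fail[src]) >= self.src_limit:
            return False, "source_throttled"
        return True, "ok"

    def record(self, user: str, src: str, success: bool, now: datetime):
        """Update counters with the outcome of a password check."""
        if success:
            self.user_fail.pop(user, None)
            self.user_lock.pop(user, None)  # a genuine login resets the escalation
            return
        self.user_fail[user].append(now)
        self._prune(self.user_fail[user], now)
        self.src_fail[src].append(now)
        if len(self.user_fail[user]) >= self.max_failures:
            count = self.user_lock.get(user, (None, 0))[1] + 1
            duration = min(self.base_lockout * 2 ** (count - 1), self.max_lockout)
            self.user_lock[user] = (now + duration, count)
            self.user_fail[user].clear()


if __name__ == "__main__":
    guard = LoginGuard()
    t0 = datetime(2025, 9, 1, 9, 0, 0)
    for i in range(6):
        now = t0 + timedelta(seconds=i)
        ok, reason = guard.allowed("alice", "198.51.100.7", now)
        print(f"attempt {i + 1}: {reason}")
        if ok:
            guard.record("alice", "198.51.100.7", False, now)
```

The per-source limit is what stops a spray that never trips a single account's threshold; the escalating lockout is what makes a sustained attack on one account uneconomic. Neither replaces MFA, which is the control that makes a guessed password insufficient on its own.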