SonicWall cloud backup breach: All configuration files accessed, remediation urged

Following our initial coverage of SonicWall’s breach in September, new findings released October 8 and 9 confirm that configuration backup files were accessed for all customers who used the MySonicWall cloud backup service.

On October 9, SonicWall updated its advisory to reflect the expanded scope of the incident. This update comes after a forensic investigation and significantly broadens the impact beyond the original estimate of fewer than 5% of affected devices. 

The investigation determined that threat actors exploited the cloud backup application programming interface using brute-force methods. They downloaded encrypted preference files containing system settings, network topology, routing rules, firewall policies, virtual private network configurations, and user credentials.

While credentials were encrypted, using Advanced Encryption Standard 256-bit for Gen7 and Triple Data Encryption Standard for Gen6, other configuration elements were readable.

SonicWall has updated the MySonicWall portal to help customers identify affected devices. Remediation is recommended for all devices with cloud backups, especially those exposed to the internet.

Although SonicWall has not confirmed whether built-in administrator accounts are stored in configuration files, all credentials that were active at the time of backup should be rotated, even for devices not currently flagged.  

The presence of readable configuration data increases the risk of targeted exploitation. Configuration files may reveal management interface settings, usernames of local users, and tunnel configurations, which could be used for reconnaissance or combined with other vulnerabilities.

SonicWall has released a Firewall Configuration Analysis Tool to identify services requiring remediation. A cleaned preference file with randomized credentials is available for import during maintenance windows.

Analyst insight

Based on SonicWall’s official advisories, third-party reporting, and community feedback, the following actions are recommended to contain and remediate the breach for all devices that used MySonicWall cloud backup services.

1. Identify affected devices

• Log in to your MySonicWall account.
• Navigate to Product Management > Issue List to view flagged serial numbers.
• Confirm if cloud backups were enabled for each device. Those without backups aren't impacted.

2. Prioritize exposure

• Review device status labels: “Active – High Priority,” “Active – Lower Priority,” or “Inactive.”
• Focus initial remediation efforts on internet-facing devices and those with active cloud backups.

3. Rotate credentials

• Reset all credentials active at the time of backup, including:
  • Secure Sockets Layer Virtual Private Network (SSLVPN) user credentials
  • Pre-shared keys
  • Authentication server secrets
  • Local administrator passwords
  • Use SonicWall’s cleaned preference files with randomized credentials where available

4. Restrict remote access

• Disable or limit access to management interfaces and remote services from the wide area network:
  • Secure Sockets Layer Virtual Private Network
  • Internet Protocol Security Virtual Private Network
  • Simple Network Management Protocol 

5. Restrict SSLVPN service access

• Implement an Access Control List (ACL) to restrict external IP addresses or geographic locations from which the VPN service can be accessed.
• Enforce the user of Multi-Factor Authentication (MFA) for all account that are accessible via an external service 

6. Use SonicWall’s remediation tools

• Run the Firewall Configuration Analysis Tool to identify services requiring remediation based on each device’s configuration.
• Import updated preference files during scheduled maintenance windows. This process will reboot the firewall. 

7. Monitor for post-compromise activity

• Review system logs and configuration changes regularly.
• Watch for unauthorized access attempts, unexpected rule changes, or credential misuse. 

8. Document and review

• Record all remediation actions taken per device.
• Reassess backup and credential storage policies to reduce future exposure.