October 15, 2025
Random News

Securitydive

Data Security

SonicWall Breach hits every cloud backup customer after 5% claim goes up in smoke

admin06 mins

SonicWall recently disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service.

“The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks,” the company reported.

It also noted that it’s working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices.

SonicWall has admitted that all customers who used its cloud backup service to store firewall configuration files were affected by a cybersecurity incident first disclosed in mid-September, walking back earlier assurances that only a small fraction of users were impacted.

Sonicwall in its  investigation had determined that “all customers” who utilized the MySonicWall cloud backup feature were affected, confirming that attackers had accessed configuration backup files stored on its systems. These backups typically include firewall settings, policies, and network configurations, making them a valuable target for anyone seeking to map internal infrastructure or pivot into connected environments.

When SonicWall first disclosed the breach on 17 September, it claimed the incident was limited to “less than 5 percent” of customers. At the time, the company said it had detected “suspicious activity” against the cloud backup environment used by its next-generation firewalls and promptly disabled the service “out of an abundance of caution.”

That initial reassurance now appears premature. SonicWall’s latest post-mortem, which follows an independent investigation and external forensics review, confirms that the attackers successfully accessed data belonging to every customer who had ever used the cloud backup service, regardless of when their backups were created.

The Register has asked SonicWall how many customers use its cloud backup service but has not received a response.

While SonicWall insists the intrusion did not affect other MySonicWall services or customer devices, it’s urging administrators to treat the incident seriously. Customers have been told to delete any existing cloud backups, change their MySonicWall credentials, rotate shared secrets and passwords, and recreate new backup files locally rather than in the cloud.

According to Arctic Wolf, which has been tracking the incident, the backups contain data that could aid follow-on attacks.

“Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,”  said Stefan Hostetler, a threat intelligence researcher at Arctic Wolf. “These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates.

In the past, Arctic Wolf has observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use in future attacks.”

SonicWall has not attributed the breach to any specific threat actor or nation-state, and it hasn’t said whether data was copied, leaked, or destroyed. The company continues to maintain that there is “no evidence” of any compromise to production firewalls or other customer-hosted systems.

For SonicWall, this is not its first brush with online attackers. Earlier this year, the company said it was investigating a spate of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs.
While this latest compromise appears more contained, the reversal from “5 percent” to “100 percent” is unlikely to inspire confidence among customers who entrusted their firewall blueprints to the cloud.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News