
SonicWall has confirmed a security breach affecting firewall configuration backups for all customers using the MySonicWall Cloud Backup service. Review the details within this Cybersecurity Threat Advisory to learn more and see how to protect your data.
What is the threat?
The incident impacts all customers who use the MySonicWall Cloud Backup service. Stolen firewall configuration files contain sensitive information such as network topology, access rules, and authentication settings that adversaries could weaponize for targeted intrusions if credentials remain unchanged.
Why is it noteworthy?
This breach is noteworthy because it impacts the entire MySonicWall Cloud Backup user base. The theft of configuration backups represents a rare and large-scale compromise. It provides attackers with detailed insight into customer environments and significantly increases the risk of widespread exploitation.
What is the exposure or risk?
The exposure includes sensitive configuration data that could allow attackers to gain unauthorized access, bypass security controls, and compromise VPNs or other protected systems. SonicWall has mandated an Essential Credential Reset to mitigate this risk. Additionally, it advises administrators to rotate all secrets referenced in backups, such as passwords, VPN keys, certificates, and API tokens.
What are the recommendations?
Barracuda recommends the following actions to secure environments that use the MySonicWall Cloud Backup service:
- Complete SonicWall’s Essential Credential Reset and immediately rotate all secrets referenced in backups (admin passwords, VPN PSKs/certificates, directory/RADIUS shared secrets, API tokens) across affected devices.
- Restrict management exposure by disabling WAN management where feasible, limiting admin access to trusted networks, and enforcing MFA on all MySonicWall accounts.
- Increase monitoring and alerting for anomalous configuration changes, creation of new admin accounts, VPN authentication spikes, and any attempted use of legacy credentials after the confirmed breach.
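The monitoring recommendation above can be prototyped as a small rule set over normalized firewall events. This is an added example, not part of the original advisory or any SonicWall tooling; the event field names, trusted management network, retired identities, thresholds, timestamps and sample events are constructed assumptions, not a SonicWall log schema.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are assumptions for illustration.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]  # admin-only network
RETIRED_IDS = {"svc-ldap-old", "vpn-psk-2024"}         # identities retired in the reset
RESET_DONE = datetime(2025, 1, 10, 12, 0)              # when rotation was completed
SPIKE_FAILS, SPIKE_WINDOW = 5, timedelta(minutes=5)    # failures per source per window

def ev(ts, kind, src, user, ok=True):
    """Build one normalized event (hypothetical schema)."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "src": src, "user": user, "ok": ok}

# Constructed sample events.
SAMPLE = [
    ev("2025-01-10T13:00:00", "config_change", "10.20.0.15", "admin"),
    ev("2025-01-10T13:05:00", "config_change", "203.0.113.7", "admin"),
    ev("2025-01-10T13:06:00", "admin_created", "203.0.113.7", "support2"),
    ev("2025-01-10T14:00:00", "vpn_auth", "198.51.100.9", "vpn-psk-2024", ok=False),
] + [ev(f"2025-01-10T15:0{i}:00", "vpn_auth", "198.51.100.44", "jdoe", ok=False)
     for i in range(5)]

def trusted(src):
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_MGMT)

def detect(events):
    """Return (rule, source, identity) alerts in time order."""
    alerts, fails = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "config_change" and not trusted(e["src"]):
            alerts.append(("untrusted_config_change", e["src"], e["user"]))
        elif e["kind"] == "admin_created":
            alerts.append(("new_admin_account", e["src"], e["user"]))
        elif e["kind"] in ("vpn_auth", "admin_login"):
            # Any attempt with an identity retired during the reset is suspect,
            # whether or not it succeeds.
            if e["user"] in RETIRED_IDS and e["ts"] >= RESET_DONE:
                alerts.append(("legacy_credential_use", e["src"], e["user"]))
            if e["kind"] == "vpn_auth" and not e["ok"]:
                recent = [t for t in fails[e["src"]] if e["ts"] - t < SPIKE_WINDOW]
                recent.append(e["ts"])
                fails[e["src"]] = recent
                if len(recent) == SPIKE_FAILS:  # alert once per burst
                    alerts.append(("vpn_auth_spike", e["src"], e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In practice the same rules would run in a SIEM against parsed firewall syslog, with the retired-identity list populated from the credential reset itself.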
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/
- https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-after-MySonicWall-breach/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.