SonicWall Discloses Another Breach

On September 17th, SonicWall published information about a security incident involving their firewall’s cloud backup files. According to the company, a threat actor accessed customers’ MySonicWall backup preference files through a series of brute force attacks. While the incident allegedly impacted less than 5% of SonicWall’s install base and the credentials in the files were encrypted, the compromised backups could expose sensitive information that threat actors could exploit further.

In the advisory, SonicWall stated that the compromised backup files had not yet been publicly exposed by the threat actors. SonicWall also published guidance to help users mitigate the risk of further exploitation, including verifying the existence of cloud backups and following the containment guidance published for any impacted serial numbers found in the users’ accounts.

Analyst Comments

This announcement comes amid a surge in ransomware incidents in which threat actors—most notably Akira—are exploiting SonicWall devices to gain initial access. While SonicWall claims that this current campaign is a result of an older known vulnerability (CVE-2024-40766), the announcement, coupled with a lack of any disclosed timelines for the cloud backup breach, could call their previous claims into question. Arete is following up with all active engagement clients to identify whether this latest breach could have enabled access by threat actors. At this time, we have seen that less than 15% of Akira victims in the July to September SonicWall campaign either backed up their configs to the cloud or received notice from SonicWall that their information was exposed. Arete will continue to monitor the situation. In the meantime, SonicWall users are advised to follow the published remediation guidance.
