
SonicWall Urges Password Resets After Firewall Backup Files Breach

  • Lemina
  • Sep 19
  • 2 min read

SonicWall has warned customers to reset credentials following a security breach that exposed firewall configuration backup files stored in MySonicWall accounts.

SonicWall Backup Breach

The network security company confirmed it had detected suspicious activity targeting its cloud backup service for firewalls, with threat actors accessing firewall preference files belonging to fewer than 5% of customers.


🔓 What Happened

According to SonicWall, while credentials in the files were encrypted, the backups also contained sensitive details that could potentially aid attackers in exploiting firewalls.

The company stressed it has found no evidence of the files being leaked online and clarified that this was not a ransomware attack, but instead a series of brute-force attempts to gain access to backup preference files. The identity of the attackers remains unknown.


🛡️ Steps for Customers

SonicWall has urged affected users to take immediate steps to secure their systems:

  1. Log in to MySonicWall.com and check whether cloud backups are enabled.

  2. Verify flagged serial numbers in accounts.

  3. Contain and remediate by:

    • Restricting WAN access

    • Turning off HTTP/HTTPS/SSH management access

    • Disabling SSL VPN and IPSec VPN

    • Resetting passwords and TOTPs saved on firewalls

    • Reviewing logs and recent configuration changes for anomalies

  4. Import fresh preferences files provided by SonicWall, which include:

    • Randomized passwords for all local users

    • Reset TOTP binding (if enabled)

    • Randomized IPSec VPN keys


SonicWall cautioned that the updated files were created from the latest preferences in cloud storage, and customers should not use them if they don’t align with current configurations.
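The checklist above is easy to lose track of across a fleet of devices. The following script is an added example (not SonicWall's tooling, and not the MySonicWall export format) that audits a hand-maintained firewall inventory against those steps: it skips devices with no cloud backup, asks for a re-check on devices with backups that are not flagged, and for flagged devices reports management services still reachable from the WAN, VPNs still enabled while secrets are unrotated, and any local passwords, TOTP bindings or IPsec keys not rotated on or after a cutoff date. The `Firewall` record fields, the `flagged_in_portal` flag (recorded by hand from the portal) and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# (severity, message) pairs returned by the audit.
Finding = Tuple[str, str]


@dataclass
class Firewall:
    """Hypothetical inventory record; field layout is an assumption, not a vendor format."""
    serial: str
    cloud_backup_enabled: bool
    flagged_in_portal: bool                       # serial listed as affected in MySonicWall (recorded manually)
    wan_mgmt_services: Set[str] = field(default_factory=set)  # e.g. {"http", "https", "ssh"} reachable from WAN
    ssl_vpn_enabled: bool = False
    ipsec_vpn_enabled: bool = False
    local_passwords_rotated_on: Optional[date] = None
    totp_reset_on: Optional[date] = None
    ipsec_keys_rotated_on: Optional[date] = None


def audit_firewall(fw: Firewall, cutoff: date) -> List[Finding]:
    """Apply the post-breach checklist to one device.

    `cutoff` is the date from which a rotation counts as clean (for example the day the
    vendor-supplied preferences were imported); anything rotated earlier, or never, is flagged.
    """
    findings: List[Finding] = []

    # Step 1: no cloud backup means no preference file sat in the breached service.
    if not fw.cloud_backup_enabled:
        return findings

    # Step 2: backups enabled but serial not flagged; worth a second look at the portal.
    if not fw.flagged_in_portal:
        findings.append(("info", f"{fw.serial}: cloud backup enabled but not flagged; re-check the portal"))
        return findings

    # Step 4: confirm every secret class from the fresh preferences has been rotated.
    secrets = (
        ("local passwords", fw.local_passwords_rotated_on),
        ("TOTP bindings", fw.totp_reset_on),
        ("IPsec VPN keys", fw.ipsec_keys_rotated_on),
    )
    unrotated = [label for label, rotated_on in secrets if rotated_on is None or rotated_on < cutoff]

    # Step 3: while secrets may still be the exposed ones, exposed services are the containment gap.
    if unrotated:
        if fw.wan_mgmt_services:
            exposed = ", ".join(sorted(fw.wan_mgmt_services))
            findings.append(("high", f"{fw.serial}: management reachable from WAN via {exposed}"))
        if fw.ssl_vpn_enabled:
            findings.append(("high", f"{fw.serial}: SSL VPN still enabled before secrets were rotated"))
        if fw.ipsec_vpn_enabled:
            findings.append(("high", f"{fw.serial}: IPsec VPN still enabled before secrets were rotated"))
        for label in unrotated:
            findings.append(("high", f"{fw.serial}: {label} not rotated on or after {cutoff.isoformat()}"))

    return findings


def audit_inventory(fleet: List[Firewall], cutoff: date) -> Dict[str, List[Finding]]:
    """Audit every device; only devices with at least one finding appear in the result."""
    result: Dict[str, List[Finding]] = {}
    for fw in fleet:
        findings = audit_firewall(fw, cutoff)
        if findings:
            result[fw.serial] = findings
    return result


def severity_counts(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Roll a report up into {severity: count} for a quick fleet-level view."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for severity, _ in findings:
            counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample inventory; serials and dates are placeholders, not real devices.
SAMPLE_CUTOFF = date(2025, 9, 18)
SAMPLE_FLEET = [
    Firewall("FW-0001", cloud_backup_enabled=False, flagged_in_portal=False),
    Firewall("FW-0002", cloud_backup_enabled=True, flagged_in_portal=False),
    Firewall("FW-0003", cloud_backup_enabled=True, flagged_in_portal=True,
             wan_mgmt_services={"https", "ssh"}, ssl_vpn_enabled=True,
             local_passwords_rotated_on=date(2025, 9, 1),
             ipsec_keys_rotated_on=date(2025, 9, 19)),
    Firewall("FW-0004", cloud_backup_enabled=True, flagged_in_portal=True,
             wan_mgmt_services={"https"},
             local_passwords_rotated_on=date(2025, 9, 18), totp_reset_on=date(2025, 9, 18),
             ipsec_keys_rotated_on=date(2025, 9, 18)),
]

if __name__ == "__main__":
    for serial, findings in audit_inventory(SAMPLE_FLEET, SAMPLE_CUTOFF).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
    print(severity_counts(audit_inventory(SAMPLE_FLEET, SAMPLE_CUTOFF)))
```

In the sample run, FW-0003 produces four high findings (WAN management, SSL VPN, stale local passwords, no TOTP reset) while FW-0004, whose secrets were all rotated on the cutoff date, produces none even though its WAN HTTPS management is still on; whether to keep that exposure after remediation is a separate hardening decision the script deliberately leaves to the operator.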


⚠️ Wider Threat Context

The disclosure comes as Akira ransomware operators continue exploiting unpatched SonicWall devices, particularly the critical flaw CVE-2024-40766 (CVSS 9.3).

Earlier this week, cybersecurity firm Huntress revealed an Akira-linked incident in which threat actors exploited SonicWall VPNs and leveraged plaintext recovery codes to bypass MFA protections, suppress incident visibility, and attempt to uninstall endpoint defenses.

“This level of access can be weaponized to disable defenses, manipulate detection tools, and execute further malicious actions,” Huntress researchers warned.

The SonicWall breach highlights the urgent need for organizations to treat backup files and recovery codes with the same sensitivity as privileged credentials, as attackers increasingly target these assets to gain long-term access.
