SonicWall urges immediate password rotation after API attack exposes cloud firewall backups

CyberSecureFox 🦊

SonicWall has advised customers to immediately rotate passwords, shared secrets, and cryptographic keys after attackers obtained access to cloud-stored firewall configuration backups tied to MySonicWall accounts. The company reports that malicious access has been cut off and that it is working with relevant government and law‑enforcement partners as part of an ongoing investigation.

SonicWall incident: API brute-force exposed cloud configuration backups

According to SonicWall, adversaries conducted brute‑force attacks against an API service responsible for managing cloud backups. In some cases, this activity allowed retrieval of configuration backup files. The company stated that fewer than 5% of SonicWall firewalls had cloud backups that were reached through this activity.

While credentials embedded in the backups were stored in encrypted form, the files contained operational details that can simplify device exploitation: network addressing, access policies, objects, VPN configurations, and other parameters. SonicWall added that it has not seen evidence of public data release and the event did not include an extortion component, though configuration artifacts may include credentials or tokens for third‑party services integrated with the devices.

Why firewall configurations are high-value targets

A firewall configuration is effectively a “network map” that describes routes, segmentation, access controls, user objects, and service parameters. Access to this context can drastically reduce attacker reconnaissance effort and raise the probability of evading defenses. Plausible follow‑on scenarios include reusing or guessing known secrets, spoofing legitimate IPSec/VPN peers, unauthorized policy changes, and credential attacks via directory integrations such as LDAP or RADIUS.

Industry reporting consistently finds that compromised credentials are a leading driver of breaches. For example, the Verizon Data Breach Investigations Report (DBIR) has repeatedly highlighted stolen credentials as a top initial access vector, and the FBI IC3 reported multi‑billion‑dollar losses stemming from credential abuse in business email compromise schemes. Even when passwords are not directly exposed, configuration backups provide sufficient context for targeted escalation in distributed networks where firewalls anchor remote access and inter‑segment filtering.

Immediate actions for SonicWall customers

SonicWall recommends rapid rotation of all potentially impacted secrets and enhanced monitoring. Priorities include passwords, shared secrets, and encryption keys used on affected devices and services.

Rotation priorities across SonicOS and third-party services

Organizations should reset administrator credentials on affected firewalls and enable MFA for MySonicWall. Update IPSec pre‑shared keys and, where appropriate, reissue VPN and device certificates. Review and rotate credentials used with ISPs, Dynamic DNS, email systems, remote IPSec VPN peers, LDAP/RADIUS directories, and any other integrated third‑party services referenced in configurations.

Conduct a full audit of authentication and configuration logs; forward events to a SIEM and create alerts for high‑risk conditions such as new admin accounts, unexpected VPN connections, and changes to access rules. Validate that device firmware is current and disable unnecessary services in line with the principle of least privilege.

Harden backup and API control planes by restricting access based on roles and IP allowlists, encrypting archives with unique keys, enforcing rate limiting and lockouts on failed API authentication, and regularly testing restore and incident‑response procedures.

Indicators of compromise and monitoring tips

Potential signs of misuse include unanticipated configuration changes, creation of unfamiliar rules or objects, appearance of unknown administrative users, spikes in authentication failures, and VPN connections from atypical geographies. Compare current device configurations to gold baselines, inventory all keys and tokens, and review external interfaces for exposed ports or services not aligned with your organization’s standards.
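As an added illustration, not code from SonicWall or from this article, the script below applies the alert conditions listed above (admin-account creation, authentication-failure spikes, VPN logins from atypical countries, access-rule changes) to a few constructed key=value log lines. The log format, field names, thresholds and expected-country list are assumptions for the example, not the real SonicOS log format.

```python
from collections import defaultdict

# Constructed sample events in a simple key=value syslog-like style
# (assumed format for this example, not real SonicOS output).
SAMPLE_LOGS = """\
time=100 event=auth_fail src=203.0.113.7 user=admin
time=110 event=auth_fail src=203.0.113.7 user=admin
time=120 event=auth_fail src=203.0.113.7 user=admin
time=130 event=auth_fail src=203.0.113.7 user=admin
time=140 event=auth_fail src=203.0.113.7 user=admin
time=150 event=auth_ok src=198.51.100.9 user=admin
time=200 event=user_add src=198.51.100.9 user=svc_backup role=admin
time=260 event=vpn_login src=192.0.2.44 user=jdoe country=XX
time=300 event=rule_change src=198.51.100.9 rule=LAN-to-WAN-allow-all
time=400 event=vpn_login src=192.0.2.10 user=asmith country=US
"""

FAIL_THRESHOLD = 5           # failures from one source ...
FAIL_WINDOW = 60             # ... within this many seconds
EXPECTED_COUNTRIES = {"US"}  # assumption: where VPN users normally connect from

def parse(line):
    """Turn 'k=v k=v ...' into a dict; 'time' becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = int(fields["time"])
    return fields

def detect(log_text):
    """Return a list of (rule_name, detail) alerts for the given log text."""
    alerts = []
    fails = defaultdict(list)  # src -> timestamps of recent auth failures
    for ev in map(parse, log_text.strip().splitlines()):
        kind, src = ev["event"], ev["src"]
        if kind == "auth_fail":
            # Keep only failures inside the sliding window, then add this one.
            window = [t for t in fails[src] if ev["time"] - t <= FAIL_WINDOW]
            window.append(ev["time"])
            fails[src] = window
            if len(window) == FAIL_THRESHOLD:  # fire once when threshold is hit
                alerts.append(("auth_failure_spike", src))
        elif kind == "user_add" and ev.get("role") == "admin":
            alerts.append(("new_admin_account", ev["user"]))
        elif kind == "vpn_login" and ev.get("country") not in EXPECTED_COUNTRIES:
            alerts.append(("vpn_unexpected_geo", f'{ev["user"]}@{ev["country"]}'))
        elif kind == "rule_change":
            alerts.append(("access_rule_changed", ev["rule"]))
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields four alerts, one per listed condition; the US-origin VPN login at the end produces none.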

Broader context: protecting cloud control planes and APIs

Modern security stacks extend beyond appliances to cloud portals and API services. API brute forcing remains effective where passwords are weak, MFA is absent, or service‑side protections are insufficient. In this case, the impacted share of devices appears limited and there is no sign of public data posting; however, the exposure of configuration backups warrants proactive containment and a reassessment of secret‑management and backup practices.

Organizations should immediately rotate secrets, strengthen MySonicWall access controls, expand monitoring, and validate configurations. Establish a robust backup strategy that limits who and what can access archives, enforces encryption, and subjects API endpoints to strict throttling and lockout policies. Subscribe to SonicWall advisories and government bulletins for updated indicators of compromise and evolving guidance, and conduct tabletop exercises to ensure your incident response can move at the speed of today’s API‑driven attacks.
