SonicWall Backup Breach
- Akshay Jain
- Oct 24
- 3 min read
Updated: Nov 17
TL;DR
SonicWall's MySonicWall cloud backup service suffered unauthorized access to firewall configuration backup files. Initially estimated to impact a small portion of customers, an investigation (with Mandiant) concluded that all customers who used the cloud backup feature had their encrypted configuration backups accessed. These files contain firewall rules, VPN settings, certificates, encrypted credentials and other data that dramatically lowers the work factor for attackers to perform targeted intrusions, VPN compromise, and ransomware deployment. SonicWall and incident responders strongly recommend deleting cloud backups, rotating credentials and keys, and rebuilding trust for affected devices.
Timeline & scope
Mid-September 2025: SonicWall detected suspicious activity against MySonicWall cloud backup infrastructure and announced an incident.
Investigation (with Mandiant): SonicWall completed a forensic investigation and updated its advisory: all customers who used the cloud backup feature had backup files accessed.
Public reporting / vendor commentary: Security press, Huntress, DarkReading, TechRadar and others published analysis and impact statements in early October 2025.
SonicWall serves hundreds of thousands of customers globally, which broadens the potential impact of the breach.

SonicWall Breach - What was exposed?
SonicWall firewall backups typically contain full device configurations used for restore and replication functionalities. Key elements include:
Firewall rules and NAT mappings: It reveals allowed ingress/egress and DMZ boundaries.
VPN configurations: IPsec/IKE settings, peer endpoint addresses, and tunnel identifiers.
Pre-shared keys and passphrases
Certificates and certificate metadata: Client/server certificates (often the certificate itself; the private key is not always included).
Administrative user lists and privilege mappings: Usernames and roles (passwords may be encrypted but metadata helps attackers enumerate targets).
Although SonicWall states that the files were encrypted at rest, an actor who holds the encrypted blobs and has sufficient time and resources, or who can exploit weaknesses in the key-management process, can attempt to extract secrets.
Even without immediate decryption, the attacker gains reconnaissance value: network architecture, public endpoint addresses, firewall policy and potential VPN targets.
How can attackers weaponize backup files?
Credential extraction & replay
If PSKs, credentials, or certificates are recoverable, attackers can authenticate to VPN endpoints or management interfaces.
Targeted lateral movement
Firewall rules and NAT info help attackers craft precise lateral movement and port-scanning campaigns that avoid noisy scans.
Ransomware and extortion
With access to network topology and credentials, adversaries can quickly move to high value assets and deploy ransomware or exfiltrate data. Huntress and other vendors reported active compromises of SonicWall VPNs tied to ransomware actors.
Detection & hunting
Because the exposure of backup files is a data leak rather than active code execution, detection focuses on post-exposure indicators and attacker follow-up activity.
High-priority signals:
Unusual management logins to firewalls (new source IPs/countries, logins at odd hours).
New or unexpected VPN connections from endpoints or IPs not previously seen.
Creation of new admin users or changes to critical ACLs/GPOs.
External scanning & targeted probing of internal services mapped in backups.
Use of known exploitation chains against SonicWall devices (monitor for Akira activity or other IoCs).
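As an added example (not part of the original post), the Python hunt below runs the signals listed above over a handful of constructed log lines: successful management logins from a source outside the known baseline or outside business hours, VPN connections from an address a user has never used before, creation of an admin user, and policy changes. The log layout, event names and baseline values are assumptions made for the demonstration; a real deployment would map SonicWall's own syslog field names onto the same parse function and feed the baselines from the weeks before the exposure window.

```python
import re
from datetime import datetime, time

# Constructed sample log lines in a simplified "timestamp host key=value ..." layout
# (an assumption for this example; real SonicWall syslog uses its own key=value field
# names, which a production parser would map onto the same event/user/src fields).
SAMPLE_LOGS = """\
2025-10-01T09:12:05 fw01 event=admin_login user=admin src=10.20.0.15 result=success
2025-10-01T09:40:11 fw01 event=vpn_connect user=jsmith src=203.0.113.45 result=success
2025-10-02T03:17:48 fw01 event=admin_login user=admin src=198.51.100.77 result=success
2025-10-02T03:19:02 fw01 event=admin_add user=admin target=svc_backup role=full_admin
2025-10-02T03:21:40 fw01 event=policy_change user=svc_backup object=access_rule action=add
2025-10-02T03:25:30 fw01 event=vpn_connect user=jsmith src=198.51.100.78 result=success
2025-10-02T10:05:00 fw01 event=admin_login user=admin src=10.20.0.15 result=success
"""

# Baselines a defender builds from activity before the exposure window (constructed values).
KNOWN_MGMT_SOURCES = {"10.20.0.15"}
KNOWN_VPN_SOURCES = {"jsmith": {"203.0.113.45"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local window in which admin activity is expected

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["host"] = m.group("host")
    return fields


def hunt(log_text, known_mgmt=KNOWN_MGMT_SOURCES, known_vpn=KNOWN_VPN_SOURCES):
    """Return findings as (signal, timestamp, detail) tuples in log order."""
    findings = []
    # Copy the VPN baseline so a newly seen source is flagged once per user, not on every login.
    seen_vpn = {user: set(srcs) for user, srcs in known_vpn.items()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "event" not in ev:
            continue
        ts, kind = ev["ts"], ev["event"]
        off_hours = not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])
        if kind == "admin_login" and ev.get("result") == "success":
            if ev.get("src") not in known_mgmt:
                findings.append(("mgmt_login_new_source", ts, ev["src"]))
            if off_hours:
                findings.append(("mgmt_login_off_hours", ts, ev["src"]))
        elif kind == "vpn_connect" and ev.get("result") == "success":
            prior = seen_vpn.setdefault(ev["user"], set())
            if ev["src"] not in prior:
                findings.append(("vpn_new_source", ts, f'{ev["user"]} from {ev["src"]}'))
                prior.add(ev["src"])
        elif kind == "admin_add":
            findings.append(("admin_user_created", ts, f'{ev["target"]} ({ev.get("role", "?")})'))
        elif kind == "policy_change":
            findings.append(("policy_change", ts, f'{ev.get("object")} {ev.get("action")} by {ev["user"]}'))
    return findings


if __name__ == "__main__":
    for signal, ts, detail in hunt(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {signal:24} {detail}")
```

On the constructed lines the hunt reports five findings, all clustered in the early hours of 2 October: a management login from a source not in the baseline, the same login outside business hours, a new full-admin account, an access-rule change made by that account, and a VPN connection for an existing user from an address never seen before. That sequence is the shape of follow-on activity the section describes, which is why the individual signals are worth correlating by time rather than alerting on in isolation.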
Incident response & remediation workflow
Contain & Identify
Identify which devices used MySonicWall backups. SonicWall provided guidance and tools for customers to enumerate impacted devices.
Assume compromise of credentials & keys
Rotate all firewall-related credentials and API keys, including admin accounts, VPN PSKs, shared secrets, LDAP service accounts, etc.
Revoke and replace certificates
Reissue any certificates used for VPN or management tunnels where private keys might have been stored or referenced.
Hunt for follow-on activity
Use the SIEM to search for lateral movement (pass-the-hash, RDP, SMB anomalies) around the timeframe of the access. Huntress and others have warned of subsequent compromises following VPN/edge breaches.
Post-incident reporting and user notification
Notify stakeholders, customers (if you’re an MSP), and regulators as required by law and contracts.
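As an added example (not part of the original post or any SonicWall tooling), the Python below ties the "what was exposed" list to the rotation and certificate-reissue steps above. It walks a constructed, decoded representation of a configuration backup, lists every secret-bearing field that must be rotated and every certificate that must be reissued because its private key could have been in the export, extracts the reconnaissance an attacker gets without decrypting anything (VPN peers and WAN-reachable hosts), and produces a redacted copy that can be attached to a ticket. The backup structure, field names and the "ENC:" marker are assumptions; a real SonicWall export is a proprietary encoded format and would need its own decoder in front of this walk.

```python
import copy
import re

# Constructed, simplified representation of a decoded firewall configuration backup.
# Assumption: a real SonicWall export is a proprietary encoded format; this dict stands
# in for its decoded contents so the walk below runs offline. "ENC:" marks a value the
# appliance stored encrypted (a constructed marker, not the vendor's format).
SAMPLE_BACKUP = {
    "admin_users": [
        {"name": "admin", "role": "full_admin", "password": "ENC:7f3a..."},
        {"name": "auditor", "role": "read_only", "password": "ENC:91bc..."},
    ],
    "vpn": {
        "ipsec": [
            {"name": "site-to-site-hq", "peer": "198.51.100.10", "psk": "ENC:a1b2..."},
            {"name": "partner-link", "peer": "203.0.113.9", "psk": "ENC:c3d4..."},
        ],
        "ssl_vpn": {"server_cert": "sslvpn-2024", "radius_shared_secret": "ENC:e5f6..."},
    },
    "ldap": {
        "server": "ldap.corp.example",
        "bind_dn": "cn=svc-fw,ou=svc,dc=corp,dc=example",
        "bind_password": "ENC:0011...",
    },
    "certificates": [
        {"name": "sslvpn-2024", "has_private_key": True, "subject": "CN=vpn.corp.example"},
        {"name": "corp-root-ca", "has_private_key": False, "subject": "CN=Corp Root CA"},
    ],
    "access_rules": [
        {"from": "WAN", "to": "LAN", "dst": "10.20.5.10", "port": 3389, "action": "allow"},
        {"from": "WAN", "to": "DMZ", "dst": "10.20.9.4", "port": 443, "action": "allow"},
    ],
}

# Field names that carry a secret even when the stored value is encrypted.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|psk|pre_?shared|shared_secret|secret|private_key|api_key)", re.I
)


def _walk(node, path=""):
    """Yield (path, key, value, parent_dict) for every dict entry, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value, node
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def inventory_secrets(backup):
    """List every item to rotate or reissue once the backup is assumed exposed."""
    items = []
    for path, key, value, _ in _walk(backup):
        if isinstance(value, str) and SECRET_KEY_RE.search(key):
            items.append({"path": path, "action": "rotate"})
    # Certificates are reissued only where the export could have carried the private key.
    for i, cert in enumerate(backup.get("certificates", [])):
        if cert.get("has_private_key"):
            items.append({"path": f"certificates[{i}]", "action": "reissue", "name": cert["name"]})
    return items


def exposed_network_facts(backup):
    """Reconnaissance the file yields without any decryption: peers and published hosts."""
    peers = sorted(t["peer"] for t in backup.get("vpn", {}).get("ipsec", []))
    published = sorted(
        {r["dst"] for r in backup.get("access_rules", [])
         if r.get("from") == "WAN" and r.get("action") == "allow"}
    )
    return {"vpn_peers": peers, "wan_reachable_hosts": published}


def redact(backup):
    """Return a deep copy with secret values replaced, safe to share in a ticket."""
    scrubbed = copy.deepcopy(backup)
    for _, key, value, parent in _walk(scrubbed):
        if isinstance(value, str) and SECRET_KEY_RE.search(key):
            parent[key] = "<redacted>"  # updating an existing key is safe during iteration
    return scrubbed


if __name__ == "__main__":
    for item in inventory_secrets(SAMPLE_BACKUP):
        print(f'{item["action"]:8} {item["path"]}')
    print(exposed_network_facts(SAMPLE_BACKUP))
```

On the constructed backup this yields six items to rotate (two admin passwords, two IPsec PSKs, the RADIUS shared secret and the LDAP bind password) and one certificate to reissue, while the hosts and peers it lists are the ones whose logs deserve the closest attention during the hunt, since an attacker reading the same file already knows they exist.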
Even when encrypted at rest, the sheer information content of firewall backups (topology, NAT, VPN endpoints, policy intent) converts a lengthy reconnaissance phase into a short mapping exercise for attackers. That accelerates attacks and increases the probability of successful ransomware, espionage, or supply chain compromises. Organizations using MySonicWall cloud backup must treat these exposures as high urgency: rotate secrets, delete cloud backups, rebuild trust, and assume targeted follow-on activity will arrive.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!
-AJ