SonicWall has disclosed a data breach affecting its MySonicWall cloud backup service, exposing firewall configuration backups for every customer who used the feature. SonicWall initially reported that just 5% of the user base was affected but has since confirmed that 100% of cloud backup users were impacted. The company confirmed the incident following an investigation with Mandiant and has published an official advisory urging immediate credential resets and configuration reviews.
While encrypted, the leaked backups contain sensitive details, including network topology, access rules, and service credentials, that could give threat actors valuable intelligence about affected environments. This incident highlights the downstream risk of third-party configuration storage and underscores the need for rapid remediation across all SonicWall-managed networks.
Breach Details
The breach occurred after unauthorized access to SonicWall’s cloud backup environment, which stored configuration export files (EXP files) for customer firewalls. These files include device settings, VPN definitions, and encrypted credentials. Relying solely on vendor backups can be risky: organizations often delay or fail to act promptly after vendor disclosures, leaving restored configurations vulnerable or incomplete during urgent recovery.
Be aware that older devices (Generation 6 and earlier) use less secure encryption for their backups than the stronger protection found on Gen 7 and newer devices. While there is no definitive proof of data misuse, exposed configuration files could provide attackers with sensitive information about your network defenses.
ACA’s Guidance
To protect your environment and limit potential impact, ACA recommends the following steps in alignment with SonicWall’s official guidance:
- Check for impacted devices via MySonicWall: Log into MySonicWall and navigate to ‘Product Management -> Issue List’. If any pending actions are shown, follow the ‘Essential Credential Reset’ steps, prioritizing active, internet-facing firewalls.
- Comprehensive credential and key reset: Immediately reset all stored credentials and keys across affected devices, including passwords for all local and external authentication users, temporary access codes (TOTP), VPN shared secrets, WAN interface passwords, and the Cloud Secure Edge (CSE) and any other API keys. For more info, refer to the official security bulletin.
- Rebuild or sanitize configurations: Do not re-use existing configurations. Instead, rebuild or sanitize them thoroughly before re-applying them to production devices to remove any malicious code or non-standard settings.
- Restrict remote management and enforce MFA: Limit remote management access (HTTP/S, SSH) from the WAN and enforce multi-factor authentication (MFA) for all administrative interfaces.
- Apply security updates: Ensure all devices are running the latest patched software for MySonicWall to address vulnerabilities such as CVE-2024-40766, which has been linked to this breach.
- Monitor firewall and VPN logs: Actively monitor all firewall and VPN logs for unauthorized access attempts or suspicious configuration changes to detect and respond to any lingering threats.
- Exercise backup and recovery precautions: Enable third‑party backups, take regular manual snapshots, and securely document firewall configurations so you can rapidly rebuild or restore systems during urgent remediation.
- Follow official guidance: Continue to adhere to SonicWall’s official incident advisory for ongoing updates and guidance throughout the remediation process.
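As an added illustration of the log-monitoring step above (example code written for this post, not a SonicWall tool), the script below parses SonicWall-style key=value syslog lines and flags three things a defender would want to review after a backup exposure: administrator logins from outside the expected management network, any configuration change, and repeated failed administrator logins. The sample lines, the field names (src, usr, msg) and the management network are constructed assumptions; check them against your firmware's log reference before using this in production.

```python
"""Flag risky admin and config events in SonicWall-style key=value syslog.

Sample lines are constructed for this example. Field names (src, usr, msg)
and the management network are assumptions, not confirmed SonicOS values.
"""
import ipaddress
import re
from collections import Counter

# key=value tokens; values may be double-quoted and contain spaces.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Networks from which administrative access is expected (assumed).
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SAMPLE_LOGS = [  # constructed sample lines
    'id=firewall time="2025-10-20 09:12:01" pri=6 msg="Successful administrator login" usr="admin" src=10.0.5.20:51000',
    'id=firewall time="2025-10-20 09:14:33" pri=6 msg="Successful administrator login" usr="admin" src=198.51.100.77:44120',
    'id=firewall time="2025-10-20 09:15:02" pri=5 msg="Configuration changed" usr="admin" src=198.51.100.77:44120',
    'id=firewall time="2025-10-20 09:16:10" pri=4 msg="Administrator login failed" usr="backupadmin" src=203.0.113.9:50001',
    'id=firewall time="2025-10-20 09:16:12" pri=4 msg="Administrator login failed" usr="backupadmin" src=203.0.113.9:50002',
    'id=firewall time="2025-10-20 09:16:14" pri=4 msg="Administrator login failed" usr="backupadmin" src=203.0.113.9:50003',
]

def parse(line):
    """Split one syslog line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def src_ip(fields):
    """Source address without the port (IPv4 host:port form assumed)."""
    return ipaddress.ip_address(fields.get("src", "0.0.0.0").split(":")[0])

def is_mgmt(ip):
    return any(ip in net for net in MGMT_NETS)

def find_alerts(lines, fail_threshold=3):
    """Return (kind, time, source_ip, user) tuples for events worth review."""
    alerts, failures = [], Counter()
    for line in lines:
        f = parse(line)
        msg, ip, usr = f.get("msg", "").lower(), src_ip(f), f.get("usr")
        if "login" in msg and "fail" in msg:
            failures[(ip, usr)] += 1
            if failures[(ip, usr)] == fail_threshold:  # alert once per burst
                alerts.append(("brute_force", f["time"], str(ip), usr))
        elif "administrator login" in msg and not is_mgmt(ip):
            alerts.append(("admin_login_outside_mgmt", f["time"], str(ip), usr))
        if "configuration changed" in msg:
            alerts.append(("config_change", f["time"], str(ip), usr))
    return alerts
```

Feed the script your firewall's exported syslog instead of SAMPLE_LOGS and tune MGMT_NETS and fail_threshold to your environment.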
ACA Can Help
ACA Aponix helps firms strengthen their cybersecurity programs to mitigate risks from vulnerabilities. Our services include:
- Aponix Protect is a comprehensive solution that helps you implement a robust patch management process, ensuring vulnerabilities like these are identified and remediated before they can be exploited.
- ACA Vantage for Cyber provides targeted cyber health insights for portfolio companies, focusing on areas like patch management and vulnerability remediation. Combining expert advisory, ComplianceAlpha technology, and RealRisk assessments, it helps pinpoint where additional support is needed to strengthen defences and maintain operational resilience.
- Our Firewall Config Assessment reviews the client’s firewall configurations to identify misconfigurations and security flaws that could permit unauthorized access, reducing breach risk and strengthening network defences.
Contact us to find out how we can help secure your firm against cyber threats and comply with regulatory expectations.