Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said. It also noted that it's working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices.

https://lnkd.in/gRm9HJyx
SonicWall Cloud Firewall Backups Hacked, Urgent Security Checks Advised
-
SonicWall Confirms That Hackers Stole All Customers Firewall Configuration Backup Files

SonicWall has confirmed that an unauthorized party accessed and stole the entire repository of customer firewall configuration backup files from its cloud service. The confirmation comes after the completion of an investigation with the cybersecurity firm Mandiant, which determined that all customers who used the cloud backup feature are affected by the breach. The investigation revealed that threat actors successfully exfiltrated .EXP files, which are complete snapshots of a firewall’s configuration data.

https://lnkd.in/edJBFFBG
-
🔐 State-Sponsored Breach at SonicWall: A Wake-Up Call for Cloud Trust and Configuration Hygiene

This week, SonicWall confirmed that a state-sponsored threat actor was behind the September breach that compromised all firewall configuration files stored in its cloud backup service. The implications ripple far beyond one vendor:

🎯 Scope of Impact: Initially reported as affecting <5% of customers, the breach was later revealed to include all firewall preference files stored in the cloud—containing encrypted credentials and configuration data.
🧩 Attack Vector: The intrusion was executed via unauthorized API access to a specific cloud environment—not a product vulnerability, but a cloud-side exposure.
🛡️ No Product Compromise: SonicWall emphasized that no firmware, source code, or customer networks were breached. The attack was isolated to cloud backups.
🧠 Mandiant Attribution: The investigation, led by Mandiant, confirmed the actor was state-sponsored, underscoring the geopolitical stakes of infrastructure security.
🚨 Mitigation Urged: SonicWall advised all customers to reset passwords and verify backup exposure via MySonicWall.com. The stolen data could enable targeted follow-on attacks.
🔄 Not Linked to Akira Ransomware: SonicWall clarified this breach is unrelated to recent Akira ransomware activity targeting its edge devices.

💬 Why this matters: Cloud backups are often treated as “set-and-forget.” This breach shows they’re prime targets—especially when they store configuration blueprints. API security and least-privilege access must be continuously audited—not just for production systems, but for backup and recovery infrastructure. For MSPs, healthcare orgs, and public sector entities, this is a call to revisit cloud trust boundaries and credential lifecycle hygiene.

🔎 As we harden our defenses, let’s also ask:
Are our backups encrypted at rest and in transit—and are the keys managed securely?
Do we treat configuration files with the same sensitivity as PII or PHI?
Are we prepared to detect and respond when the cloud itself becomes the attack surface?

#CyberSecurity #CloudSecurity #MSP #InfoSec #ZeroTrust #Governance #InfrastructureResilience #SonicWall #Mandiant #CredentialHygiene #StateSponsoredThreats #APISecurity #BackupSecurity #Leadership #RiskManagement

Article Link - https://lnkd.in/g6UtVSw4
-
⚠️ SonicWall Breach Attributed to Nation-State Actor

SonicWall has confirmed that a state-sponsored threat actor was behind the attack that compromised its cloud backup service, exposing customers’ firewall configuration files -- a potential goldmine of sensitive network data. The company, working with Mandiant (part of Google Cloud), reports the intrusion is contained and unrelated to recent Akira ransomware activity targeting SonicWall devices. Still, the stolen configurations could include encrypted credentials, routing data, and firewall rules -- information invaluable to advanced threat actors.

While SonicWall insists its core systems and source code were untouched, the breach highlights a recurring theme: supply-chain and vendor-level vulnerabilities remain some of the most critical risks in modern cybersecurity. Nation-state operations increasingly blur the line between espionage and disruption. This latest incident is another reminder that even cybersecurity vendors are not immune, and must hold themselves to the same rigorous standards they expect from their customers.

#CyberSecurity #NationStateThreats #InfoSec #SonicWall #SupplyChainSecurity #VulnerabilityManagement #Mandiant #Ransomware #CyberDefense #NationalSecurity
-
In September 2025, SonicWall confirmed that its entire cloud backup environment was compromised in a sophisticated cyberattack attributed to a state-sponsored threat actor. The breach allowed unauthorized downloads of all customer firewall configuration backups, which contained both encrypted credentials and unencrypted configuration data. While the encrypted data remains protected, the exposed unencrypted information could enable attackers to identify and exploit vulnerable firewalls. Although SonicWall stated that its firmware, source code, and customer networks were not directly affected, the scope of the compromise underscores the severe risks posed when sensitive configuration and telemetry data are centralized in the cloud.
-
SonicWall has officially attributed a security breach in September to state-sponsored threat actors, resulting in the unauthorized exposure of firewall configuration backup files. The breach specifically targeted cloud backup files accessed via an API call, with no impact on the company's products, firmware, or other systems. SonicWall engaged Mandiant, a Google-owned cybersecurity firm, to investigate the incident, which was isolated to a specific cloud environment.

The breach affected less than 5% of SonicWall's customers who used the cloud backup service. However, SonicWall clarified that the incident is not related to the ongoing Akira ransomware attacks that have been targeting firewalls and edge devices. Although the company did not identify the responsible nation-state or provide clear links to a specific known threat actor or group, it emphasized that the breach was limited to backup files and did not compromise other systems or services.

As a result of the breach, SonicWall has taken corrective measures as recommended by Mandiant, including hardening its network and cloud infrastructure. It also committed to bolstering its security posture in response to increasing nation-state targeting of edge security providers, particularly those serving SMBs and distributed environments.

SonicWall has urged customers to log into MySonicWall.com to check their devices and reset credentials for any impacted services. The company also released tools to help customers identify affected services and perform necessary security tasks, including resetting credentials. SonicWall aims to continue enhancing its security to maintain its position as a trusted leader for its partners and their SMB customers.

https://lnkd.in/e2U_rfuc
-
SonicWall Confirms State-Sponsored Actor Breach

Here is an update released from SonicWall. After initiating their incident response process, they quickly called in an expert IR firm. The Mandiant (part of Google Cloud) investigation is complete and confirmed that a state-sponsored actor removed cloud backup files in September. The article explains the process and some hints at a trend in the industry.

"nation-state–backed threat actors increasingly target edge security providers, especially those serving SMB and distributed environments"

Three key takeaways:
1. Have an incident response process. SonicWall has been in the game awhile, they probably had a good IR team and still called in the experts.
2. Who you gonna call, GHOSTBUSTERS!!!! Know who is on your short list to call when you have a bad day.
3. Edge devices are critical terrain that are being attacked every day. Increase logging, technical controls, and apply patches rapidly.

https://lnkd.in/eHA4eNYi

#cybersecurity #networkdefense #ciso #vciso Entoo Security #vulnerabilitymanagement
-
SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach

SonicWall has formally implicated state-sponsored threat actors as behind the September security breach that led to the unauthorized exposure of firewall configuration backup files. "The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call," the company said in a statement released this week. "The incident is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices." SonicWall, however, did not disclose which country was behind the incident or provide any indicators linking it to any known threat actor or group.

https://lnkd.in/ddAyxWZf
-
State-sponsored hackers exploited a vulnerability in SonicWall's cloud backup service, exposing firewall configuration files and enabling potential access credential theft. This breach puts customer networks at risk of unauthorized access and lateral movement. Organizations must immediately review and reset all SonicWall MySonicWall account credentials and firewall configurations to mitigate potential compromise. 🔒⚠️ #cybersecurity #databreach #hacking #vulnerability https://lnkd.in/gEzJ26Y5
-
SonicWall SSLVPN Under Attack Following the Breach of All Customers' Firewall Backups

A surge in attacks is targeting SonicWall SSLVPN devices, affecting numerous customer networks, just weeks after a major breach exposed sensitive firewall data. Starting October 4, 2025, threat actors have rapidly authenticated into over 100 accounts across 16 environments, using what appear to be stolen valid credentials rather than brute-force methods. Huntress, a cybersecurity firm, reported the widespread compromise, noting the speed and scale suggest credential stuffing attacks leveraging data from the earlier breach.

SonicWall disclosed on September 29 that unauthorized access hit encrypted backups for all Cloud Backup and Recovery Service users, potentially exposing configs and keys. While encryption protects the files, decryption risks loom for targeted follow-ups. SonicWall urges credential resets, device scans via MySonicWall, and assessment tools. The incident echoes prior MySonicWall exposures, amplifying urgency for VPN hardening amid rising remote access threats.

https://lnkd.in/eAX_DkWD
-
State-sponsored threat actors exploited a vulnerability in SonicWall's cloud backup service, exposing firewall configuration files and potentially enabling further attacks. This breach puts SMBs at risk of network compromise and data exfiltration. Organizations must immediately review their SonicWall configurations, reset credentials, and utilize the provided tools to mitigate potential compromise. 💥🔒 #cyberattack #cybersecurity #databreach #hacking https://lnkd.in/dnkX8EMz