Full Report
The security vendor’s customers have confronted a barrage of actively exploited defects since 2021. The brute-force attack on a company-controlled system underscores that broader security pitfalls are afoot. The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.
Analysis Summary
# Incident Report: Massive Exposure of All Customer Firewall Configurations via Brute-Force Attack
## Executive Summary
An unidentified threat actor successfully executed a brute-force attack against SonicWall’s customer cloud portal, resulting in unauthorized access to the firewall configuration backup files of every customer utilizing the cloud backup service. The compromise exposed sensitive operational data, including firewall rules, routing configurations, and encrypted credentials. SonicWall has confirmed the breach, notified impacted customers, and engaged Mandiant for investigation and remediation, highlighting weaknesses in their access control mechanisms.
## Incident Details
- **Discovery Date:** Date not explicitly stated, but disclosure occurred on Wednesday (October 9, 2025, based on article date).
- **Incident Date:** Occurred sometime prior to September 17, 2025 (when the scope was first revised).
- **Affected Organization:** SonicWall
- **Sector:** Cybersecurity / Network Security Vendor
- **Geography:** Headquarters in Milpitas, California (Global customer base affected).
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but occurred prior to revisions made as of September 17th.
- **Vector:** Brute-force attack targeting a customer-facing system (MySonicWall.com cloud portal).
- **Details:** Attackers exploited inadequate controls around public APIs and a lack of rate limiting to systematically attempt credential combinations against user accounts.
### Lateral Movement
- **Details:** Attackers accessed and downloaded backup configuration files stored on the cloud service. The description focuses on the scale of data accessed rather than internal network movement post-initial access.
### Data Exfiltration/Impact
- **Details:** "A treasure trove of sensitive data, including firewall rules, routing configurations and more," as well as **encrypted credentials**, for all customers using the cloud backup service.
### Detection & Response
- **Details:** SonicWall reported the attack and subsequently revised its disclosure multiple times regarding the scope before confirming the breach impacted *all* customers using the cloud backup service.
- **Response actions taken:** Notified all impacted customers, released tools for detection and remediation, and encouraged customers to review their MySonicWall.com platform exposure.
## Attack Methodology
- **Initial Access:** Brute-force attack against the cloud portal/API.
- **Persistence:** Not detailed, but implied that access allowed for data retrieval.
- **Privilege Escalation:** Not detailed in this specific incident, though the context mentions a history of vulnerabilities used in ransomware campaigns.
- **Defense Evasion:** Not explicitly detailed, but the success of the brute-force attack suggests poor implementation of anti-automation/rate-limiting controls.
- **Credential Access:** Access to encrypted credentials within the configuration backups.
- **Discovery:** Attackers surveyed stored customer backup files.
- **Lateral Movement:** Implied movement to the storage location of the configuration backups within the cloud environment.
- **Collection:** Retrieval of configuration files.
- **Exfiltration:** Download of configuration files and credentials.
- **Impact:** Compromise of sensitive network security policy details and usable credentials for future attacks.
## Impact Assessment
- **Financial:** Not disclosed (costs would include remediation, investigation, and potential customer churn).
- **Data Breach:** Configuration backup files for all customers utilizing the cloud backup service. Included firewall rules, routing configurations, and encrypted passwords.
- **Operational:** Managed through immediate notification and remediation assistance provided to customers.
- **Reputational:** Significant due to prior security issues; the incident reignited criticism regarding fundamental security practices (like rate limiting).
## Indicators of Compromise
- **Network indicators:** Not available; the disclosure describes the interaction with the service rather than specific external IP addresses.
- **File indicators:** Firewall configuration backup files retrieved.
- **Behavioral indicators:** High volume of login attempts targeting the MySonicWall.com portal (consistent with brute-force activity).
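The behavioural indicator above (a high volume of login attempts against the portal) is the one signal a defender can actually hunt for. The following is an added example, not code from the report or from SonicWall, that flags brute-force and password-spraying behaviour in authentication logs. The log format, the account names, the IP addresses and the thresholds are all constructed assumptions for illustration; real portal logs will differ.

```python
"""Added example (not from the report or SonicWall): flag brute-force login
behaviour in authentication logs. The log format, account names, IP addresses
and thresholds are constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _stamp(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_sample_log():
    """Constructed sample log, one line per login attempt (hypothetical format):
    '<UTC timestamp> <OK|FAIL> <account> <source IP>'."""
    base = datetime(2025, 9, 10, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Noisy source: 30 failures spread across 15 accounts in under a minute.
    for i in range(30):
        lines.append(f"{_stamp(base + timedelta(seconds=2 * i))} FAIL user{i % 15}@example.com 203.0.113.10")
    # Benign source: one typo, then a successful login a minute later.
    lines.append(f"{_stamp(base + timedelta(minutes=3))} FAIL alice@example.com 198.51.100.7")
    lines.append(f"{_stamp(base + timedelta(minutes=4))} OK alice@example.com 198.51.100.7")
    return lines


def parse_line(line):
    ts, result, account, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), result, account, ip


def detect_brute_force(lines, window=timedelta(minutes=5), fail_threshold=20, account_threshold=10):
    """Return {source_ip: finding} for sources matching the report's behavioural
    indicator: many failed logins in a short window, or one source probing many
    distinct accounts (password spraying)."""
    failures = defaultdict(list)   # ip -> failure timestamps
    accounts = defaultdict(set)    # ip -> distinct accounts attempted
    for line in lines:
        ts, result, account, ip = parse_line(line)
        accounts[ip].add(account)
        if result == "FAIL":
            failures[ip].append(ts)

    findings = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over failure times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        reasons = []
        if peak >= fail_threshold:
            reasons.append(f"{peak} failed logins within {window}")
        if len(accounts[ip]) >= account_threshold:
            reasons.append(f"{len(accounts[ip])} distinct accounts targeted")
        if reasons:
            findings[ip] = {"peak_failures": peak, "distinct_accounts": len(accounts[ip]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_brute_force(make_sample_log()).items():
        print(ip, "->", "; ".join(finding["reasons"]))
```

The two thresholds catch different shapes of the same problem: the failure count in a sliding window catches a single source hammering one or a few accounts, while the distinct-account count catches low-and-slow spraying that never trips a per-account lockout. Both are computed per source, which is why the report's lack of external IP indicators matters: without source attribution in the portal logs, this kind of detection is not possible after the fact.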
## Response Actions
- **Containment measures:** Implemented additional security hardening measures on the cloud infrastructure.
- **Eradication steps:** Security experts (Mandiant) engaged to improve security of the cloud infrastructure and monitoring systems.
- **Recovery actions:** Notification sent to all impacted customers; tools released to assist with detection and remediation.
## Lessons Learned
- **Key takeaways:** Reliance on brute-forceable mechanisms on customer-facing portals without adequate controls (like rate limiting) represents a critical vulnerability. Encrypted credentials are only as secure as the encryption scheme and the difficulty of offline cracking.
- **What could have been done better:** Implementation of stronger, basic programmatic protections like mandatory rate limiting around authentication endpoints and public APIs.
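The "basic programmatic protection" the lessons above call for is a throttle in front of the authentication endpoint. As an added example (not SonicWall's code, and with constructed limits), the class below enforces two independent budgets: a per-source-IP attempt rate, and a per-account failure count that locks the account for a cooling-off period. Time is passed in explicitly so the logic is deterministic; a real deployment would read the clock and keep the state in a shared store rather than in process memory.

```python
"""Added example (not SonicWall's code): a sliding-window login throttle with
per-IP rate limiting and per-account lockout. All limits are constructed
defaults for illustration."""
from collections import defaultdict, deque


class LoginThrottle:
    """Two budgets are enforced before a password is ever checked:
      - per source IP: at most ip_limit attempts per window, whatever accounts
        are targeted (stops one client hammering the endpoint or spraying);
      - per account: at most account_limit failures per window, after which the
        account is locked for lock_seconds (stops distributed guessing).
    Timestamps are plain seconds supplied by the caller."""

    def __init__(self, window=60, ip_limit=10, account_limit=5, lock_seconds=900):
        self.window, self.ip_limit = window, ip_limit
        self.account_limit, self.lock_seconds = account_limit, lock_seconds
        self.ip_attempts = defaultdict(deque)       # ip -> attempt timestamps
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}                      # account -> unlock time

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def check(self, ip, account, now):
        """Return (allowed, reason); call before verifying the credential."""
        if self.locked_until.get(account, 0) > now:
            return False, "account_locked"
        dq = self.ip_attempts[ip]
        self._prune(dq, now)
        if len(dq) >= self.ip_limit:
            return False, "ip_rate_limited"
        dq.append(now)  # every attempt counts against the IP budget, success or not
        return True, "ok"

    def record_failure(self, ip, account, now):
        """Call after a wrong credential; returns True if the account just locked."""
        dq = self.account_failures[account]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= self.account_limit:
            self.locked_until[account] = now + self.lock_seconds
            dq.clear()
            return True
        return False

    def record_success(self, account):
        self.account_failures.pop(account, None)


def simulate_abuse(throttle, ip, accounts, start=0.0, step=1.0):
    """Replay a run of wrong-credential attempts from one source, one per step
    seconds, and summarise how many reached the credential check."""
    allowed = denied = 0
    reasons = []
    for i, account in enumerate(accounts):
        now = start + i * step
        ok, reason = throttle.check(ip, account, now)
        if ok:
            allowed += 1
            throttle.record_failure(ip, account, now)  # the credential was wrong
        else:
            denied += 1
            reasons.append(reason)
    return {"allowed": allowed, "denied": denied, "first_denial": reasons[0] if reasons else None}


if __name__ == "__main__":
    print("one account :", simulate_abuse(LoginThrottle(), "203.0.113.10", ["victim"] * 20))
    print("many accounts:", simulate_abuse(LoginThrottle(), "203.0.113.10", [f"user{i}" for i in range(20)]))
```

Note that the IP budget counts successful attempts too, so a correct login does not reset it, and that the account lockout is keyed on the account rather than the source, so failures from many IPs still accumulate. Both properties are what make the per-IP and per-account limits complementary rather than redundant.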
## Recommendations
- Immediately enforce strict rate limiting and multi-factor authentication (MFA) on all customer-facing portals, especially those handling sensitive system configurations.
- Review and strengthen the encryption and hashing standards for all stored credentials so that they resist offline cracking even when the encrypted value or hash itself has been obtained.
- Increase proactive threat hunting and monitoring specifically targeting bulk data retrieval patterns from cloud backup repositories.
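The lesson that "encrypted credentials are only as secure as the encryption scheme and the difficulty of offline cracking" and the recommendation to make stored credentials resist offline cracking both come down to the cost of one guess. The following is an added example, not SonicWall's code, showing a salted, memory-hard scrypt record beside the fast unsalted hash it replaces; the cost parameters and the sample secrets are constructed assumptions.

```python
"""Added example (not SonicWall's code): storing a credential verifier so that a
leaked record still resists offline guessing. Cost parameters are constructed
assumptions; tune them to your hardware and latency budget."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed scrypt cost: work factor 2**14, 16 MiB of memory, single lane.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$digest' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(digest)])


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(secret.encode(), salt=base64.b64decode(salt_b64),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    return algo == "scrypt" and hmac.compare_digest(candidate, expected)


def legacy_hash(secret: str) -> str:
    """Unsalted single SHA-256: fast and salt-free, so cheap to guess against offline."""
    return hashlib.sha256(secret.encode()).hexdigest()


def relative_guess_cost(samples: int = 3) -> float:
    """Factor by which one scrypt verification is slower than one SHA-256, i.e.
    how much the slow scheme multiplies an offline guesser's cost per candidate."""
    record = hash_secret("correct horse battery staple")
    t0 = time.perf_counter()
    for _ in range(samples):
        verify_secret("not the secret", record)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        legacy_hash("not the secret")
    fast = (time.perf_counter() - t0) / (samples * 1000)
    return slow / fast


if __name__ == "__main__":
    rec = hash_secret("vpn-psk-example")
    print(rec)
    print("verify ok :", verify_secret("vpn-psk-example", rec))
    print("verify bad:", verify_secret("vpn-psk-exampl", rec))
    print(f"scrypt is ~{relative_guess_cost():.0f}x costlier per guess than bare SHA-256")
```

The per-record salt means two customers with the same password get different records, so a leak of every record cannot be attacked with one precomputed table, and the embedded parameters let the cost be raised later without breaking existing records. A verifier like this suits portal passwords; secrets that a firewall must recover in cleartext (VPN pre-shared keys, for instance) instead need reversible encryption under a key that is itself derived this slowly and held by the customer, not stored beside the backup.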