
SonicWall Cloud Backup Compromise & Ongoing SSLVPN Exploitation


Filip Dimitrov

September 23, 2025

Threat actors gained access to MySonicWall cloud backup preference files after brute-forcing the vendor’s portal. These files, although encrypted, contain sensitive configuration data such as VPN details and admin credentials, which raises the risk of device compromise. At the same time, researchers have observed ransomware groups, notably Akira, actively exploiting SonicWall SSLVPN appliances to gain initial access.

Read the full SonicWall advisory regarding this incident here.

Incident Overview

  • Scope: Fewer than 5% of SonicWall devices using cloud backups were impacted, but all customers should verify whether their serial numbers are listed as affected.
  • Data exposure: Encrypted credentials, network configurations, and tokens within backup files may aid attackers in targeted intrusions.
  • Exploitation: Beyond the backup incident, SonicWall VPN portals continue to be a high-value target for brute force, credential stuffing, and vulnerability exploitation.

Threat Activity & Tactics

Attackers are using brute-force attempts on MySonicWall.com to exfiltrate backup files. In parallel, exploitation of SSLVPN endpoints has been tied to Akira ransomware campaigns. Once access is obtained, intruders quickly move to create new admin accounts, alter configurations, and in several cases deploy ransomware payloads.

Recommended Response

Immediate steps

  • Log in to MySonicWall and check whether your device’s serial number is listed as impacted.
  • If impacted, isolate the device from management networks and rotate all related credentials (local admin, VPN users, tokens, certificates).
  • Temporarily disable cloud backups until integrity can be confirmed.

Investigation
Review VPN logs for unusual login times, geographies, or ASN ranges. Look for signs of brute force, failed login spikes, or new administrator accounts. Preserve logs for forensic analysis if anomalies are found.

Hardening
Apply the latest SonicWall firmware patches. Restrict SSLVPN and Virtual Office access to trusted IP ranges and enforce MFA, but pair MFA with geo-based or anomaly detection, since MFA alone has been bypassed in some cases.

Detection Guidance

Focus monitoring on:

  • Successful SSLVPN logins from uncommon countries or hosting providers.
  • Brute-force sequences or repeated failed logins against MySonicWall.
  • Recent configuration exports and creation of new admin users.
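The investigation and detection points above come down to a few queries over the authentication and admin-audit logs: failed-login bursts per source, successful logins from unexpected geographies or hosting ranges, and admin-account or config-export events tied back to the source that performed them. The script below is an added example (not SonicWall's or OP Innovate's code) that runs those checks over a handful of constructed log lines. The key=value syslog layout, the event names (`login`, `user_add`, `config_export`), the IP-to-country table and the "expected countries" set are all assumptions for illustration and do not reproduce a real SonicOS message format; in practice you would feed it exported firewall logs and a GeoIP/ASN lookup.

```python
"""Triage SSLVPN-style auth and admin-audit logs for the indicators above.

Added example, not vendor code. Log format, event names, and the
IP-to-country table are constructed for illustration (assumptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed stand-in for a GeoIP/ASN database (assumption).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "198.51.100.7": "RU",
    "192.0.2.55": "US",
    "198.51.100.99": "NL",
}
# Countries this organisation's users normally connect from (assumption).
EXPECTED_COUNTRIES = {"US"}

# Constructed sample lines in a generic key=value syslog style (not SonicOS format).
SAMPLE_LOGS = """\
2025-09-20T01:12:03Z fw1 sslvpn: event=login user=alice src=203.0.113.10 result=success
2025-09-20T01:12:10Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=failure
2025-09-20T01:12:11Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=failure
2025-09-20T01:12:12Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=failure
2025-09-20T01:12:13Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=failure
2025-09-20T01:12:14Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=failure
2025-09-20T01:12:20Z fw1 sslvpn: event=login user=admin src=198.51.100.7 result=success
2025-09-20T01:13:05Z fw1 admin: event=user_add user=svc_backup role=admin by=admin src=198.51.100.7
2025-09-20T01:14:40Z fw1 admin: event=config_export by=svc_backup src=198.51.100.7
2025-09-20T09:30:00Z fw1 sslvpn: event=login user=bob src=192.0.2.55 result=success
2025-09-20T09:31:00Z fw1 sslvpn: event=login user=bob src=192.0.2.55 result=failure
2025-09-20T09:45:00Z fw1 sslvpn: event=login user=carol src=198.51.100.99 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp host facility: k=v k=v ...' line into a dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "host": m["host"], "facility": m["facility"]}
    for tok in m["kv"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def brute_force_sources(records, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside any sliding window."""
    fails = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failure":
            fails[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def successful_after_bruteforce(records, flagged):
    """Highest-priority finding: a success from a source that was brute forcing."""
    return [(r["user"], r["src"], r["ts"].isoformat()) for r in records
            if r.get("event") == "login" and r.get("result") == "success"
            and r["src"] in flagged]


def unexpected_geo_logins(records, expected=EXPECTED_COUNTRIES):
    """Successful logins from countries outside the expected set."""
    out = []
    for r in records:
        if r.get("event") == "login" and r.get("result") == "success":
            country = IP_COUNTRY.get(r["src"], "??")  # unknown IP is also suspicious
            if country not in expected:
                out.append((r["user"], r["src"], country))
    return out


def admin_changes(records):
    """New admin accounts and config exports, with actor and source address."""
    return [(r["event"], r.get("user", "-"), r["by"], r["src"]) for r in records
            if r.get("event") == "config_export"
            or (r.get("event") == "user_add" and r.get("role") == "admin")]


def triage(text):
    records = parse_logs(text)
    bf = brute_force_sources(records)
    return {
        "brute_force": bf,
        "success_after_brute_force": successful_after_bruteforce(records, bf),
        "unexpected_geo": unexpected_geo_logins(records),
        "admin_changes": admin_changes(records),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOGS).items():
        print(f"{name}: {findings}")
```

On the constructed data the source 198.51.100.7 is flagged for five failures in a few seconds, then a successful `admin` login from the same address, followed by a new admin-role user and a configuration export from that account: the exact chain described under Threat Activity. The single failure from `bob` stays below threshold, which is the point of a windowed count rather than alerting on every failed login.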

Stay Safe. Stay Secure.
OP Innovate Research Team
