All news with #sonicwall tag

New SonicWall SonicOS Flaw Lets Attackers Crash Firewalls

⚠️ SonicWall has released patches for a high-severity SonicOS SSLVPN vulnerability (CVE-2025-40601) that can trigger a stack-based buffer overflow and remotely crash Gen7 and Gen8 firewalls. The company says the flaw allows a remote unauthenticated attacker to cause a DoS but reports no active exploitation or public PoC. Fixed versions are 7.3.1-7013+ for Gen7 and 8.0.3-8011+ for Gen8; admins unable to patch should disable SSLVPN or restrict access.

Hijacked VPN Credentials Drive Half of Ransomware Access

🔐 Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups — Akira, Qilin and INC Ransomware — responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.

Akira ransomware linked to $244M in illicit proceeds

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

SonicWall: State-Sponsored Hackers Behind September Breach

🔒 SonicWall says a Mandiant-led investigation concluded that state-sponsored actors accessed cloud-stored firewall configuration backup files in September. The company reports the activity was isolated to a specific cloud environment and did not affect SonicWall products, firmware, source code, or customer networks. As a precaution, customers were advised to reset account credentials, temporary access codes, VPN passwords, and shared IPSec secrets. SonicWall also stated there is no connection between the breach and separate Akira ransomware activity.

New SonicWall SSLVPN Compromises Linked to Credentials

🔒 Huntress reports a fresh wave of compromises targeting SonicWall SSLVPN appliances in early October, affecting at least 16 organizations and more than 100 accounts. Attackers are authenticating with valid credentials rather than brute forcing, often from recurring attacker-controlled IPs. Some sessions involved internal reconnaissance and attempts against Windows administrative accounts, but Huntress says it has no evidence linking the activity to September’s MySonicWall cloud backup disclosure. It urges administrators to reset credentials, restrict remote management, review SSLVPN logs, and enable MFA.

SonicWall SSLVPN Accounts Breached With Stolen Credentials

🛡️ Researchers report that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign that began on October 4 and persisted through at least October 10. The attackers appear to be using valid, stolen credentials rather than brute-force methods, and many malicious requests originated from IP 202.155.8[.]73. After authenticating, actors conducted reconnaissance and attempted lateral movement to access numerous local Windows accounts; investigators recommend immediate secret rotation, strict access restrictions, and multi-factor authentication for all admin and remote accounts.

Widespread SonicWall SSL VPN Compromise Hits 100+ Accounts

🔒 Huntress warns of a widespread compromise of SonicWall SSL VPN devices that allowed threat actors to rapidly authenticate into multiple accounts across customer environments. Activity began on October 4, 2025, impacting over 100 VPN accounts across 16 customers, with logins traced to IP 202.155.8[.]73. While some intrusions disconnected quickly, others involved network scanning and attempts to access local Windows accounts. Organizations are urged to reset firewall credentials, restrict WAN management, revoke exposed API keys, monitor logins, and enforce MFA.

SonicWall: Cloud Backup Data Theft Impacts All Users

🔒 SonicWall has confirmed that threat actors stole backup files configured for the MySonicWall cloud backup service, and that the incident affects all customers using the feature. The company says the files contain encrypted credentials and configuration data, which could raise the risk of targeted attacks despite encryption. SonicWall has published an urgency-classified device list and a detailed admin playbook; customers are urged to check devices and apply updates promptly.

Data Leak at SonicWall Impacts All Cloud Backup Customers

🔓On September 17, security vendor SonicWall disclosed that cybercriminals exfiltrated backup files configured for its MySonicWall cloud backup service. The company initially reported the incident affected 'less than five percent' of customers but has since updated that all Cloud Backup users who used the feature are impacted. Stolen files include encrypted credentials and configuration data, which could enable targeted attacks despite encryption. SonicWall has published an affected-device list and a detailed remediation playbook for administrators.

SonicWall: Cloud backup breach exposed all firewall configs

🔒 SonicWall confirmed that unauthorized actors accessed firewall configuration backup files stored in its cloud backup portal, impacting all customers who used the service. The exposed .EXP files contain AES-256-encrypted credentials and other configuration data. Customers should log into MySonicWall to check impacted devices and follow the vendor's Essential Credential Reset checklist, prioritizing internet-facing firewalls.

SonicWall Cloud Firewall Backups Accessed, Urgent Checks

🔐 SonicWall disclosed that an unauthorized party accessed cloud-stored firewall configuration backups for customers using the Cloud Backup service. While the files contain encrypted credentials and configuration data, SonicWall warns that possession of these files could increase the risk of targeted attacks. The company is notifying customers, providing assessment and remediation tools, and urging users to log in and verify their devices immediately.

SonicWall Cloud Backups Accessed in Firewall Breach

🔒 SonicWall has confirmed that an unauthorized actor accessed firewall configuration backup files stored in its cloud backup service for customers. The files include encrypted credentials and device configuration data; while encryption remains in place, SonicWall warned that possession of these backups could increase the risk of targeted attacks. The vendor says access was achieved via brute-force attacks and that suspicious activity was first detected in early September 2025. Working with Mandiant, SonicWall has issued remediation tools, published impacted device lists in the MySonicWall portal, and is notifying affected partners and customers.

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.

Surge in SonicWall SSL VPN Attacks by Akira Actors

🔒 Security experts warn of a sharp increase in activity from Akira ransomware operators targeting SonicWall SSL VPN appliances, with intrusions traced to late July. Arctic Wolf links initial access to exploitation of CVE-2024-40766 and describes rapid credential harvesting that can enable access even to patched devices. Observed traces include hosting-provider-origin VPN logins, internal scanning, Impacket SMB activity and Active Directory discovery; organizations are advised to monitor hosting-related ASNs, block VPS/anonymizer logins and watch for SMB session patterns consistent with Impacket to detect and disrupt attacks early.

Akira Bypasses MFA on SonicWall VPNs via Reused Logins

🔐Akira ransomware operators are successfully authenticating to SonicWall SSL VPN accounts even when one-time password (OTP) multi-factor authentication is enabled. Arctic Wolf links the logins to credentials and OTP seeds harvested via an improper access control flaw tracked as CVE-2024-40766, and notes attackers can reuse those secrets after devices are patched. Once inside, actors rapidly scan internal networks, harvest backup server credentials, and use techniques such as BYOVD to sideload vulnerable drivers and disable protections. Administrators are urged to install the latest SonicOS (recommended 7.3.0) and reset all SSL VPN credentials immediately.

Threatsday Bulletin: Rootkits, Supply Chain, and Arrests

🛡️ SonicWall released firmware 10.2.2.2-92sv for SMA 100-series appliances to add file checks intended to remove an observed rootkit, and moved SMA 100 end-of-support to 31 October 2025. The bulletin also flags an unpatched OnePlus SMS permission bypass (CVE-2025-10184), a GeoServer RCE compromise affecting a U.S. federal agency, and ongoing npm supply-chain and RAT campaigns. Defenders are urged to apply patches, rotate credentials, and enforce phishing-resistant MFA.

SonicWall SMA100 Firmware Removes OVERSTEP Rootkit

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.

SonicWall Advisory After MySonicWall Cloud Backup Incident

🔐 SonicWall released an advisory after identifying unauthorized access to a subset of customer cloud backup preference files stored via the MySonicWall portal. SonicWall’s investigation indicates a threat actor used brute force methods against MySonicWall.com to retrieve preference files that, while containing encrypted credentials, included other device-specific data that could enable access to SonicWall firewall devices. CISA urges customers to log into their accounts to verify exposures and to follow the advisory’s containment and remediation steps immediately.

SonicWall Urges Password Resets After Backup Files Exposure

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in MySonicWall cloud for under 5% of users. Although stored credentials were encrypted, the preference files contained information that could help attackers exploit related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should verify backups, disable remote management and VPN access, reset passwords and TOTPs, review logs, and import the provided randomized preferences file that resets local passwords, TOTP bindings, and IPSec keys.