{"id":4930,"date":"2025-09-18T01:06:07","date_gmt":"2025-09-18T01:06:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4930"},"modified":"2025-09-18T01:06:07","modified_gmt":"2025-09-18T01:06:07","slug":"brute-force-attacks-hitting-sonicwall-firewall-configuration-backups","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4930","title":{"rendered":"Brute force attacks hitting SonicWall firewall configuration backups"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>SonicWall is warning admins that recent brute force attacks on its firewall\u2019s API service for cloud backup could have exposed backup configuration files stored in its cloud portal.<\/p>\n<p>Affected are SonicWall firewalls with preference files backed up to customers\u2019 MySonicWall.com portal, <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/mysonicwall-cloud-backup-file-incident\/250915160910330\" target=\"_blank\" rel=\"noopener\">the company said.<\/a><\/p>\n<p>In response, access to the backup capability has been disabled, and admins are urged to disable or restrict access to the SSLVPN Service and Web\/SSH Management over the WAN, then reset the firewall\u2019s passwords, keys, and secrets.<\/p>\n<p>Note that passwords and keys may also need to be updated elsewhere, such as with an organization\u2019s internet service provider, dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP\/RADIUS server. 
SonicWall offers <a href=\"https:\/\/www.sonicwall.com\/support\/knowledge-base\/essential-credential-reset\/250909151701590\" target=\"_blank\" rel=\"noopener\">full guidance<\/a> on its website.<\/p>\n<p>If a customer has used the cloud backup feature but there are no serial numbers listed in its MySonicWall account, SonicWall will provide additional guidance in the coming days to determine whether its backup files were impacted.<\/p>\n<p>SonicWall said in a statement, \u201cless than 5% of our firewall install base had backup firewall preference files stored in the cloud.\u201d It said it has 500,000 customers, but not all of them run its firewalls. Still, the 5% estimate could translate into thousands of organizations.<\/p>\n<p>\u201cWhile the files contained encrypted passwords,\u201d the SonicWall statement said, \u201cthey also included information that could make it easier for attackers to potentially exploit firewalls.\u201d<\/p>\n<p>\u201cHaving the backup is like a treasure trove of puzzle pieces you can put back together to see the security posture and general network access of the device that was backed up,\u201d warned <a href=\"https:\/\/www.linkedin.com\/in\/kellman\/\" target=\"_blank\" rel=\"noopener\">Kellman Meghu<\/a>, chief security architect at Canadian consultancy and incident response firm DeepCove Cybersecurity.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Not ransomware\u2019<\/h2>\n<p>As of today, the company isn\u2019t aware of these files having been leaked online by threat actors.<\/p>\n<p>\u201cThis was not a ransomware or similar event for SonicWall,\u201d the statement said. \u201cRather, this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.\u201d<\/p>\n<p>Users of the MySonicWall.com portal should log in and check whether cloud configuration backups are enabled. 
For customers that do use the capability, the portal lists the serial numbers of impacted devices and flags the account with an information banner.<\/p>\n<p>Wednesday\u2019s warning comes after several national cybersecurity authorities warned that the Akira ransomware gang <a href=\"https:\/\/www.csoonline.com\/article\/4056080\/ransomware-gang-going-after-improperly-patched-sonicwall-firewalls.html\" target=\"_blank\" rel=\"noopener\">was exploiting SonicWall firewalls<\/a> that had not been properly patched against a critical 2024 vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">What are brute force attacks?<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/569513\/brute-force-attacks-explained-and-why-they-are-on-the-rise.html\" target=\"_blank\" rel=\"noopener\">Brute force attacks<\/a> use trial and error to guess passwords, login credentials, and encryption keys. They\u2019ve been around since the beginning of the computer age, yet are still effective.<\/p>\n<p>Why? In part because people still use easily guessable passwords like \u20181234\u2019 or their company\u2019s name, and because default passwords shipped by hardware and software vendors are often never changed.<\/p>\n<p>Threat actors compile lists of the most commonly used passwords (famous athletes\u2019 names, famous actors\u2019 names, famous rock band names \u2026) from years of data breaches, and sell or share them. Replaying leaked username and password pairs against other services is known as credential stuffing. A <a href=\"https:\/\/www.csoonline.com\/article\/569677\/what-is-a-dictionary-attack-and-how-you-can-easily-stop-them.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">dictionary attack<\/a> tries every entry in a wordlist, whether ordinary dictionary words or previously leaked passwords. Hybrid brute force attacks combine a dictionary word with brute-force variations, such as capitalization, appended years or digits, and trailing symbols.<\/p>\n<p>Modern computing technology also helps threat actors, Meghu pointed out. 
With today\u2019s low-cost cloud computing resources, any criminal can spin up a temporary virtual machine to try every combination against a stolen file or hash. And <a href=\"https:\/\/www.csoonline.com\/article\/4042464\/enterprise-passwords-becoming-even-easier-to-steal-and-abuse.html\" target=\"_blank\" rel=\"noopener\">Picus Security recently reported<\/a> that even hashed passwords can often be cracked with ease, particularly when a fast, unsalted hash was used.<\/p>\n<h2 class=\"wp-block-heading\">Defenses<\/h2>\n<p>Mandating that employees and customers use long passwords of at least 16 characters is one defense. Even better, according to the US National Institute of Standards and Technology (NIST), is to favor length over complexity rules and encourage employees to use a passphrase they can remember rather than a jumble of characters.<\/p>\n<p>To discourage users from creating easily guessable or reused passwords, CSOs should require that employees use a password manager to generate and store their credentials.<\/p>\n<p>Finally, experts advise that the best defense against brute force attacks is phishing-resistant multi-factor authentication, including, for administrators, the use of physical security keys or biometrics as an extra login step.<\/p>\n<p>\u201cMaking brute force irrelevant by using public\/private keys \u2014 protect those keys!! \u2014 or some sort of two-factor authentication is not enough,\u201d said Meghu. \u201cExtra protection should be the norm.<\/p>\n<p>\u201cYou generally can\u2019t trust something that is just protected by password,\u201d he said. \u201cAssume at some point compute power will reach a point that it is crackable. To extend that time, use as long a password as you can, 18 characters at a minimum for sensitive data.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SonicWall is warning admins that recent brute force attacks on its firewall\u2019s API service for cloud backup could have exposed backup configuration files stored in its cloud portal. 
Affected are SonicWall firewalls with preference files backed up to customers\u2019 MySonicWall.com portal, the company said. In response, access to the backup capability has been disabled, and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4931,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4930","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4930"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4930"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4930\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4931"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
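The "series of account-by-account brute force attacks" SonicWall describes in the article, and the spraying variant that trades depth per account for breadth, written out as detection logic a defender could run over authentication logs. This is an added example and not SonicWall's, the article's or any vendor's code: the log line format, the sample lines, the ten-minute window and the thresholds of five failures per account and five accounts per source are all constructed assumptions, not the MySonicWall API's real logging.

```python
"""Flag account-by-account brute force, password spraying and the
success-after-failures pattern that means the guessing worked.

Added example, not SonicWall's code. The log format and sample lines are
constructed for illustration; the real MySonicWall API log format is not
described in the article and is not reproduced here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <result>".
# 203.0.113.7 hammers one account and finally succeeds; 198.51.100.9 tries
# one guess each against five accounts; 192.0.2.5 is a legitimate typo + login.
SAMPLE_LOG = """
2025-09-15T10:00:01 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:03 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:04 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:06 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:08 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:09 203.0.113.7 alice@example.com FAIL
2025-09-15T10:00:11 203.0.113.7 alice@example.com OK
2025-09-15T10:05:00 198.51.100.9 bob@example.com FAIL
2025-09-15T10:05:02 198.51.100.9 carol@example.com FAIL
2025-09-15T10:05:04 198.51.100.9 dave@example.com FAIL
2025-09-15T10:05:06 198.51.100.9 erin@example.com FAIL
2025-09-15T10:05:08 198.51.100.9 frank@example.com FAIL
2025-09-15T10:30:00 192.0.2.5 bob@example.com FAIL
2025-09-15T10:30:20 192.0.2.5 bob@example.com OK
"""


def parse(text):
    """Turn log text into (timestamp, source, account, success) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result == "OK"))
    return events


def max_in_window(times, window):
    """Largest number of timestamps inside any interval of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return a sorted list of (rule, source, account, count) alerts."""
    fails = defaultdict(list)   # (source, account) -> failure timestamps
    successes = []              # (timestamp, source, account)
    for ts, src, account, ok in events:
        if ok:
            successes.append((ts, src, account))
        else:
            fails[(src, account)].append(ts)

    alerts = set()
    # Rule 1: one source, one account, many failures in a short window
    # (the account-by-account pattern SonicWall described).
    for (src, account), times in fails.items():
        n = max_in_window(times, window)
        if n >= fail_threshold:
            alerts.add(("brute_force", src, account, n))

    # Rule 2: one source failing against many distinct accounts (spraying);
    # per-account counters never trip, so count accounts per source instead.
    accounts_by_src = defaultdict(set)
    for src, account in fails:
        accounts_by_src[src].add(account)
    for src, accounts in accounts_by_src.items():
        if len(accounts) >= spray_threshold:
            alerts.add(("password_spray", src, "*", len(accounts)))

    # Rule 3: a success preceded by a burst of failures from the same source
    # on the same account means the guess landed; that account needs a reset.
    for ts, src, account in successes:
        recent = [t for t in fails.get((src, account), []) if ts - window <= t <= ts]
        if len(recent) >= fail_threshold:
            alerts.add(("success_after_failures", src, account, len(recent)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Rule 3 is the one worth paging on: a brute-force alert says someone is trying, while success after a burst of failures says they got in, which is the point at which the backed-up preference files should be treated as exposed and every secret in them rotated.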
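The dictionary and hybrid attacks explained in the "What are brute force attacks?" section, and the length arithmetic behind Meghu's 18-character advice in "Defenses", worked through as an added example that is not from the article, SonicWall or Picus Security. The wordlist, the mutation rules, the victim password "Sonicwall2024!" and the guess rates (1e11 per second for a fast unsalted hash on GPUs, 1e5 per second for a deliberately slow password hash) are assumptions for illustration; SHA-256 stands in for whatever hash a real system stores.

```python
"""Why a "complex" word-plus-year password falls to a hybrid attack in a few
thousand guesses, and what extra length or a passphrase buys instead.

Added example, not the article's or any vendor's code. Wordlist, rules,
victim password and guess rates are constructed assumptions.
"""
import hashlib

WORDLIST = ["password", "sonicwall", "firewall", "summer", "welcome", "admin"]
LEET = str.maketrans("aeios", "43105")  # a->4 e->3 i->1 o->0 s->5


def hybrid_candidates(words, years=range(2020, 2026)):
    """Yield each word with the mutations cracking rule sets apply: capitalization,
    leetspeak, an appended year or one/two digits, and a trailing symbol."""
    suffixes = [""] + [str(y) for y in years] + [str(d) for d in range(100)]
    for word in words:
        # dict.fromkeys keeps order and drops duplicates, so guess counts are stable
        bases = list(dict.fromkeys([
            word, word.capitalize(), word.upper(),
            word.translate(LEET), word.capitalize().translate(LEET),
        ]))
        for base in bases:
            for suffix in suffixes:
                for symbol in ("", "!", "#", "@"):
                    yield base + suffix + symbol


def store(password):
    """Simulated stored credential: unsalted SHA-256, a fast hash (the worst case)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex, words):
    """Return (password, guesses) for the first candidate matching target_hex,
    or (None, guesses) when the rule set is exhausted."""
    guesses = 0
    for candidate in hybrid_candidates(words):
        guesses += 1
        if store(candidate) == target_hex:
            return candidate, guesses
    return None, guesses


SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every possibility at the given rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def charset_keyspace(length, alphabet_size=95):
    """Keyspace of a random password of `length` printable-ASCII characters."""
    return alphabet_size ** length


def passphrase_keyspace(words, wordlist_size=7776):
    """Keyspace of a random passphrase drawn from a diceware-sized list."""
    return wordlist_size ** words


if __name__ == "__main__":
    # 14 characters, mixed case, digits and a symbol: passes most policies,
    # but it is one dictionary word plus a rule.
    found, guesses = crack(store("Sonicwall2024!"), WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses")

    # Assumed rates: ~1e11/s for an unsalted fast hash on a GPU rig,
    # ~1e5/s for a tuned slow password hash.
    for label, space in [("8 random chars", charset_keyspace(8)),
                         ("18 random chars", charset_keyspace(18)),
                         ("6-word passphrase", passphrase_keyspace(6))]:
        print(f"{label:18} fast hash: {years_to_exhaust(space, 1e11):.3g} years;"
              f" slow hash: {years_to_exhaust(space, 1e5):.3g} years")
```

The rule set here is tiny next to a real cracking rig's, yet the policy-compliant password falls in under three thousand guesses, while eight random characters last hours against a fast hash and eighteen random characters or a six-word passphrase last longer than the hardware will exist. Run it against your own password policy's examples before assuming length alone is protecting you.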