Overview
- SonicWall said Mandiant’s completed investigation traced the September incident to a nation-state actor using an API call against a specific cloud environment.
- The activity was confined to configuration backup and preference files stored in the MySonicWall cloud service, according to the company.
- Mandiant found no impact to SonicWall products, firmware, other corporate systems, source code, or customer networks.
- SonicWall urged customers to rotate account, VPN, and directory service credentials, and released an Online Analysis Tool and a Credentials Reset Tool to streamline remediation.
- The company said the breach is unrelated to Akira ransomware campaigns, while Huntress separately reported SSLVPN compromises using valid credentials with no evidence linking them to the backup exposure.