Particle.news

SonicWall Breach Exposes Cloud Firewall Backups, Triggers Credential Resets

The company estimates fewer than 5% of customers were affected.

Overview

  • SonicWall confirmed attackers accessed backup firewall configuration files stored in MySonicWall, which could make exploitation of affected firewalls easier.
  • The vendor disabled the cloud backup feature, cut off attacker access, and opened an investigation with incident response partners and law enforcement.
  • SonicWall says fewer than 5% of its firewall install base had backup preference files accessed, and it has not seen evidence of the files being leaked online.
  • Impacted customers are receiving modified preference files that randomize local user passwords, reset TOTP bindings, and rotate IPSec VPN keys, with warnings about temporary VPN disruptions and a firewall reboot during import.
  • The company describes the intrusion as account-by-account brute-force access rather than ransomware and urges comprehensive resets of passwords, API keys, and tokens as Akira continues to target unpatched devices via CVE-2024-40766.