Akira Ransomware Group Utilizing SonicWall Devices for Initial Access

On September 17, 2025, SonicWall disclosed a breach impacting MySonicWall.com cloud backups that allowed threat actors to access firewall preference files, potentially exposing credentials, tokens, and full firewall configurations. Rapid7 links the activity to the Akira ransomware group and recommends immediate mitigation steps including password/token rotation, MFA/TOTP resets, and following SonicWall remediation guidance. #MySonicWall #Akira

Key points

  • SonicWall confirmed suspicious activity targeting MySonicWall.com backups, exposing firewall preference files that may contain credentials and tokens.
  • Rapid7 ties the incident to the Akira ransomware group and reports increased intrusions against SonicWall appliances following a campaign that began in August 2024.
  • The incident is related to a previously disclosed vulnerability (tracked by SonicWall as SNWLID-2024-0015) involving improper access control for SSLVPN, affecting environments where remediation was not fully completed.
  • Attackers have exploited SSLVPN default group misconfigurations and publicly accessible Virtual Office Portals to configure MFA/TOTP and gain access.
  • Rapid7 recommends immediate actions: rotate local SonicWall account passwords, reset TOTP/MFA tokens, rotate LDAP/RADIUS/TACACS+ credentials, and apply SonicWall patches.
  • Defensive recommendations include restricting Virtual Office Portal access to trusted networks, enforcing MFA for backups, segmenting backups, and ensuring virtualization firmware is up to date.
  • Rapid7 is monitoring customers, issuing communications, and providing IOCs, YARA rules, and TTP updates via its Intelligence Hub and MDR services.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Actors exploited SSLVPN improper access control (SonicWall advisory SNWLID-2024-0015) to obtain unauthorized access. Quote: “…this vulnerability allowed unauthorized access to SonicWall in specific conditions.”
  • [T1078] Valid Accounts – Threat actors used exposed credentials/tokens from backup preference files and default group misconfigurations to authenticate to services. Quote: “…threat actors were able to access backup firewall preference files. These files may supply threat actors with critical information, such as credentials or tokens…”
  • [T1136] Create Account – Actors configured MFA/TOTP using the Virtual Office Portal when it was publicly accessible to establish or modify authentication for valid accounts. Quote: “…allows public access to the portal, which can allow threat actors to configure MFA/TOTP with valid accounts…”
  • [T1210] Exploitation of Remote Services – Abuse of SSLVPN Default Users Group Security Risk to gain SSLVPN access irrespective of Active Directory settings. Quote: “…can over provision access to SonicWall’s SSLVPN services based on the Default LDAP group configurations…”
  • [T1005] Data from Local System – Attackers accessed and stole sensitive files from network shares and file servers after gaining access. Quote: “…locating and stealing sensitive files from network shares or file servers…”
  • [T1486] Data Encrypted for Impact – Deployment of ransomware encryption at the hypervisor level to impact business operations. Quote: “…deploying ransomware encryption at the hypervisor level.”
  • [T1565] Stored Data Manipulation – Deleting or stopping backups to prevent recovery prior to ransomware deployment. Quote: “…deleting or stopping backups…”

Read more: https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access