cyberscoop.com

By
Matt Kapko

September 17, 2025

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files.

The company confirmed to CyberScoop that an unidentified cybercriminal accessed SonicWall’s customer portal through a series of brute-force attacks.

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices.

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop.

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added.

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said.

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added.

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm.

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said.

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks.

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.

https://www.sonicwall.com/support/
Updated
September 22, 2025

Description

SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days.

Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.

We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.

TIP: Learn more by watching this helpful video guide here
Affected Products:

SonicWall Firewalls with preference files backed up in MySonicWall.com

Due to the sensitivity of the configuration files, we highly encourage customers to take the following steps immediately:

Log in to your MySonicWall.com account and verify if cloud backups exist for your registered firewalls: 
    If fields are blank (Figure 1): You are NOT at risk.
    A screenshot of a computer AI-generated content may be incorrect.
    Figure 1 – Does Not Contain Backup

    If fields contain backup details (Figure 2): Please continue reading.
    Image
    Figure 2 – Contains Backups

Verify whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List, the affected serial numbers will be flagged with information such as Friendly Name, Last Download Date and Known Impacted Services.
Image

    If Serial Numbers are shown: the listed firewalls are at risk and should follow the containment and remediation guidelines: Essential Credential Reset
    NOTE: Impacted Services should be used for general guidance only.  The services listed were identified as being enabled and should be immediately reviewed.  ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT, OR BEFORE, THE TIME OF BACKUP SHOULD BE REVIEWED FOR EACH SERIAL NUMBER LISTED. 
    If you have used the Cloud Backup feature but no Serial Numbers are shown or only some of your registered Serial Numbers: 
            SonicWall will provide additional guidance in coming days to determine if your backup files were impacted.
            Please check back on this page for this additional information: MySonicWall Cloud Backup File Incident

Technical Containment and Mitigation Documentation can be found at:

Essential Credential Reset
Remediation Playbook

NOTE: Use the SonicWall Online Tool to identify services that require remediation. Follow the on-screen instructions to proceed. (UPE Mode is not supported.)

We have a dedicated support service team available to help you with any of these changes. If you need any assistance, please login to your MySonicWall account and open a case with our Support team. You can access your account at: https://www.mysonicwall.com/muir/login.
Change Log:

2025-9-17 4:40 AM PDT: Initial publish.
2025-9-17 2:45 PM PDT: Minor formatting update.
2025-9-17 8:45 PM PDT: Revised incident disclosure text to clarify scope (<5% of firewalls), encrypted credentials, no known leaks, and brute-force (not ransomware) attack.
2025-9-18  5:38 AM PDT: Changed formatting and provided detailed steps with screenshots.
2025-9-18  9:19 AM PDT: Updated guidance steps, navigation screenshots, and note clarifying review of impacted services.
2025-9-18 4:30 PM PDT: Updated KB text and image to clarify affected products, provide step-by-step backup verification instructions, and replace figures showing when backups are or are not present.
2025-9-19 1:15 PM PDT: No updates at this time.
2025-9-20 9:15 AM PDT: Added a Tip with a video guide and a Note linking to the SonicWall online tool for firewall configuration analysis and remediation guidance.
2025-9-22 8:20 AM PDT: No updates at this time.

bleepingcomputer.com - Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected.

Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online (part of Microsoft 365), allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes, including shared calendars, global address lists, and mail flow.

However, in hybrid Exchange deployments, on-prem Exchange Server and Exchange Online also share the same service principal, which is a shared identity used for authentication between the two

By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premises server.

Additionally, actions originating from on-premises Exchange don't always generate logs associated with malicious behavior in Microsoft 365; therefore, traditional cloud-based auditing (such as Microsoft Purview or M365 audit logs) may not capture security breaches if they originated on-premises.

"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace," Microsoft said on Wednesday in a security advisory describing a high-severity privilege escalation vulnerability now tracked as CVE-2025-53786.

The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.

While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as "Exploitation More Likely" because its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, increasing its attractiveness to attackers.

SafetyDetectives’ Cybersecurity Team stumbled upon a clear web forum post where a threat actor publicized a database that allegedly belongs to VirtualMacOSX.com. The data purportedly belongs to 10,000 of its customers.
In a recent discovery, SafetyDetectives’ Cybersecurity Team stumbled upon a clear web forum post where a threat actor publicized a database that allegedly belongs to VirtualMacOSX.com. The data purportedly belongs to 10,000 of its customers.

What Is VirtualMacOSX.com?
According to its website, VirtualMacOSX serves 102 countries and has offered “Apple Macintosh cloud based computing since 2012. With the greatest range of cloud based Apple products and services available anywhere on the Web.”

Where Was The Data Found?
The data was found in a forum post available on the clear surface web. This well-known forum operates message boards dedicated to database downloads, leaks, cracks, and more.

What Was Leaked?
The author of the post included a 34-line sample of the database, the full database was set to be freely accessible to anyone with an account on the forum willing to either reply or like the post.

Our Cybersecurity Team analyzed a segment of the dataset to validate its authenticity. Although the data appeared genuine and we saw indicatives in invoices sent to VirtualMacOSX, we could not definitively confirm that the data belonged to VirtualMacOSX’s customers as, due to ethical considerations, we refrained from testing the exposed credentials.

The entire dataset consisted of 176,000 lines split across three separate .txt files named ‘tblcontacts,’ ‘tbltickets,’ and ‘tblclients.’

The sensitive information allegedly belonging to VirtualMacOSX’s customers included:

User ID
Full name
Company name
Email
Full physical address
Phone number
Password
Password reset key
We also saw customers’ financial data such as:

Bank name
Bank type
Bank code
Bank account
And User’s Support tickets containing:

User ID
IP Address
Full name
Email
Full Message
This type of data is critical as it might be employed by potential wrongdoers to plan and perform various types of attacks on the impacted clients.

Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.

Le Cloud computing, devenu incontournable pour les secteurs public et privé, favorise la transformation numérique mais offre également de nouvelles opportunités d’attaques et problématiques de sécurité pour les organisations qui l’utilisent.

L'ANSSI observe une augmentation des attaques contre les environnements cloud. Ces campagnes d'attaques, menées à des fins lucratives, d'espionnage et de déstabilisation, affectent les fournisseurs de services cloud (Cloud Service Provider, CSP), en partie ciblés pour les accès qu’ils peuvent offrir vers leurs clients. Elles ciblent également les environnements de clients de services cloud, dont l'hybridation des systèmes d'information générée par l'usage du cloud, augmente la surface d'attaque.

In this new report, learn how threat actors are leveraging cloud services to target web services with ransomware attackers.

Private Cloud Compute is a cloud intelligence system that Apple designed for private artificial intelligence processing, and it's what Apple is...

A case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network. Learn more.

American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which…

A critical vulnerability in NVIDIA Container Toolkit impacts all AI applications in a cloud or on-premise environment that rely on it to access GPU resources.

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

A cloud extortion campaign exploited misconfigured AWS .env files to target 110,000 domains, stealing credentials and ransoming cloud storage data.

We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations' AWS environments.

Aqua Nautilus researchers discovered a new variant of Gafgyt targeting machines with weak SSH passwords.

Secure and private AI processing in the cloud poses a formidable new challenge. To support advanced features of Apple Intelligence with larger foundation models, we created Private Cloud Compute (PCC), a groundbreaking cloud intelligence system designed specifically for private AI processing. Built with custom Apple silicon and a hardened operating system, Private Cloud Compute extends the industry-leading security and privacy of Apple devices into the cloud, making sure that personal user data sent to PCC isn’t accessible to anyone other than the user — not even to Apple. We believe Private Cloud Compute is the most advanced security architecture ever deployed for cloud AI compute at scale.

Microsoft's education-focused flavor of its cloud productivity suite, Microsoft 365 Education, is facing investigation in the European Union. Privacy

A previously discovered vulnerability affecting self-hosted Cisco Webex instances similarly affected the Webex cloud service.

Discover how SMS scammers are exploiting cloud storage to host scam websites with the intention of stealing sensitive information