SonicWall MySonicWall cloud backup breach exposing firewall backup files
Data Leak
Summary
SonicWall said a state-sponsored threat actor stole firewall configuration backup files from its MySonicWall cloud backup service in a September security breach. The exposed .EXP backups contained AES-256-encrypted credentials and configuration data, and SonicWall said the incident was isolated to an API call in a specific cloud environment. The company completed its investigation with Mandiant, notified impacted customers and partners, and said the breach was unrelated to Akira ransomware and did not impact SonicWall products or firmware.
Cases
Related Happenings
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Timeline
-
29.01.2026 19:57 4 articles · 3mo ago
SonicWall discloses MySonicWall cloud backup breach
Initial Disclosure: SonicWall disclosed a security breach in the MySonicWall online customer portal, told customers to reset account credentials, and said the incident affected about 5% of firewall customers using its cloud backup service.
Sources:
- Marquis blames ransomware breach on SonicWall cloud backup hack — www.bleepingcomputer.com — 29.01.2026 19:57
- SonicWall warns customers to reset credentials after breach — www.bleepingcomputer.com — 17.09.2025 19:23
- SonicWall Breached, Firewall Backup Data Exposed — www.darkreading.com — 18.09.2025 22:26
-
29.01.2026 19:57 3 articles · 3mo ago
Marquis ties downstream ransomware attack to SonicWall cloud backup breach
Attribution Update: Marquis Software Solutions said a third-party investigation determined that the threat actor that attacked Marquis used configuration data extracted from SonicWall's cloud backup breach to bypass its firewall, and the company said it was evaluating recoupment options for response expenses.
Sources:
- Marquis blames ransomware breach on SonicWall cloud backup hack — www.bleepingcomputer.com — 29.01.2026 19:57
- Marquis sues SonicWall over backup breach that led to ransomware attack — www.bleepingcomputer.com — 25.02.2026 17:54
- State-Sponsored Hackers Stole SonicWall Cloud Backups in Recent Attack — www.securityweek.com — 06.11.2025 11:51
-
09.10.2025 17:13 2 articles · 7mo ago
SonicWall says all cloud backup customers affected
Victim Impact Update: SonicWall said all customers who used its cloud backup service were affected by a recent MySonicWall security incident, after completing an investigation with Mandiant. The exposed .EXP firewall configuration backup files stored in MySonicWall accounts contain AES-256-encrypted credentials and configuration data, and SonicWall warned that access to those files could make firewall exploitation significantly easier.
Sources:
- SonicWall: Firewall configs stolen for all cloud backup customers — www.bleepingcomputer.com — 09.10.2025 17:13
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30