Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach, Cyber Attack and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $16.02 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with updated security advisory and revised cvss score, and third party assistance with google threat intelligence group (gtig), mandiant, sonicwall’s product security incident response team (psirt), and containment measures with disable sonicwall ssl vpn service, and remediation measures with enable botnet protection, remediation measures with enforce mfa on all remote access accounts, remediation measures with practice good password hygiene, remediation measures with remove inactive or unused local user accounts, remediation measures with block vpn authentication attempts from specific asns, and and third party assistance with rapid7, third party assistance with threatlocker, third party assistance with arctic wolf, and containment measures with patching cve-2024-40766, containment measures with credential rotation, containment measures with upgrading to sonicos 7.3.0, and remediation measures with enforcing mfa for sonicwall services, remediation measures with restricting virtual office portal access to internal networks, remediation measures with disabling default ldap group configurations, and communication strategy with sonicwall public advisory (snlwid-2024-0015), communication strategy with rapid7 customer notifications, communication strategy with media alerts via the register, and incident response plan activated with recommended (not specified per victim), and third party assistance with arctic wolf (research), third party assistance with rapid7 (research), and containment measures with reset all sonicwall credentials (ssl vpn, otp mfa secrets, ldap sync accounts), containment measures with block logins from vps hosting providers, containment measures with disable virtual office portal if unused, and remediation measures with patch cve-2024-40766 (if unpatched), remediation measures with rotate all credentials with ssl vpn access, remediation measures with review ldap group mappings, remediation measures with implement network segmentation, and recovery measures with restore from offline backups (if available), recovery measures with rebuild domain controllers, recovery measures with reimage compromised systems, and network segmentation with recommended, and enhanced monitoring with anomalous smb activity (impacket), enhanced monitoring with ldap discovery activity, enhanced monitoring with execution of network scanning/archival tools (winrar, rclone), enhanced monitoring with logins from vps providers, and and third party assistance with cybersecurity experts, and and containment measures with blocked attackers' access to mysonicwall backups, and remediation measures with customers urged to reset credentials, remediation measures with import new preference files (disrupts vpns, totp, and user access), remediation measures with manual credential reset for customers unable to import new files, remediation measures with reconfiguration of vpn pre-shared keys, and recovery measures with guidance provided for manual remediation if new preference files cannot be imported, and communication strategy with public advisory issued (2025-09-18), communication strategy with customers notified via mysonicwall accounts (flagged serial numbers for affected devices), communication strategy with detailed remediation steps provided, and and third party assistance with independent investigation, third party assistance with external forensics review, and containment measures with disabled cloud backup service, containment measures with deleted compromised backups, and remediation measures with hardened infrastructure, remediation measures with additional logging, remediation measures with stronger authentication controls, and recovery measures with customers advised to recreate backups locally, and communication strategy with public disclosure updates, communication strategy with customer advisories to rotate credentials and delete backups, and and and containment measures with urged customers to delete existing cloud backups, containment measures with encouraged credential rotation and secret rotation, containment measures with recommended recreating backups locally, and remediation measures with released tools to assist with device assessment and remediation, and communication strategy with public notification via advisory, communication strategy with direct notification to impacted partners and customers, and and third party assistance with mandiant, and containment measures with disclosure of full scope, containment measures with urgent customer advisories, and remediation measures with credential resets, remediation measures with encryption key regeneration, remediation measures with firmware updates, remediation measures with anomaly monitoring, and recovery measures with forensic audits recommended, recovery measures with configuration reviews, and communication strategy with public advisory (october 8), communication strategy with collaboration with cybersecurity media (dark reading, the register, etc.), and enhanced monitoring with recommended for all customers, and and third party assistance with huntress security researchers, and containment measures with restrict wan management access, containment measures with disable http/s, ssh, and ssl vpn services, containment measures with reset all credentials (local admin, vpn keys, ldap, snmp, api secrets), containment measures with enable enhanced logging, and remediation measures with gradual service restoration post-credential reset, remediation measures with enforce multi-factor authentication (mfa) for all admin/remote users, remediation measures with limit management privileges, remediation measures with monitor for suspicious logins/configuration changes, and recovery measures with continuous monitoring, recovery measures with configuration audits, and communication strategy with sonicwall advisory via mysonicwall.com, communication strategy with urgent customer notifications, communication strategy with collaboration with security partners (e.g., huntress), and and incident response plan activated with yes (by sonicwall and affected organizations), and third party assistance with huntress security researchers, third party assistance with partner collaborations, and containment measures with restrict wan management access, containment measures with disable http/s, ssh, and ssl vpn services temporarily, containment measures with reset all credentials (local admin, vpn pre-shared keys, ldap, snmp, api/ddns secrets), containment measures with enable enhanced logging for suspicious activity, and remediation measures with gradual service restoration post-credential reset, remediation measures with enforce multi-factor authentication (mfa) for all admin/remote users, remediation measures with limit management privileges, remediation measures with continuous monitoring for anomalies, and communication strategy with sonicwall advisory via mysonicwall.com, communication strategy with urgent customer notifications, communication strategy with public disclosure (via huntress and security media), and enhanced monitoring with mandated for all affected systems, and and third party assistance with mandiant (incident response investigation), and containment measures with isolation of compromised cloud environment, containment measures with api access restrictions, and remediation measures with customer advisory to reset credentials (mysonicwall accounts, ldap/radius/tacacs+, vpn secrets), and communication strategy with public disclosure (2023-09-17), communication strategy with update on investigation completion (2023-10-09), communication strategy with assurance of product safety, and incident response plan activated with likely (beazley insurance clients), and third party assistance with beazley security labs, third party assistance with cybersecurity vendors (e.g., sonicwall, microsoft), and containment measures with temporary mitigations for zero-days, containment measures with network access lockdowns, containment measures with credential rotation (for vpns), and remediation measures with patch management for zero-days (cve-2025-*), remediation measures with mfa enforcement for vpns, remediation measures with access control hardening (lockout policies), and communication strategy with beazley security advisories, communication strategy with vendor security bulletins (e.g., sonicwall, microsoft), and network segmentation with recommended (for critically vulnerable devices), and enhanced monitoring with recommended (for zero-day exploits), and incident response plan activated with yes (beazley security incident response), and third party assistance with beazley security (insurance/cybersecurity arm), and containment measures with mfa enforcement for remote access, containment measures with dark web monitoring for leaked credentials, containment measures with patching critical vulnerabilities (cisco/citrix), containment measures with compensating controls for mfa-exempt accounts, and remediation measures with credential rotation for compromised accounts, remediation measures with lockout policy enhancements (sonicwall), remediation measures with vpn/rdp hardening, and communication strategy with public report by beazley security, and enhanced monitoring with dark web monitoring for credentials..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Unknown, SonicWall SSL VPN, CVE-2024-40766 exploitationSSLVPN misconfigurationslegacy credentialsVirtual Office portal public access, SonicWall SSL VPN (via CVE-2024-40766 or stolen credentials)Misconfigured SSLVPN Default Users GroupVirtual Office Portal (OTP MFA bypass), MySonicWall cloud backup service, Unauthorized access to cloud storage environment, MySonicWall Cloud Service (via brute-force attack), MySonicWall PortalCloud Backup Service, SonicWall SSL VPN DevicesExposed Credentials in Backup Files, SonicWall SSL VPN (Via Exposed Credentials)Potential Exploitation of Leaked Firewall Backups, Unauthorized API call to cloud backup environment, Compromised VPN Credentials (48%)External Service Exploits (23%) and VPN Credentials (48%)RDP (6%)External Services (24%)SEO Poisoning (Rhysida).

Average Financial Loss: The average financial loss per incident is $942.35 thousand.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Sensitive credentials, persist.db database, certificate files, Sensitive Corporate Data, Potentially Pii, Virtual Machine Storage, Backup Data, , Firewall Preference Files (Configuration Details And Encrypted Credentials), , Firewall Configuration Files, Network Settings, Policies, Certificates, , Firewall Configuration Files, Network Rules, Access Policies, Vpn Configurations, Service Credentials (Ldap, Radius, Snmp), Admin Usernames And Passwords (If Stored In Config), , Firewall Configuration Backups, Encrypted Credentials, Network Topology Data, Vpn Settings, Access Control Rules, , Firewall Configuration Backups, Encrypted Credentials, Network Access Credentials, , Firewall Configuration Backups (Encrypted), Credentials (Potential), Network Topology Data, , Firewall Configuration Files, Authentication Credentials, Encryption Tokens, , Vpn Credentials, Corporate Data (Ransomware), Potential Pii (Infostealers), , Configuration Backups (Sonicwall Cloud), Potential Pii/Enterprise Data (Ransomware) and .

Incident Response Plan: The company's incident response plan is described as Recommended (not specified per victim), , , , , , Yes (By SonicWall and Affected Organizations), , Likely (Beazley Insurance Clients), Yes (Beazley Security Incident Response).

Third-Party Assistance: The company involves third-party assistance in incident response through Google Threat Intelligence Group (GTIG), Mandiant, SonicWall’s Product Security Incident Response Team (PSIRT), Rapid7, ThreatLocker, Arctic Wolf, , Arctic Wolf (research), Rapid7 (research), , Cybersecurity experts, , Independent Investigation, External Forensics Review, , Mandiant, , Huntress Security Researchers, , Huntress Security Researchers, Partner Collaborations, , Mandiant (incident response investigation), , Beazley Security Labs, Cybersecurity Vendors (e.g., SonicWall, Microsoft), , Beazley Security (Insurance/Cybersecurity Arm), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Enable Botnet Protection, Enforce MFA on all remote access accounts, Practice good password hygiene, Remove inactive or unused local user accounts, Block VPN authentication attempts from specific ASNs, , enforcing MFA for SonicWall services, restricting Virtual Office portal access to internal networks, disabling default LDAP group configurations, , Patch CVE-2024-40766 (if unpatched), Rotate all credentials with SSL VPN access, Review LDAP group mappings, Implement network segmentation, , Customers urged to reset credentials, Import new preference files (disrupts VPNs, TOTP, and user access), Manual credential reset for customers unable to import new files, Reconfiguration of VPN pre-shared keys, , Hardened infrastructure, Additional logging, Stronger authentication controls, , Released tools to assist with device assessment and remediation, , Credential Resets, Encryption Key Regeneration, Firmware Updates, Anomaly Monitoring, , Gradual Service Restoration Post-Credential Reset, Enforce Multi-Factor Authentication (MFA) for All Admin/Remote Users, Limit Management Privileges, Monitor for Suspicious Logins/Configuration Changes, , Gradual Service Restoration Post-Credential Reset, Enforce Multi-Factor Authentication (MFA) for All Admin/Remote Users, Limit Management Privileges, Continuous Monitoring for Anomalies, , Customer advisory to reset credentials (MySonicWall accounts, LDAP/RADIUS/TACACS+, VPN secrets), , Patch Management for Zero-Days (CVE-2025-*), MFA Enforcement for VPNs, Access Control Hardening (Lockout Policies), , Credential Rotation for Compromised Accounts, Lockout Policy Enhancements (SonicWall), VPN/RDP Hardening, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by disable sonicwall ssl vpn service, patching cve-2024-40766, credential rotation, upgrading to sonicos 7.3.0, , reset all sonicwall credentials (ssl vpn, otp mfa secrets, ldap sync accounts), block logins from vps hosting providers, disable virtual office portal if unused, , blocked attackers' access to mysonicwall backups, , disabled cloud backup service, deleted compromised backups, , urged customers to delete existing cloud backups, encouraged credential rotation and secret rotation, recommended recreating backups locally, , disclosure of full scope, urgent customer advisories, , restrict wan management access, disable http/s, ssh, and ssl vpn services, reset all credentials (local admin, vpn keys, ldap, snmp, api secrets), enable enhanced logging, , restrict wan management access, disable http/s, ssh, and ssl vpn services temporarily, reset all credentials (local admin, vpn pre-shared keys, ldap, snmp, api/ddns secrets), enable enhanced logging for suspicious activity, , isolation of compromised cloud environment, api access restrictions, , temporary mitigations for zero-days, network access lockdowns, credential rotation (for vpns), , mfa enforcement for remote access, dark web monitoring for leaked credentials, patching critical vulnerabilities (cisco/citrix), compensating controls for mfa-exempt accounts and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Restore from offline backups (if available), Rebuild Domain Controllers, Reimage compromised systems, , Guidance provided for manual remediation if new preference files cannot be imported, , Customers advised to recreate backups locally, , Forensic Audits Recommended, Configuration Reviews, , Continuous Monitoring, Configuration Audits, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Possible Lawsuits from Affected Customers, Potential Regulatory Probes, .

Key Lessons Learned: The key lessons learned from past incidents are Importance of disabling potentially vulnerable services and hardening firewall securityLegacy credentials and misconfigurations (e.g., default LDAP groups, public Virtual Office portal access) significantly increase risk even after patching. Rapid encryption (<10 hours) underscores the need for immediate mitigation. MFA and network access restrictions are critical supplementary controls.Credential rotation is critical even after patching (attackers reuse old credentials),MFA bypass techniques (e.g., Virtual Office Portal abuse) require additional controls,Rapid attack timelines (<4 hours) necessitate real-time detection capabilities,Default configurations (e.g., SSLVPN Default Users Group) can introduce risk,LDAP-synchronized accounts require strict access reviewsInitial impact assessment was inaccurate (underestimated scope from 5% to 100% of users).,Cloud-stored firewall configurations are high-value targets for threat actors.,Need for stronger access controls and monitoring of cloud backup environments.,Importance of transparent communication during incident response.Underestimation of incident scale can erode trust; transparency is critical. Weak authentication mechanisms in cloud services pose significant risks. Firewall configuration files are high-value targets for threat actors seeking insider knowledge for targeted attacks.Cloud backup services can become high-value targets if not properly secured.,Initial breach assessments may underestimate scope; thorough investigations are critical.,Multi-factor authentication and rate-limiting are essential for preventing brute-force attacks.,Vendor transparency is crucial for maintaining customer trust during incidents.,Supply-chain risks require diversified security stacks and zero-trust architectures.Exposed credentials in backup files create systemic risk even if encrypted.,Rapid, coordinated attacks underscore the need for real-time monitoring and credential hygiene.,Vendor disclosures must be transparent about scope to prevent underestimation of threats.,MFA and least-privilege access are critical for mitigating VPN-based intrusions.Exposed Credentials Pose Significant Risk Even Without Brute-Force Attacks,Cloud Backup Services Must Implement Stricter Access Controls,Rapid Credential Rotation and MFA Are Critical for Mitigating VPN-Based Intrusions,Configuration Backups, Even Encrypted, Can Be Exploited for Targeted AttacksIsolation of cloud environments and API security are critical to preventing lateral movement. Proactive credential rotation advisories can mitigate downstream risks from exposed configuration files.Credential stuffing and weak MFA policies are primary attack vectors for ransomware groups.,Zero-day exploits require continuous vulnerability management and proactive mitigations.,Infostealers (e.g., Rhadamanthys) fuel credential-based attacks, necessitating monitoring of cybercrime markets.,Exposed, unpatched devices should be assumed compromised and investigated.MFA is critical for VPN/RDP access but must be universally applied (no exceptions).,Dark web monitoring for leaked credentials can preempt attacks.,Unpatched enterprise appliances (SonicWall/Cisco/Citrix) are high-value targets.,SEO poisoning and malicious ads bypass traditional email filters, requiring endpoint protection.,Credential stuffing/brute force attacks exploit weak lockout policies and password hygiene.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Category: Detection, , Disable Unnecessary External Management Interfaces (HTTP/S, SSH), Organizations with SMA appliances are recommended to check the devices for potential compromise by acquiring disk images, which should prevent interference from the rootkit. GTIG provides a set of indicators of compromise along with the signs analysts should look for to determine if the device was hacked., Monitor for Unusual Authentication Patterns or Network Scans, Conduct Forensic Analysis to Detect Lateral Movement, Review and Harden Firewall Configuration Backups, Assume breach for internet-exposed, vulnerable devices and conduct thorough investigations., Immediate Credential Reset for All SonicWall SSL VPN Users, Implement Zero Trust Principles for VPN Access, Category: Response, , Implement comprehensive MFA and conditional access policies for VPNs/remote access., Monitor dark web for stolen credentials and proactively rotate compromised accounts., Adopt continuous vulnerability management with prioritized patching for critical CVEs., Segment networks to limit lateral movement in case of ransomware infections., Enforce strong lockout policies and password hygiene to mitigate credential stuffing., Enforce MFA for All Administrative and Remote Access, Deploy behavioral WAFs and anomaly detection for zero-day exploit prevention., Category: Prevention and .

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: SonicWall Capture Labs, and Source: SonicWall 2024 Cyber Threat Report, and Source: SonicWall Cyber Threat Report, and Source: Arctic Wolf, and Source: Federal agencies, and Source: Google Threat Intelligence Group (GTIG), and Source: Arctic Wolf Labs, and Source: The RegisterDate Accessed: 2025-08-07, and Source: Rapid7 AdvisoryDate Accessed: 2025-08-07, and Source: SonicWall Public Advisory (SNLWID-2024-0015)Date Accessed: 2024-08-01, and Source: Bitsight Research (Emma Stevens)Date Accessed: 2025-08-07, and Source: ThreatLocker/Arctic Wolf AlertsDate Accessed: 2025-07-22, and Source: Arctic Wolf ResearchDate Accessed: 2025-07, and Source: Rapid7 AnalysisDate Accessed: 2025-07, and Source: SonicWall Security Advisory (CVE-2024-40766)Date Accessed: 2024-08, and Source: SecurityAffairsUrl: https://securityaffairs.com/Date Accessed: 2025-09-18, and Source: The Register, and Source: SonicWall Official Statement (September 2023), and Source: Arctic Wolf Threat Intelligence Analysis, and Source: The Register, and Source: TechRadar ProUrl: https://www.techradar.com, and Source: Dark ReadingUrl: https://www.darkreading.com, and Source: The RegisterUrl: https://www.theregister.com, and Source: CSO OnlineUrl: https://www.csoonline.com, and Source: The Hacker NewsUrl: https://thehackernews.com, and Source: BleepingComputerUrl: https://www.bleepingcomputer.com, and Source: Arctic WolfUrl: https://arcticwolf.com, and Source: Huntress Security Research, and Source: SonicWall Advisory (MySonicWall.com)Url: https://www.mysonicwall.com, and Source: Huntress Security Research, and Source: SonicWall Advisory (MySonicWall.com), and Source: SonicWall Official Statement (September 17, 2023), and Source: SonicWall Update (October 9, 2023), and Source: Huntress Report on SonicWall SSLVPN Attacks (October 13, 2023), and Source: Beazley Security Q3 2025 Report, and Source: SonicWall SSL VPN Attacks Escalate, Bypassing MFA, and Source: NIST CVE Database (CVE-2025-53770, CVE-2025-54309, etc.)Url: https://nvd.nist.gov/, and Source: Beazley Security Q3 2024 Ransomware ReportDate Accessed: 2024-10-01.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Updated security advisory and revised CVSS score, Sonicwall Public Advisory (Snlwid-2024-0015), Rapid7 Customer Notifications, Media Alerts Via The Register, Public Advisory Issued (2025-09-18), Customers Notified Via Mysonicwall Accounts (Flagged Serial Numbers For Affected Devices), Detailed Remediation Steps Provided, Public Disclosure Updates, Customer Advisories To Rotate Credentials And Delete Backups, Public Notification Via Advisory, Direct Notification To Impacted Partners And Customers, Public Advisory (October 8), Collaboration With Cybersecurity Media (Dark Reading, The Register, Etc.), Sonicwall Advisory Via Mysonicwall.Com, Urgent Customer Notifications, Collaboration With Security Partners (E.G., Huntress), Sonicwall Advisory Via Mysonicwall.Com, Urgent Customer Notifications, Public Disclosure (Via Huntress And Security Media), Public Disclosure (2023-09-17), Update On Investigation Completion (2023-10-09), Assurance Of Product Safety, Beazley Security Advisories, Vendor Security Bulletins (E.G., Sonicwall, Microsoft) and Public Report By Beazley Security.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Sonicwall Updated Mitigation Guidance, Rapid7 Customer Notifications, Patch Immediately, Enable Mfa, Restrict Virtual Office Portal Access, , Reset All Sonicwall Credentials (Including Ldap-Synchronized Accounts), Review Mfa Configurations For Otp Vulnerabilities, Audit Ssl Vpn Access Logs For Anomalous Activity, Organizations Using Sonicwall Gen 6/7 Firewalls Should Assume Credential Compromise If Cve-2024-40766 Was Unpatched Pre-August 2024, Monitor For Signs Of Akira Ransomware (E.G., .Akira Extensions, Ransom Notes), Prepare For Potential Data Breach Notifications If Exfiltration Occurred, , Customers Advised To Check Mysonicwall Accounts For Flagged Serial Numbers And Follow Remediation Steps, Reset Credentials Immediately If Cloud Backups Are Enabled, Import New Preference Files (With Awareness Of Vpn/Totp Disruptions), Reconfigure Vpn Pre-Shared Keys And Totp Post-Import, Follow Manual Remediation Guidance If Unable To Import New Files, , Customers Advised To Delete Cloud Backups, Change Mysonicwall Credentials, Rotate Shared Secrets/Passwords, And Recreate Backups Locally., Treat Incident Seriously Despite No Evidence Of Compromise To Production Firewalls Or Customer-Hosted Systems., , Sonicwall Notified All Impacted Partners And Customers With Remediation Guidance., Delete Existing Cloud Backups, Change Credentials, Rotate Shared Secrets, And Recreate Configurations Locally., , Urgent Customer Notifications, Public Disclosure (October 8 Update), Reset All Credentials Associated With Mysonicwall Portal., Regenerate Encryption Keys For Firewall Backups., Update Firmware To The Latest Secure Versions., Monitor Networks For Anomalous Activity., Conduct Forensic Audits Of Firewall Configurations., Review And Harden Vpn And Access Control Settings., , Sonicwall Urgent Customer Advisory, Huntress Threat Briefing For Partners, Check Device Status Via Mysonicwall.Com, Follow Immediate Protection Steps (Credential Resets, Service Restrictions)., , Sonicwall Urgent Customer Advisory, Huntress Threat Briefing, General Cybersecurity Alerts (E.G., Cisa, Industry Forums), Check Device Status Via Mysonicwall.Com, Follow Immediate Mitigation Steps (Credential Resets, Service Disabling), Enable Mfa And Enhanced Logging, Report Suspicious Activity To Sonicwall Support, , Customers advised to reset credentials for MySonicWall accounts, LDAP/RADIUS/TACACS+ servers, and VPN interfaces., Immediate credential rotation recommended for all potentially exposed secrets., Beazley Security Advisories, Vendor Patches/Workarounds (Sonicwall, Microsoft, Etc.), Urgent Patching Notices, Mfa Enforcement Guidelines, , Beazley Security Report (Public), Sonicwall (Cloud Breach Notification) and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Google Threat Intelligence Group (GTIG), Mandiant, SonicWall’s Product Security Incident Response Team (PSIRT), Rapid7, Threatlocker, Arctic Wolf, , Arctic Wolf (Research), Rapid7 (Research), , Anomalous Smb Activity (Impacket), Ldap Discovery Activity, Execution Of Network Scanning/Archival Tools (Winrar, Rclone), Logins From Vps Providers, , Cybersecurity Experts, , Independent Investigation, External Forensics Review, , , Mandiant, , Recommended For All Customers, , Huntress Security Researchers, , , Huntress Security Researchers, Partner Collaborations, , Mandated for All Affected Systems, Mandiant (Incident Response Investigation), , Beazley Security Labs, Cybersecurity Vendors (E.G., Sonicwall, Microsoft), , Recommended (for Zero-Day Exploits), Beazley Security (Insurance/Cybersecurity Arm), , Dark Web Monitoring For Credentials, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Disable SonicWall SSL VPN service, enable security services, enforce MFA, practice good password hygiene, remove inactive user accounts, block suspicious VPN authentication attempts, Mandatory Patching With Verification, Mfa Enforcement For All Sonicwall Services, Network Segmentation For Vpn Portals, Credential Hygiene Audits, Dark Web Monitoring For Exposed Credentials, , Mandate Credential Rotation After Critical Vulnerability Patches, Audit All Ldap Group Mappings To Sensitive Services, Implement Behavioral Detection For Impacket/Rclone Usage, Segment Networks To Limit Domain Controller Exposure, Deploy Application Control To Block Unauthorized Remote Tools, , Hardened Infrastructure With Additional Logging., Implemented Stronger Authentication Controls., Disabled Vulnerable Cloud Backup Service., Advised Customers On Mitigation Steps (Credential Rotation, Local Backups)., , Enhanced Authentication For Cloud Services., Improved Incident Communication Protocols., Development Of Tools For Customer Remediation., , Collaboration With Mandiant For Forensic Analysis., Public Disclosure Revision To Reflect Full Scope., Recommendations For Customer Remediation (Credential Resets, Key Regeneration)., Emphasis On Diversifying Security Stacks And Zero-Trust Adoption., , Sonicwall: Secure Backup Files By Redacting/Encrypting Credentials Separately., Customers: Implement Zero-Trust Principles (Mfa, Least Privilege, Segmentation)., Enhance Logging And Anomaly Detection For Vpn/Authentication Systems., Regular Credential Rotation And Audits For Network Devices., , Sonicwall To Enhance Cloud Backup Security (E.G., Additional Encryption, Access Controls), Mandatory Mfa For All Sonicwall Product Access, Automated Alerts For Unusual Authentication Patterns, Regular Credential Rotation Policies For Customers, Third-Party Audits Of Sonicwall’S Security Practices, , Api Security Enhancements, Customer Credential Reset Advisory, , Mandatory Mfa For All Remote Access (Vpn, Rdp)., Automated Vulnerability Scanning And Patch Prioritization., Dark Web Monitoring For Credential Leaks., Network Segmentation And Micro-Segmentation For Critical Assets., Incident Response Playbooks Updated For Ransomware/Zero-Day Scenarios., , Mandate Mfa For All Remote Access., Enforce Password Complexity And Lockout Policies., Prioritize Patching For Internet-Facing Appliances., Deploy Dark Web Monitoring For Credential Leaks., Train Users On Seo Poisoning And Social Engineering Risks., .

Last Attacking Group: The attacking group in the last incident were an UNC6148, Akira Ransomware Group, Akira ransomware gangFog ransomware gang, Name: Akira ransomware affiliatesAttribution Confidence: HighMotivation: ['financial gain', 'opportunistic']Sophistication Level: Moderate to High, Unnamed Threat Actors, State-sponsored threat actor, Akira RansomwareQilin RansomwareINC RansomwareRhadamanthys Infostealer and AkiraQilinINC RansomwareRhysidaUnnamed Sophisticated Threat Actor (Cisco Exploits).

Most Recent Incident Detected: The most recent incident detected was on 2025-07-15.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-10-01T00:00:00Z.

Highest Financial Loss: The highest financial loss from an incident was $5.34 million.

Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive credentials, persist.db database, certificate files, Yes (exfiltrated prior to encryption), Firewall preference files (encrypted credentials and configuration details), , Firewall Configuration Files, Network Policies, User/Group/Domain Settings, DNS and Log Settings, Certificates, , Firewall Configuration Files (Network Rules, Access Policies, VPN Configurations), Service Credentials (LDAP, RADIUS, SNMP), Admin Usernames and Passwords (if stored in config), , Firewall Configuration Backups, Encrypted Credentials, Network Settings, VPN Configurations, Access Controls, , Firewall Configuration Data, Credentials (Local Windows Accounts, VPN Pre-Shared Keys, LDAP, SNMP, API Secrets), , Firewall Configuration Data, Credentials (Potential), Network Access, , Firewall configuration backup files, Access credentials, Tokens, LDAP/RADIUS/TACACS+ passwords, VPN shared secrets, , VPN Credentials, Corporate Data (via Ransomware), Potential PII (via Infostealers), , Sensitive Configuration Backups (SonicWall Cloud Breach), Potential PII/Enterprise Data (via Ransomware) and .

Most Significant System Affected: The most significant system affected in an incident was Domain Controllersvirtual machine storagebackup systemsendpoints with RMM/EDR tools and SonicWall Firewalls with MySonicWall cloud backups enabled and MySonicWall Cloud Backup Service and MySonicWall Cloud Backup Service and MySonicWall PortalCloud Backup Service and SonicWall SSL VPN DevicesCompromised Customer Networks and SonicWall SSL VPN DevicesLocal Windows Accounts (Attempted Access)Firewall Configurations and MySonicWall cloud backup service and SonicWall SSLVPN AppliancesMicrosoft SharePointCrushFTP ServersCisco ASA VPNCitrix NetScaler and SonicWall VPN DevicesCisco ASA VPN AppliancesCitrix NetScaler GatewaysEnterprise Endpoints (via SEO Poisoning).

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Google Threat Intelligence Group (GTIG), Mandiant, SonicWall’s Product Security Incident Response Team (PSIRT), rapid7, threatlocker, arctic wolf, , arctic wolf (research), rapid7 (research), , cybersecurity experts, , independent investigation, external forensics review, , mandiant, , huntress security researchers, , huntress security researchers, partner collaborations, , mandiant (incident response investigation), , beazley security labs, cybersecurity vendors (e.g., sonicwall, microsoft), , beazley security (insurance/cybersecurity arm), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Disable SonicWall SSL VPN service, patching CVE-2024-40766credential rotationupgrading to SonicOS 7.3.0, Reset all SonicWall credentials (SSL VPN, OTP MFA secrets, LDAP sync accounts)Block logins from VPS hosting providersDisable Virtual Office Portal if unused, Blocked attackers' access to MySonicWall backups, Disabled cloud backup serviceDeleted compromised backups, Urged customers to delete existing cloud backupsEncouraged credential rotation and secret rotationRecommended recreating backups locally, Disclosure of Full ScopeUrgent Customer Advisories, Restrict WAN Management AccessDisable HTTP/S, SSH, and SSL VPN ServicesReset All Credentials (Local Admin, VPN Keys, LDAP, SNMP, API Secrets)Enable Enhanced Logging, Restrict WAN Management AccessDisable HTTP/S, SSH, and SSL VPN Services TemporarilyReset All Credentials (Local Admin, VPN Pre-Shared Keys, LDAP, SNMP, API/DDNS Secrets)Enable Enhanced Logging for Suspicious Activity, Isolation of compromised cloud environmentAPI access restrictions, Temporary Mitigations for Zero-DaysNetwork Access LockdownsCredential Rotation (for VPNs) and MFA Enforcement for Remote AccessDark Web Monitoring for Leaked CredentialsPatching Critical Vulnerabilities (Cisco/Citrix)Compensating Controls for MFA-Exempt Accounts.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Tokens, Potential PII/Enterprise Data (via Ransomware), Network Settings, Access Controls, LDAP/RADIUS/TACACS+ passwords, Sensitive Configuration Backups (SonicWall Cloud Breach), Firewall preference files (encrypted credentials and configuration details), Firewall Configuration Files (Network Rules, Access Policies, VPN Configurations), Firewall Configuration Data, Firewall configuration backup files, Potential PII (via Infostealers), Network Policies, Yes (exfiltrated prior to encryption), VPN Credentials, Credentials (Potential), Network Access, Firewall Configuration Backups, Credentials (Local Windows Accounts, VPN Pre-Shared Keys, LDAP, SNMP, API Secrets), Corporate Data (via Ransomware), Service Credentials (LDAP, RADIUS, SNMP), User/Group/Domain Settings, VPN Configurations, Certificates, Access credentials, Admin Usernames and Passwords (if stored in config), Firewall Configuration Files, Encrypted Credentials, VPN shared secrets, DNS and Log Settings, Sensitive credentials, persist.db database and certificate files.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 105.0.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Possible Lawsuits from Affected Customers, Potential Regulatory Probes, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Credential stuffing/brute force attacks exploit weak lockout policies and password hygiene.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Upgrade to SonicOS 7.3.0 with enhanced MFA protections, Enable multi-factor authentication (MFA) for MySonicWall accounts, Diversify security vendors to reduce dependency on single providers., Restrict WAN management access and disable unnecessary services (HTTP/S, SSH)., Apply patches promptly for critical vulnerabilities (e.g., Cisco/Citrix)., Monitor for Unusual Authentication Patterns or Network Scans, Enforce MFA for all remote access solutions (VPN, RDP, etc.) without exceptions., Audit firewall configurations for unauthorized changes or backdoors., Isolate affected devices until fully remediated., Implement multi-factor authentication (MFA) and least-privilege access for cloud services., Monitor for unusual access patterns or brute-force attempts on cloud services., Adopt zero-trust architectures to mitigate single-vendor risks., Audit and remove default/weak credentials from enterprise appliances., Implement multi-factor authentication (MFA) for cloud services, especially those storing sensitive configurations., Implement Zero Trust Principles for VPN Access, Adopt continuous vulnerability management with prioritized patching for critical CVEs., Review and Harden Firewall Configuration Backups, Category: Prevention, , Monitor for anomalous VPN logins (e.g., via Rapid7/Arctic Wolf), Proactive and comprehensive approach to cybersecurity, Educate customers on secure backup practices, including local storage of sensitive configurations., Regularly audit and rotate credentials and secrets stored in firewall configurations., Regularly audit and rotate credentials, shared secrets, and certificates., Enforce MFA for All Administrative and Remote Access, Implement dark web monitoring for leaked credentials., Enhance API security controls for cloud services storing sensitive data., Educate users on SEO poisoning risks (e.g., fake productivity tools)., Engage third-party security firms for incident response and forensic analysis., Segment networks to limit lateral movement post-compromise., Assume breach for internet-exposed, vulnerable devices and conduct thorough investigations., Regularly audit and rotate credentials stored in configuration files., Category: Response, , Segment cloud environments to limit blast radius of breaches., Monitor for unusual access patterns in cloud storage environments., Enhance anomaly detection and monitoring for brute-force attempts., Practice good password hygiene, Immediate Credential Reset for All SonicWall SSL VPN Users, Monitor dark web for stolen credentials and proactively rotate compromised accounts., Prepare for follow-on attacks leveraging exfiltrated configuration data., Enable MFA for all administrative and remote access accounts., Enforce strong lockout policies and password hygiene to mitigate credential stuffing., Restrict Virtual Office portal access to internal networks only, Organizations with SMA appliances are recommended to check the devices for potential compromise by acquiring disk images, which should prevent interference from the rootkit. GTIG provides a set of indicators of compromise along with the signs analysts should look for to determine if the device was hacked., Monitor for unauthorized API calls and anomalous access patterns., Real-time threat intelligence, Conduct third-party security assessments for cloud backup solutions., Strengthen lockout policies to thwart brute force attacks., Conduct third-party audits of cloud backup infrastructures., Disable SonicWall SSL VPN service, Implement comprehensive MFA and conditional access policies for VPNs/remote access., Monitor for suspicious activity in firewall preference files, Remove inactive or unused local user accounts, Monitor for lateral movement or follow-on attacks using compromised credentials., Disable default LDAP group configurations to prevent over-provisioning, Enable Botnet Protection, Deploy behavioral WAFs and anomaly detection for zero-day exploit prevention., Avoid storing plaintext or weakly encrypted credentials in configuration backups., Disable Unnecessary External Management Interfaces (HTTP/S, SSH), Segment networks to limit lateral movement in case of ransomware infections., Apply SonicWall patches for CVE-2024-40766 immediately, Regularly audit cloud backup configurations, Heightened cybersecurity vigilance, Schedule remediation during low-activity periods to minimize downtime, Assume compromise if unpatched; conduct thorough incident response, Rotate legacy credentials, especially during Gen 6→Gen 7 firewall migrations, Implement multi-factor authentication (MFA) for cloud backup access., Enforce MFA on all remote access accounts, Review compliance with GDPR, NIST, and other relevant standards., Conduct Forensic Analysis to Detect Lateral Movement, Category: Detection, , Block VPN authentication attempts from specific ASNs, Implement MFA and rate-limiting for all cloud services., Robust defense mechanisms, Immediately reset all credentials linked to SonicWall devices (VPN, admin, API, etc.)., Conduct periodic credential rotation for firewall administrators, Avoid storing sensitive configuration files in cloud backups unless absolutely necessary., Regenerate encryption keys and update firmware post-breach., Conduct a thorough review of backup security practices (e.g. and encryption of sensitive fields)..

Most Recent Source: The most recent source of information about an incident are SonicWall SSL VPN Attacks Escalate, Bypassing MFA, Huntress Security Research, Arctic Wolf Threat Intelligence Analysis, Rapid7 Analysis, SonicWall Official Statement (September 2023), SonicWall Advisory (MySonicWall.com), SonicWall Cyber Threat Report, SonicWall Official Statement (September 17, 2023), SonicWall Update (October 9, 2023), Arctic Wolf Research, SonicWall Public Advisory (SNLWID-2024-0015), Huntress Report on SonicWall SSLVPN Attacks (October 13, 2023), ThreatLocker/Arctic Wolf Alerts, Federal agencies, Arctic Wolf, TechRadar Pro, The Register, Rapid7 Advisory, The Hacker News, Beazley Security Q3 2025 Report, BleepingComputer, Arctic Wolf Labs, NIST CVE Database (CVE-2025-53770, CVE-2025-54309, etc.), SonicWall Security Advisory (CVE-2024-40766), Dark Reading, SonicWall Capture Labs, SecurityAffairs, Bitsight Research (Emma Stevens), SonicWall 2024 Cyber Threat Report, Google Threat Intelligence Group (GTIG), CSO Online and Beazley Security Q3 2024 Ransomware Report.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://securityaffairs.com/, https://www.techradar.com, https://www.darkreading.com, https://www.theregister.com, https://www.csoonline.com, https://thehackernews.com, https://www.bleepingcomputer.com, https://arcticwolf.com, https://www.mysonicwall.com, https://nvd.nist.gov/ .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was SonicWall updated mitigation guidance, Rapid7 customer notifications, Reset all SonicWall credentials (including LDAP-synchronized accounts), Review MFA configurations for OTP vulnerabilities, Audit SSL VPN access logs for anomalous activity, Customers advised to check MySonicWall accounts for flagged serial numbers and follow remediation steps, Customers advised to delete cloud backups, change MySonicWall credentials, rotate shared secrets/passwords, and recreate backups locally., SonicWall notified all impacted partners and customers with remediation guidance., Urgent Customer Notifications, Public Disclosure (October 8 Update), SonicWall Urgent Customer Advisory, Huntress Threat Briefing for Partners, SonicWall Urgent Customer Advisory, Huntress Threat Briefing, General Cybersecurity Alerts (e.g., CISA, Industry Forums), Customers advised to reset credentials for MySonicWall accounts, LDAP/RADIUS/TACACS+ servers, and VPN interfaces., Beazley Security Advisories, Vendor Patches/Workarounds (SonicWall, Microsoft, etc.), Beazley Security Report (Public), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Patch immediatelyEnable MFARestrict Virtual Office portal access, Organizations using SonicWall Gen 6/7 firewalls should assume credential compromise if CVE-2024-40766 was unpatched pre-August 2024Monitor for signs of Akira ransomware (e.g., .akira extensions, ransom notes)Prepare for potential data breach notifications if exfiltration occurred, Reset credentials immediately if cloud backups are enabledImport new preference files (with awareness of VPN/TOTP disruptions)Reconfigure VPN pre-shared keys and TOTP post-importFollow manual remediation guidance if unable to import new files, Treat incident seriously despite no evidence of compromise to production firewalls or customer-hosted systems., Delete existing cloud backups, change credentials, rotate shared secrets, and recreate configurations locally., Reset all credentials associated with MySonicWall portal.Regenerate encryption keys for firewall backups.Update firmware to the latest secure versions.Monitor networks for anomalous activity.Conduct forensic audits of firewall configurations.Review and harden VPN and access control settings., Check device status via MySonicWall.comFollow immediate protection steps (credential resets, service restrictions)., Check Device Status via MySonicWall.comFollow Immediate Mitigation Steps (Credential Resets, Service Disabling)Enable MFA and Enhanced LoggingReport Suspicious Activity to SonicWall Support, Immediate credential rotation recommended for all potentially exposed secrets., Urgent Patching NoticesMFA Enforcement Guidelines and SonicWall (Cloud Breach Notification).

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Unknown, SonicWall SSL VPN, Unauthorized API call to cloud backup environment and MySonicWall cloud backup service.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was From at least October 2024, Months (credentials harvested in prior intrusions), Brief Connections for Credential Validation (October 4 Onward), Observed Since 2023-10-04 (Clustered Authentication Attempts Over 2 Days), Prolonged (Akira Campaign Against SonicWall).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Exploitation of known vulnerabilities to steal administrator credentials, Zero-day vulnerability in SonicWall SSL VPN, Unpatched CVE-2024-40766 (known since August 2024)Default LDAP group over-provisioningPublicly accessible Virtual Office portalLegacy credential reuse during migrationsInsufficient MFA enforcement, Failure to rotate credentials after patching CVE-2024-40766Overprivileged LDAP-synchronized accounts in SSLVPN Default Users GroupLack of MFA resilience (OTP bypass via Virtual Office Portal)Insufficient monitoring for rapid attack patterns (<4 hours)Default configurations enabling lateral movement (SMB/RDP), Brute force attacks on MySonicWall cloud backupsInsufficient protection for stored preference files, Inadequate access controls for cloud backup storage.Insufficient monitoring/logging of cloud storage environment.Initial underestimation of breach scope., Weak authentication mechanisms in MySonicWall cloud service, enabling brute-force attacks.Underestimation of the incident's scope during initial disclosure., Inadequate brute-force protection (lack of rate-limiting/MFA).Underestimation of breach scope during initial assessment.Centralized cloud storage creating a single point of failure.Persistent vulnerabilities in SonicWall products (historical context since 2021)., Exposure of credentials in firewall backup files (despite encryption).Lack of MFA enforcement for VPN/admin access.Insufficient monitoring for clustered authentication attempts.Delayed or incomplete vendor disclosure about breach scope., Exposed or Reused Credentials in SonicWall SSL VPNInadequate Protection of Firewall Configuration Backups in MySonicWall CloudLack of MFA Enforcement for Administrative AccessDelayed Detection Due to Brief, Surgical Attack Patterns, Insufficient API access controlsLack of segmentation in cloud backup environment, Weak MFA and lockout policies on VPNs (SonicWall).Delayed patching of zero-day vulnerabilities (CVE-2025-*).Commoditization of stolen credentials via infostealers (e.g., Rhadamanthys).Insufficient network segmentation enabling lateral movement., Lack of Universal MFA on VPN/RDPWeak Lockout Policies (SonicWall)Unpatched Critical Vulnerabilities (Cisco/Citrix)Credential Hygiene Failures (Reused/Weak Passwords)Insufficient Dark Web Monitoring for Leaked Credentials.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Disable SonicWall SSL VPN service, enable security services, enforce MFA, practice good password hygiene, remove inactive user accounts, block suspicious VPN authentication attempts, Mandatory patching with verificationMFA enforcement for all SonicWall servicesNetwork segmentation for VPN portalsCredential hygiene auditsDark web monitoring for exposed credentials, Mandate credential rotation after critical vulnerability patchesAudit all LDAP group mappings to sensitive servicesImplement behavioral detection for Impacket/rclone usageSegment networks to limit Domain Controller exposureDeploy application control to block unauthorized remote tools, Hardened infrastructure with additional logging.Implemented stronger authentication controls.Disabled vulnerable cloud backup service.Advised customers on mitigation steps (credential rotation, local backups)., Enhanced authentication for cloud services.Improved incident communication protocols.Development of tools for customer remediation., Collaboration with Mandiant for forensic analysis.Public disclosure revision to reflect full scope.Recommendations for customer remediation (credential resets, key regeneration).Emphasis on diversifying security stacks and zero-trust adoption., SonicWall: Secure backup files by redacting/encrypting credentials separately.Customers: Implement zero-trust principles (MFA, least privilege, segmentation).Enhance logging and anomaly detection for VPN/authentication systems.Regular credential rotation and audits for network devices., SonicWall to Enhance Cloud Backup Security (e.g., Additional Encryption, Access Controls)Mandatory MFA for All SonicWall Product AccessAutomated Alerts for Unusual Authentication PatternsRegular Credential Rotation Policies for CustomersThird-Party Audits of SonicWall’s Security Practices, API security enhancementsCustomer credential reset advisory, Mandatory MFA for all remote access (VPN, RDP).Automated vulnerability scanning and patch prioritization.Dark web monitoring for credential leaks.Network segmentation and micro-segmentation for critical assets.Incident response playbooks updated for ransomware/zero-day scenarios., Mandate MFA for all remote access.Enforce password complexity and lockout policies.Prioritize patching for internet-facing appliances.Deploy dark web monitoring for credential leaks.Train users on SEO poisoning and social engineering risks..