SonicWall Breach Exposes Firewall Configurations in Targeted Cyberattack
SonicWall, a well-known cybersecurity company, recently revealed that hackers gained unauthorized access to its cloud management platform, MySonicWall. The attackers used brute-force methods to break into accounts and access firewall configuration backups—a type of file that contains sensitive information about how customers' networks are protected. While only a small percentage of customers (less than 5%) were affected, the breach is notable because it involved infrastructure managed directly by SonicWall, rather than a weakness on the customer’s end.
The stolen configuration files included encrypted passwords, network policies, and other technical details that could help cybercriminals better understand the layout and defenses of targeted networks. Although the passwords were encrypted, experts warn that even having visibility into network architecture can give attackers an advantage when planning future attacks. Because firewall settings are central to a company’s cybersecurity defenses, unauthorized access to them raises serious concerns about potential downstream threats.
In response to the breach, SonicWall has temporarily disabled the affected backup feature and launched an investigation with the help of external cybersecurity experts. The company has notified law enforcement and directly informed impacted customers, advising them to reset passwords, review logs for suspicious activity, and follow additional security steps. While the scope of the breach appears limited, the incident serves as a reminder that even security vendors are not immune to cyberattacks—and that protecting cloud-based systems is more critical than ever.
Hackers Claim Massive Salesforce Data Breach Affecting 760 Companies
The group ShinyHunters says it stole about 1.5 billion records from Salesforce via a cyber‑attack tied to compromised tools from companies like Salesloft and Drift. Attackers used malicious “OAuth tokens” (these are like digital keys that let apps connect to other systems securely) to pull in data from Salesforce “objects” like account, contact, user, case, and opportunity. In total, they say 760 companies were affected.
The stolen information includes things like customer support tickets, contact databases, user profiles, and internal business data. Hackers also reportedly searched the data for even more secrets—passwords, access keys, credentials—that could let them break into other systems. To protect themselves, affected organizations are being urged to use strict security settings: enforce multi‑factor authentication, limit what apps can connect, and regularly audit connected applications.
Microsoft Shuts Down Global Phishing Service RaccoonO365
Microsoft, with help from Cloudflare and US law enforcement, disrupted a phishing service called RaccoonO365. This service provided “phishing-as-a-service” kits: tools that let even less experienced attackers send fake Microsoft-branded emails and websites in order to steal login credentials. Microsoft used a court order to seize 338 websites connected to RaccoonO365.
Since July 2024, the service is believed to have stolen at least 5,000 Microsoft account credentials across 94 countries. It targeted thousands of organizations in the U.S., including healthcare providers, often using tax-related or urgent themes to trick people.
Microsoft also identified a person, Joshua Ogundipe from Nigeria, as the main organizer behind RaccoonO365. The group operated much like a business: offering subscriptions, support, and infrastructure tools. Disrupting it involved taking down infrastructure, banning domains, and blocking access to their system.
Defensible Strategies
Learn from those who have been attacked
Shai-Hulud Sands Up NPM with Worming Supply Chain Attack
A malicious software campaign, named after the infamous Shai-Hulud, hit the NPM ecosystem (used by many software developers) by infecting over 180 packages with a “worm” — code that spreads itself automatically. Attackers compromised more than 40 developer accounts and published over 700 malicious new package versions. The injected code was designed to search for sensitive credentials (like API keys, tokens, environment variables) and leak them, make private code repositories public, and dump secrets into public spaces.
The infection worked especially through “post‑install scripts,” which are small programs that run after someone installs a package. If those scripts discovered credentials (or tokens), they used them to spread the malware further by updating other packages the compromised accounts had access to. Some of the harvested secrets were published immediately; others lingered.
Developers are being urged to check whether their GitHub/NPM accounts have been compromised (e.g. look for unexpected repositories, new branches, or packages), revoke and replace any access tokens or keys, and lock down dependencies (for example by “pinning” them so versions don’t change automatically). The attack is seen as very serious for the JavaScript/NPM community because many projects depend on packages from dozens of other authors, so one compromised package can affect lots of others.
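As an added example (not code from the article or from the NPM project), here is a small Node script that audits a constructed package manifest for the two things described above: install-time lifecycle hooks, which the worm used to run, and dependency ranges that are not pinned to an exact version, which let a newly published malicious version be pulled in. All package names and scripts are made up.

```javascript
// Added example: audit a package.json for unpinned ranges and for installed
// packages that declare install-time lifecycle scripts. Sample data is constructed.

// Hooks npm runs automatically around installation.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// "Pinned" means an exact semver string: no ^, ~, *, ranges or dist-tags.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Return every dependency whose range is not an exact version.
function findUnpinned(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT_SEMVER.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

// Given a map of installed package name -> that package's package.json,
// list every install-time hook so it can be reviewed before it is trusted.
function findLifecycleScripts(installed) {
  const out = [];
  for (const [name, pkg] of Object.entries(installed)) {
    for (const hook of LIFECYCLE_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) out.push({ name, hook, cmd: pkg.scripts[hook] });
    }
  }
  return out;
}

function audit(manifest, installed) {
  return { unpinned: findUnpinned(manifest), hooks: findLifecycleScripts(installed) };
}

// Constructed sample input: one pinned dependency, three floating ones,
// and one installed package with a postinstall hook.
const sampleManifest = {
  dependencies: { "left-pad": "1.3.0", "some-lib": "^2.1.0", "other-lib": "latest" },
  devDependencies: { "test-tool": "~4.0.1" },
};
const sampleInstalled = {
  "left-pad": { scripts: { test: "node test.js" } },
  "some-lib": { scripts: { postinstall: "node setup.js" } },
};

console.log(JSON.stringify(audit(sampleManifest, sampleInstalled), null, 2));
```

Pinning alone does not stop a hook in a version you already trust, so pairing it with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and a manual review of anything this audit lists is the usual defensive setup.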
Boards Must Take Responsibility for Cybersecurity, Say Experts and New Regulations
Cybersecurity breaches are no longer viewed as just the responsibility of security teams or Chief Information Security Officers (CISOs). Today, company boards and senior leaders are increasingly expected to take direct accountability for protecting their organizations from cyber threats. This shift means that boards can’t simply rely on CISOs to handle cybersecurity—they must actively oversee and manage cyber risks themselves.
Many experts believe that if serious data breaches occur, board members should face consequences, including fines or legal action, if they have failed in their oversight duties. Updates to current regulations, especially the EU's NIS2 and DORA frameworks, are pushing this trend by requiring boards to be more involved in cybersecurity decisions and risk management, although many experts think these rules still don’t go far enough to ensure accountability.
Ultimately, organizations need their boards to be proactive, informed, and engaged in cybersecurity efforts—not just reacting after a breach happens. Effective cybersecurity governance starts at the top, and strong leadership is critical to preventing attacks and minimizing damage when incidents occur.