SonicWall Investigating Zero-Day Attacks Against Its Products


Company Says Certain VPNs and Gateways Affected By ‘Coordinated Attack’

A zero-day attack is affecting SonicWall’s SMA 100 series gateway products (Source: SonicWall)

Security vendor SonicWall is investigating what the company calls a “coordinated attack” against its internal network by threat actors using a zero-day exploit within the company’s remote access products.


In a short statement posted to customers, SonicWall says it is continuing to investigate the incident and that users of certain versions of its Secure Mobile Access (SMA) gateway products should apply temporary fixes until a permanent patch is available.

And while SonicWall did not release details about the zero-day attack and the vulnerability, the company stressed that this security incident appears well planned.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” according to the company statement released Friday.

On Saturday, SonicWall released an updated statement, which detailed a number of products not affected by the attack. This includes the NetExtender VPN Client access product, which the firm originally believed had been targeted in the initial attack.

“While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners,” according to the company.

Which Products Are Affected?

As of Saturday, SonicWall said it was still investigating potential vulnerabilities in several versions of its Secure Mobile Access gateway product version 10.x, which runs on the SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances as well as the SMA 500v virtual appliance.

The company notes that its SMA 100 series products are physical devices used for providing employees and other users with remote access to internal resources. The company’s remote access products are sold to both small businesses as well as large enterprises.

For now, SonicWall is urging its customers to use a firewall to allow SSL-VPN connections to the SMA appliance only from known or whitelisted IP addresses. Customers can also configure whitelist access on the SMA gateway itself, according to the update.

SonicWall is also urging its customers to use multifactor authentication with all its products.

Finally, SonicWall suggests that SMA 100 series administrators create specific access rules or disable its Virtual Office web portal and HTTPS administrative access from the internet while the company continues to investigate the vulnerability.
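As an added illustration of the interim firewall mitigation described above (not SonicWall's own guidance or code), the following Python script audits constructed firewall log lines and reports SSL-VPN connections to the SMA appliance that the firewall allowed from sources outside a known-IP allowlist. The appliance address, the allowlist, the port and the log format are all assumptions.

```python
import ipaddress

# Hypothetical allowlist of networks permitted to reach the SMA appliance (constructed values).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
# Hypothetical address of the SMA appliance and the port its SSL-VPN / Virtual Office portal uses.
SMA_ADDRESS = ipaddress.ip_address("192.0.2.50")
SMA_PORTS = {443}


def parse_line(line):
    """Parse one constructed firewall log line of the form
    '<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def is_allowed_source(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ALLOWED_SOURCES)


def audit(log_lines):
    """Return (source, port) pairs for connections to the SMA's SSL-VPN port that the
    firewall allowed from outside the allowlist, i.e. where the mitigation is not enforced."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec["dst"] != SMA_ADDRESS or rec["dport"] not in SMA_PORTS:
            continue  # traffic to something other than the SMA portal is out of scope
        if rec["action"] == "allow" and not is_allowed_source(rec["src"]):
            findings.append((str(rec["src"]), rec["dport"]))
    return findings


# Constructed sample log lines: two allowlisted clients, one unexpected allow, one deny,
# and one connection to a different host that must be ignored.
SAMPLE_LOG = [
    "2021-01-23T10:00:01Z src=203.0.113.7 dst=192.0.2.50 dport=443 action=allow",
    "2021-01-23T10:00:05Z src=198.51.100.10 dst=192.0.2.50 dport=443 action=allow",
    "2021-01-23T10:01:12Z src=192.0.2.200 dst=192.0.2.50 dport=443 action=allow",
    "2021-01-23T10:02:30Z src=192.0.2.201 dst=192.0.2.50 dport=443 action=deny",
    "2021-01-23T10:03:00Z src=192.0.2.202 dst=192.0.2.60 dport=443 action=allow",
]

if __name__ == "__main__":
    for src, port in audit(SAMPLE_LOG):
        print(f"unexpected allowed access to SMA port {port} from {src}")
```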

While SonicWall is still investigating the exploitation of the zero-day vulnerability in its SMA 100 series gateway products, the company now believes the attacks do not affect its line of firewall products or its SMA 1000 series, which is a separate line of gateway products.

Other Incidents

Other security vendors have also warned about recent security issues affecting their products or internal networks.

Earlier this month, researchers warned that attackers appear to have started scanning for vulnerable Zyxel products, including VPN gateways, access point controllers and firewalls. A vulnerability in the company’s firmware, which was first disclosed in December by researchers, can be exploited to install a hard-coded backdoor that could give threat actors remote administrative privileges. This particular flaw could affect about 100,000 of the company’s products (see: Researchers Warn Attackers Are Scanning for Zyxel Products).

On Tuesday, the CEO of Malwarebytes acknowledged that the hackers who attacked SolarWinds also targeted his company and gained access to a “limited subset of internal company emails.” Malwarebytes is now the third security firm, along with FireEye and Microsoft, known to be affected by the supply chain attack (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).

There is currently no indication that the zero-day attack affecting the SonicWall products is related to the SolarWinds hacking incident. Zero-day exploits, however, are increasingly being purchased by nation-state hacking groups to launch multiple attacks, according to an April 2020 report (see: More Zero-Day Exploits For Sale: Report).