Firewall and network security appliance manufacturer SonicWall is urging customers to take preventive actions after its own systems were attacked through previously unknown vulnerabilities in some of its products. “Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” the company said in an alert on its website late Friday.
Initially the company suspected that several of its Secure Mobile Access (SMA) series physical and virtual appliances, as well as the NetExtender VPN client and SonicWall firewalls, were vulnerable. However, after further investigation, the list of affected products was revised on Saturday.
The company determined that no generation of SonicWall firewalls is impacted, and neither are the NetExtender VPN client, SonicWall SonicWave access points or the SMA 1000 Series. The only products still considered vulnerable are the SMA 100 series appliances, which include the SMA 200, SMA 210, SMA 400, SMA 410 and the virtual SMA 500v.
The SMA 100 series appliances are access management gateways for small- and medium-sized businesses. They give remote employees browser-based and VPN-based access to the company's internal resources, or to hybrid resources hosted in the cloud, and can be combined with a VPN client such as NetExtender.
“Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series,” the company said. “We have determined that this use case is not susceptible to exploitation.”
SMA 100 Series customers urged to take action
However, users of SMA 100 Series appliances running version 10.x of the software are strongly advised to disable internet-facing access to the Virtual Office (the user-facing web portal) and to the HTTPS administrative interface while the vulnerabilities are being investigated. If that is not practical, customers should at least enforce IP-based access rules that limit those interfaces to known source addresses. This can be done either on a firewall in front of the appliance or on the SMA itself, following the company's instructions.
Another recommendation is to enable multi-factor authentication for all SMA, SonicWall firewall and MySonicWall accounts. SMA supports time-based one-time passwords (TOTP) generated with mobile apps such as Google Authenticator. TOTP can also be enabled as a second factor alongside LDAP authentication for SSL-VPN connections on SonicWall appliances.
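To make concrete what the TOTP second factor recommended above actually checks, the following is an added example written for this page; it is not SonicWall's implementation and does not come from the original article. It implements RFC 4226 HOTP and RFC 6238 TOTP generation plus a server-side verifier with drift tolerance and replay protection, assuming the 30-second step and six-digit codes that Google Authenticator uses by default. The secret is the published RFC test secret ("12345678901234567890"), used only so the output can be checked against the RFC test vectors; the one-step drift window and the "never accept a counter at or below the last accepted one" rule are design choices of this example, not documented SMA settings.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret in the base32 form an authenticator app receives when it scans
# the enrolment QR code. This is the RFC 4226 / RFC 6238 test secret, used
# here only so results can be checked against the published vectors.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # time step; Google Authenticator and most servers use 30 s
DIGITS = 6          # six-digit codes, as shown by the app
WINDOW = 1          # accept one step before/after "now" to absorb clock drift


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, for_time // step)


class TotpVerifier:
    """Server-side check: constant-time compare, small drift window, and a
    replay guard so a code sniffed or phished in one step cannot be reused."""

    def __init__(self, secret_b32: str, window: int = WINDOW,
                 step: int = STEP_SECONDS) -> None:
        self.secret = secret_b32
        self.window = window
        self.step = step
        # Highest time-step counter already used for a successful login.
        # Starting at -1 also keeps negative counters out of struct.pack.
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay: this step, or an older one, was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Prints the code an authenticator app would show right now for the demo
    # secret, then verifies it once and shows that a second use is refused.
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("current code:", code, "first use:", v.verify(code, now),
          "replay:", v.verify(code, now))
```

Two points a practitioner should take from this. First, the verifier compares with `hmac.compare_digest` and records the last accepted counter, so an attacker who captures a valid code (for instance through a phishing page that relays the login) cannot replay it within the drift window. Second, TOTP protects the credential, not the appliance: a pre-authentication flaw in the management interface or portal is reached before any second factor is consulted, which is why the advisory pairs MFA with cutting internet exposure and enforcing source-IP restrictions.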
SonicWall attacker motives unclear
It’s not clear what the hackers who targeted SonicWall were after, or whether their goal was cyberespionage or financial gain, as with ransomware and other forms of extortion. The company did not release any information about attack payloads, tools or other indicators of compromise (IOCs), so defenders currently have nothing vendor-supplied to hunt for beyond the affected product list. A SonicWall representative tells CSO via email that the company is not divulging additional information at this time beyond what was released in its alert.
Attackers targeting security vendors
SonicWall is the third cybersecurity vendor to recently announce a security breach after FireEye and Malwarebytes. Both FireEye and Malwarebytes were targeted by the same threat actor that is associated with the Russian intelligence services and which was also responsible for the larger software supply chain attack involving poisoned SolarWinds software updates. Malwarebytes was targeted through a different attack vector involving applications with privileged access to Microsoft Office 365 and Azure environments. A similar attack vector was attempted against cybersecurity firm CrowdStrike.
While there is currently no known link between the attack against SonicWall and the SolarWinds or Azure attacks, it’s clear that attackers are no longer holding back from targeting even the most security-aware organizations: the security vendors themselves.