Exclusive: SonicWall Hacked Using 0-Day Bugs In Its Own VPN Product

2021-01-23T05:50:00
ID THN:578EEED10215F2C3304CCA1535B2F9F8
Type thn
Reporter The Hacker News
Modified 2021-01-25T05:31:15

Description

SonicWall, a popular internet security provider of firewall and VPN products, late on Friday disclosed that it fell victim to a coordinated attack on its internal systems.

The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide users with remote access to internal resources.

"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the company exclusively told The Hacker News.

The development comes after The Hacker News received reports that SonicWall's internal systems went down earlier this week on Tuesday and that the source code hosted on the company's GitLab repository was accessed by the attackers.

SonicWall wouldn't confirm the reports beyond the statement, adding it would provide additional updates as more information becomes available.

The complete list of affected products includes:

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance

The company said its SMA 1000 series is not susceptible to the zero-days and that it utilizes clients different from NetExtender.

It has also published an advisory urging organizations to enable multi-factor authentication, disable NetExtender access to the firewall, restrict access to users and admins for public IP addresses, and configure whitelist access on the SMA directly to mitigate the flaws.

With a number of cybersecurity vendors such as FireEye, Microsoft, Crowdstrike, and Malwarebytes becoming targets of cyberattacks in the wake of the SolarWinds supply chain hack, the latest breach of SonicWall raises significant concerns.

"As the front line of cyber defense, we have seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations," SonicWall said.

UPDATE (24 Jan, 2021)

SonicWall, in an updated advisory on Saturday, said its NetExtender VPN clients are no longer affected by the potential zero-day vulnerabilities that it said were used to carry out a "coordinated attack" on its internal systems.

The company, however, said it's continuing to investigate the SMA 100 Series for probable zero-days.

"While we previously communicated NetExtender 10.x as potentially having a zero-day, that has now been ruled out," the company stated. "It may be used with all SonicWall products. No action is required from customers or partners."

That said, specifics about the nature of the attack and what prompted SonicWall to investigate its own products as a possible attack vector remain unclear as yet.

We have reached out to the company for details, and we'll update the story if we hear back.
