On Friday evening, SonicWall announced that it “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
The network security company initially said that several of its products were impacted, but the following day announced that some of those were not affected after all.
“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall said while warning the public about the potential zero-day vulnerabilities in the NetExtender VPN Client and Secure Mobile Access (SMA) physical and virtual appliances.
They shared some mitigation advice and urged admins to enable multi-factor authentication on all SonicWall SMA, firewall, and MySonicWall accounts.
On Saturday, the news was more favorable: the NetExtender VPN Client is not affected, and neither are all generations of SonicWall firewalls, SonicWall SonicWave APs, and SMA 1000 series.
The jury is still out on the SMA 100 Series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), a unified gateway that enables organizations to provide secure remote access to corporate resources hosted on-prem, in the cloud, and in hybrid datacenters.
Until they confirm whether those devices are affected or not, SonicWall said current SMA 100 series customers may continue to use NetExtender for remote access.
“We have determined that this use case is not susceptible to exploitation,” the company noted, and advised SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while they continue to investigate the vulnerability.
The nature of the attack is still unknown
Help Net Security has reached out to SonicWall and enquired about the nature of the attack on its internal systems, but we’ve yet to hear back from them.
The main worry, of course, is that it, too, has been hacked by the SolarWinds attackers, who, after compromising the IT solutions maker, went on to burrow into the networks and systems of FireEye, Microsoft, and Malwarebytes, and possibly other cybersecurity and IT companies – not to mention targets outside the IT and IT security sector.
UPDATE (January 26, 2021, 10:40 a.m. PT):
There is still no news about the potential zero-day in the SMA 100 Series, but SonicWall let us know that the guidance to disable Virtual Office and the HTTPS administrative interface no longer applies.
In addition to this, they strongly urge organizations with active SMA 100 Series appliances to enable 2FA on them and to consider further securing access to these devices by:
- Enabling Geo-IP/botnet filtering and creating a policy blocking web traffic from countries that do not need to access their applications
- Enabling and configuring End Point Control (EPC) to verify a user’s device before establishing a connection
- Restricting access to the portal by enabling Scheduled Logins/Logoffs.