SonicWall network attacked via zero days in its VPN and secure access solutions

A screenshot of SonicWall’s home page. Note the link to the incident disclosure at the top of the page.

Cybersecurity firm SonicWall disclosed Friday night that hackers attacked the company’s internal networks by first exploiting zero-day vulnerabilities in its very own secure remote access products.

SC Media received an anonymous tip Friday that SonicWall had suffered an attack, but did not get confirmation ahead of the disclosure by the company.

SonicWall, whose product line includes firewalls; network security and access solutions; and email, cloud and endpoint security solutions, acknowledged in a company statement late that evening that an incident took place. “Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” the statement reads.

The products that the adversaries exploited to gain entry to its systems include its NetExtender VPN client and its SMB-oriented SMA (Secure Mobile Access) gateway and physical appliances, which are “used for providing employees/users with remote access to internal resources.”

More specifically, these products are (as listed by SonicWall):

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

Any SonicWall customer using these solutions is vulnerable to the same zero-day flaws. The company has therefore set up a web page where it is providing mitigation guidelines to channel partners and customers.

Among its recommendations: “use a firewall to allow only SSL-VPN connections to the SMA appliance from known/whitelisted IPs,” or “configure whitelist access on the SMA directly itself.” Also, “disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist for their public IPs.”
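One way to check that such an allow-list is actually being enforced is to audit the firewall's connection log for accepted SSL-VPN sessions from sources outside it. The following is an added example, not code from SonicWall or the original article; the key=value log format, the addresses (documentation ranges), the appliance address and port 443 are all assumptions made for illustration.

```python
import ipaddress

# Constructed allow-list (documentation ranges); replace with your known public IPs.
ALLOWED = ["198.51.100.0/24", "203.0.113.7/32", "2001:db8:10::/48"]
SMA_ADDR = "192.0.2.10"   # hypothetical address of the SMA appliance
SSLVPN_PORT = 443         # assumed SSL-VPN listener port

# Constructed log lines in a hypothetical key=value firewall export format.
SAMPLE_LOG = """\
2021-02-01T01:12:04Z action=allow src=198.51.100.23 dst=192.0.2.10 dport=443
2021-02-01T01:12:09Z action=allow src=203.0.113.99 dst=192.0.2.10 dport=443
2021-02-01T01:13:40Z action=deny src=203.0.113.99 dst=192.0.2.10 dport=443
2021-02-01T01:14:02Z action=allow src=2001:db8:10::5 dst=192.0.2.10 dport=443
2021-02-01T01:15:11Z action=allow src=203.0.113.7 dst=192.0.2.20 dport=443
2021-02-01T01:16:30Z action=allow src=not-an-ip dst=192.0.2.10 dport=443
"""

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit(log_text, allowed=ALLOWED, sma=SMA_ADDR, port=SSLVPN_PORT):
    """Return (violations, unparsed).

    violations: source IPs of *allowed* connections to the SMA's SSL-VPN port
                that fall outside the allow-list (the rule is not doing its job).
    unparsed:   matching lines whose source address could not be parsed, kept
                for manual review rather than silently dropped.
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    violations, unparsed = [], []
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("dst"), f.get("dport"), f.get("action")) != (sma, str(port), "allow"):
            continue  # other destination or port, or already denied
        try:
            src = ipaddress.ip_address(f.get("src", ""))
        except ValueError:
            unparsed.append(line)
            continue
        if not any(src.version == n.version and src in n for n in nets):
            violations.append(str(src))
    return violations, unparsed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An empty violations list over a representative log window indicates the restriction is in effect; any entry means a connection was accepted from an address that should have been blocked.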

SonicWall has also advised users to enable multi-factor authentication on all SonicWall SMA, firewall and MySonicWall accounts.

The post SonicWall network attacked via zero days in its VPN and secure access solutions appeared first on SC Media.
