Security firm SonicWall was the victim of a coordinated attack

The Hacker News reported in an exclusive that the security firm SonicWall was hacked as a result of a coordinated attack on its internal systems.

According to The Hacker News, the security provider was breached on Friday.

The company was targeted with a coordinated attack on its internal systems; according to the initial reports, the threat actors exploited probable zero-day vulnerabilities in its secure remote access products, namely the NetExtender VPN client version 10.x and Secure Mobile Access (SMA).

“The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide users with remote access to internal resources.” The Hacker News reported.

SonicWall told The Hacker News that it believes the coordinated attack was conducted by highly sophisticated threat actors exploiting probable zero-day vulnerabilities in its secure remote access products.

The Hacker News was the first outlet to receive reports that SonicWall’s internal systems had been unavailable since Tuesday and that the attackers had accessed source code hosted on the company’s GitLab repository.

SonicWall immediately launched an investigation into the incident and said it would provide additional updates as more information emerges.

Below is the list of affected products shared by THN:

  • NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances, and the SMA 500v virtual appliance

SonicWall published an Urgent Security Notice, “NetExtender VPN Client 10.X, SMA 100 Series Vulnerability”, that includes a series of recommendations for its customers.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

The NetExtender VPN client and SMB-oriented SMA 100 series are used for providing employees/users with remote access to internal resources. The SMA 1000 series is not susceptible to this vulnerability and utilizes clients different from NetExtender.” states the urgent security notice published by the security provider.

For the SMA 100 series, the vendor recommends using a firewall to allow SSL-VPN connections to the SMA appliance only from known/allow-listed IPs, or configuring the allow-list directly on the SMA itself.

For firewalls with SSL-VPN access via the NetExtender VPN client, the security firm recommends that organizations using version 10.x either disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list of their public IPs.

SonicWall also recommends enabling multi-factor authentication on all SonicWall SMA, firewall and MySonicWall accounts.
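The allow-list recommendation above is only as good as its enforcement, so the useful check is to verify, from the firewall's own connection records, that nothing outside the approved ranges is reaching the SSL-VPN listener. The Python below is an added example, not SonicWall code or configuration: it parses constructed connection-log lines (the format is invented for this example and is not the appliance's native format), flags sources outside a CIDR allow-list, and warns about allow-list entries broad enough to defeat the control. The IP ranges, the log lines and the prefix-length thresholds are assumptions chosen for illustration.

```python
"""Allow-list audit for inbound SSL-VPN connection attempts.

Added example (not SonicWall's code or configuration). The log format,
address ranges and thresholds below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allow-list: the public egress ranges an organisation has
# approved for SSL-VPN access (documentation ranges, assumed for the example).
ALLOW_LIST = [
    "198.51.100.0/24",   # corporate office egress (assumed)
    "203.0.113.7/32",    # admin jump host (assumed)
    "2001:db8:1::/48",   # IPv6 office range (assumed)
]

# Constructed sample records: "timestamp src dst:port action".
# Every line is marked "allow" because the question being asked is whether the
# firewall in front of the appliance is actually restricting sources.
SAMPLE_LOG = """\
2021-01-22T10:01:05Z 198.51.100.23 192.0.2.10:443 allow
2021-01-22T10:02:11Z 203.0.113.7 192.0.2.10:443 allow
2021-01-22T10:03:40Z 192.0.2.200 192.0.2.10:443 allow
2021-01-22T10:04:02Z 2001:db8:1::5 192.0.2.10:443 allow
2021-01-22T10:05:59Z 2001:db8:ffff::9 192.0.2.10:443 allow
"""


@dataclass(frozen=True)
class Attempt:
    timestamp: str
    src: str
    dst: str
    action: str


def build_allow_list(cidrs):
    """Parse CIDR strings into network objects.

    strict=True rejects entries with host bits set (e.g. 198.51.100.5/24),
    which usually indicates a typo in the allow-list rather than intent.
    """
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(src, nets):
    """True if src falls inside at least one allow-listed network.

    A malformed source field fails closed (treated as not allowed) instead
    of aborting the audit or silently passing.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # Mixed IPv4/IPv6 membership tests are False in the ipaddress module,
    # so a v6 source never matches a v4 range by accident.
    return any(addr in net for net in nets)


def parse_log(text):
    """Split the constructed whitespace-separated records into Attempts."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action = line.split()
        attempts.append(Attempt(ts, src, dst, action))
    return attempts


def audit(text, cidrs):
    """Return attempts whose source is outside the allow-list."""
    nets = build_allow_list(cidrs)
    return [a for a in parse_log(text) if not is_allowed(a.src, nets)]


def overly_broad(cidrs, min_v4_prefix=16, min_v6_prefix=48):
    """Return allow-list entries wide enough to defeat the control.

    0.0.0.0/0 or a whole /8 technically "allow-lists" a source but restricts
    nothing. The prefix thresholds are assumptions; tune them to the
    organisation's real egress footprint.
    """
    flagged = []
    for net in build_allow_list(cidrs):
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < limit:
            flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG, ALLOW_LIST):
        print(f"UNLISTED {a.timestamp} {a.src} -> {a.dst} ({a.action})")
    for entry in overly_broad(ALLOW_LIST):
        print(f"WARNING allow-list entry too broad: {entry}")
```

Run against the constructed log, the audit reports the two sources (one IPv4, one IPv6) that were allowed through but sit outside the approved ranges; against real firewall exports, the same two functions tell you whether the allow-list exists only on paper.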

This incident could have a significant impact on the many organizations that use the above products. It is the latest in a series of incidents affecting security vendors: Malwarebytes recently revealed that it was hit by the SolarWinds attackers, the same actors behind the intrusions at FireEye, Microsoft, and CrowdStrike.

Update 25 January 2021

The security provider confirmed that the following products are not affected:

  • SonicWall Firewalls: All generations of SonicWall firewalls are not affected by the vulnerability impacting the SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v). No action is required from customers or partners.
  • NetExtender VPN Client: While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners.
  • SMA 1000 Series: This product line is not affected by this incident. Customers are safe to use SMA 1000 series and their associated clients. No action is required from customers or partners.
  • SonicWall SonicWave APs: No action is required from customers or partners.


Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
