Hacking

Security firm SonicWall was the victim of a coordinated attack

The Hacker News reported in an exclusive that the security firm SonicWall was hacked as a result of a coordinated attack on its internal systems.

TheHackerNews revealed in an exclusive that the security provider SonicWall was hacked on Friday.

The company was targeted with a coordinated attack on its internal systems; the threat actors exploited zero-day vulnerabilities in its secure remote access products, namely the NetExtender VPN client version 10.x and Secure Mobile Access (SMA).

“The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide users with remote access to internal resources,” reported The Hacker News.

SonicWall told The Hacker News that it believes the coordinated attack was conducted by highly sophisticated threat actors exploiting probable zero-day vulnerabilities in its secure remote access products.

The Hacker News was the first outlet to receive reports that SonicWall’s internal systems had been unavailable since Tuesday and that the source code hosted on the company’s GitLab repository had been accessed by the attackers.

SonicWall immediately launched an investigation into the incident and said it would provide additional updates as more information emerges.

Below is the list of affected products shared by THN:

  • NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance

SonicWall published an Urgent Security Notice for the NetExtender VPN Client 10.X and SMA 100 Series vulnerability that includes a series of recommendations for its customers.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

The NetExtender VPN client and SMB-oriented SMA 100 series are used for providing employees/users with remote access to internal resources. The SMA 1000 series is not susceptible to this vulnerability and utilizes clients different from NetExtender.” states the urgent security notice published by the security provider.

For the SMA 100 series, the vendor recommends using a firewall to allow SSL-VPN connections to the SMA appliance only from known/whitelisted IPs, or configuring whitelist access directly on the SMA appliance itself.

For firewalls with SSL-VPN access via the NetExtender VPN client, the security firm recommends that organizations using version 10.X either disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist of their public IPs.

SonicWall also recommends enabling multi-factor authentication on all SonicWall SMA, firewall and MySonicWall accounts.
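As an added illustration of the allow-list recommendation above (example code written for this article, not SonicWall's own tooling, and using a constructed record layout rather than SonicWall's log format): a small Python audit that checks SSL-VPN connection records against an allow list of known source networks and reports which connections the recommended firewall rule would have blocked. The allow-listed networks and the sample records are constructed values from documentation ranges.

```python
import ipaddress

# Constructed allow list of known/trusted source networks (documentation ranges, not real).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # assumed corporate egress range
    ipaddress.ip_network("198.51.100.7/32"),  # assumed single remote-admin address
]

# Constructed sample records: "timestamp user src_ip service" per line.
# This layout is invented for the example; it is not a SonicWall log format.
SAMPLE_RECORDS = """\
2021-01-22T09:14:02Z alice 203.0.113.45 sslvpn
2021-01-22T09:16:40Z bob 198.51.100.7 sslvpn
2021-01-22T09:17:11Z alice 192.0.2.200 sslvpn
2021-01-22T09:20:55Z carol 2001:db8::10 sslvpn
2021-01-22T09:21:03Z admin 203.0.113.9 mgmt
"""


def is_allowed(src_ip: str, allowed=ALLOWED_SOURCES) -> bool:
    """True if src_ip (IPv4 or IPv6) falls inside any allow-listed network.

    ip_network.__contains__ already returns False on an address-family mismatch,
    so an IPv6 source is blocked unless an IPv6 network is on the list.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def audit(records: str, allowed=ALLOWED_SOURCES) -> list[dict]:
    """Return the SSL-VPN connections an allow-list rule would have blocked."""
    blocked = []
    for line in records.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines rather than crash the audit
        ts, user, src, service = fields
        if service != "sslvpn":
            continue  # the recommendation is scoped to SSL-VPN access only
        if not is_allowed(src, allowed):
            blocked.append({"time": ts, "user": user, "src": src})
    return blocked


if __name__ == "__main__":
    for hit in audit(SAMPLE_RECORDS):
        print(f"{hit['time']} user={hit['user']} src={hit['src']} "
              "would be blocked by the allow-list rule")
```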

This incident could have a significant impact on the many organizations that use the products listed above. It is the latest in a series of incidents affecting security vendors: Malwarebytes recently revealed that it was hit by the SolarWinds attackers, the same group that compromised FireEye, Microsoft, and CrowdStrike.

Update 25 January 2021

The security provider confirmed that the following products are not affected:

  • SonicWall Firewalls: All generations of SonicWall firewalls are not affected by the vulnerability impacting the SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v). No action is required from customers or partners.
  • NetExtender VPN Client: While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners.
  • SMA 1000 Series: This product line is not affected by this incident. Customers are safe to use SMA 1000 series and their associated clients. No action is required from customers or partners.
  • SonicWall SonicWave APs: No action is required from customers or partners.


Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
