Experts warn of active exploitation of SonicWall zero-day in the wild

Researchers from the security firm NCC Group warn of the exploitation in the wild of a SonicWall zero-day vulnerability.

Security experts from the firm NCC Group have detected “indiscriminate” exploitation of a SonicWall zero-day in attacks in the wild, ZDNet reported.

NCC Group first disclosed the attacks on SonicWall devices on Sunday but did not provide details about the flaw exploited by the threat actors.

The experts reported the vulnerability to the security provider, they also claim to have identified the same zero-day vulnerability exploited by SolarWinds hackers to breach SonicWall’s internal network.

Anyway, SonicWall did not confirm that the vulnerability under active exploitation is the same involved in the attacks against its infrastructure.

On January, 29 SonicWall announced it is still investigating the presence of a zero-day vulnerability in the Secure Mobile Access (SMA) gateways.  

SMA gateways are used by enterprise organizations to provide access to resources on intranets to remote employees.

“As we head into the weekend, we continue to investigate the SMA 100 Series, however the presence of a potential zero-day vulnerability remains unconfirmed.” reads SonicWall’s update.

“We have also analyzed several reports from our customers of potentially compromised SMA 100 series devices.  In these cases, we have so far only observed the use of previously stolen credentials to log into the SMA devices. The SMA appliance, due to its nature and due to prevalence of remote work during the pandemic, effectively acts as a “canary” to raising an alert about inappropriate access.”

The NCC team confirmed to have demonstrated how to exploit a possible candidate for the vulnerability.

SonicWall experts pointed out that proof of concept (PoC) exploit code utilizing the Shellshock exploit shared on social media is not effective against its devices.

“We’re also aware of social media posts that shared either supposed proof of concept (PoC) exploit code utilizing the Shellshock exploit, or screenshots of allegedly compromised devices.  We have confirmed that the Shellshock attack has been mitigated by patches that we released in 2015.   We have also tested the shared PoC code and have so far concluded that it is not effective against firmware released after the 2015 patch.” continues the update. “However, we’ll continue to closely monitor any new posts and investigate new information.  This should also serve as a reminder to our customer base to always patch and keep current on internet facing devices.”

The company has released an updated security best practices guide for the SMA 100 series devices.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)

[adrotate banner=”5″]

[adrotate banner=”13″]