SonicWall Investigating Zero-Day Attacks Against Its ProductsCompany Says Certain VPNs and Gateways Affected By 'Coordinated Attack'
Security vendor SonicWall is investigating what the company calls a "coordinated attack" against its internal network by threat actors using a zero-day exploit within the company's remote access products.
In a brief statement, SonicWall says it is continuing to investigate the incident and that users of certain versions of its Secure Mobile Access, or SMA, gateway products should apply temporary fixes until a permanent patch is available.
And while SonicWall did not release details about the zero-day attack and the vulnerability, the company stressed that this security incident appears well planned.
"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," according to the company statement released Friday.
On Saturday, SonicWall released an updated statement, which detailed a number of products not affected by the attack. They include the NetExtender VPN client access product, which the firm originally believed had been targeted in the initial attack.
"While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners," according to the company.
We have updated our earlier announcement about a coordinated attack on the SMA 100 Series product. We can now share that many of our product lines are NOT impacted, including our firewalls. Read the update here: https://t.co/VTDr0btI8T— SonicWall (@SonicWall) January 24, 2021
Which Products Affected?
As of Saturday, SonicWall was saying the company is still investigating potential vulnerabilities in several versions of its Secure Mobile Access gateway product version 10.x, which runs on SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances as well as the SMA 500v virtual appliance.
The company notes that its SMA 100 series products are physical devices used for providing employees and other users with remote access to internal resources. The company's remote access products are sold to small businesses as well as large enterprises.
For now, SonicWall is urging its customers to use a firewall to only allow Secure Socket Layer-VPN connections to the SMA appliance from known or whitelisted IP addresses. Customers can also configure whitelist access on the SMA gateway itself, according to the update.
SonicWall is also urging its customers to use multifactor authentication with all its products.
The company also suggests that SMA 100 series administrators create specific access rules or disable their Virtual Office web portal and HTTPS administrative access from the internet while the company continues to investigate the vulnerability. On Tuesday, the company updated its guidance and added that this fix no longer applies.
While SonicWall is still investigating the exploit of the zero-day vulnerability in its SMA 100 series gateway products, the company now believes that the attacks are not affecting its entire line of firewall products or its SMA 1000 series gateway offering, which is a separate line of gateway products.
Other security vendors have also warned about recent security issues affecting their products or internal networks.
Earlier this month, researchers warned that attackers appear to have started scanning for vulnerable Zyxel products, including VPN gateways, access point controllers and firewalls. A vulnerability in the company's firmware, which was first disclosed in December by researchers, can be exploited to install a hard-coded backdoor that could give threat actors remote administrative privileges. This flaw could affect about 100,000 of the company's products (see: Researchers Warn Attackers Are Scanning for Zyxel Products).
On Tuesday, the CEO of Malwarebytes acknowledged that the hackers who attacked SolarWinds also targeted his company and gained access to a "limited subset of internal company emails." (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).
There is currently no indication that the zero-day attack affecting the SonicWall products is related to the SolarWinds hacking incident. Zero-day attacks, however, are increasingly being purchased by nation-state hacking groups to launch multiple attacks, according to an April 2020 report (see: More Zero-Day Exploits For Sale: Report).
Editor's Note: This article was updated to include additional information from SonicWall about a temporary fix.