SonicWall Probes Attack Using Zero-Days in Own Products

Security vendor SonicWall has warned its customers that threat actors may have found zero-day vulnerabilities in some of its remote access products.

An initial post on the vendor’s knowledgebase pages on Friday claimed that the NetExtender VPN client version 10.x and the SMB-focused SMA 100 series were at risk.

However, an update over the weekend clarified that impacted products were confined to its Secure Mobile Access (SMA) version 10.x offering running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.

These provide customer employees with secure remote access to internal resources — capabilities in high demand during the pandemic. As such, there’s an obvious advantage to attackers in finding bugs to exploit in such tools.

“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall said in the alert.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”

There’s no more info for now on what the attackers were after and how they performed the intrusion.

However, SonicWall also clarified that its firewall products, SonicWave APs and SMA 1000 Series product line are unaffected.

“Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation,” it added. “We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the internet while we continue to investigate the vulnerability.”

Since the start of the COVID-19 crisis, security and infrastructure providers have come under increasing scrutiny as attackers look for holes in products which could provide them with large-scale access to customer environments.

Back in April, it emerged that sophisticated ransomware groups were exploiting flaws in VPN products to attack hospitals, while in October, the US warned that APT groups were chaining VPN exploits with the Zerologon flaw to target public and private sector organizations.

Products from Fortinet (CVE-2018-13379), MobileIron (CVE-2020-15505), Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510), Citrix NetScaler (CVE-2019-19781) and Palo Alto Networks (CVE-2020-2021) were all highlighted as at risk.

Leave a Reply