SonicWall warns customers about zero-day vulnerabilities

Attack targets SonicWall's SMA Series access management gateways and is another in a string of incidents against security vendors.

A computer monitor displays abstract data, a skill and crossbones, and 'HACKED.'
D-Keine / Getty Images

Firewall and network security appliance manufacturer SonicWall is urging customers to take preventive actions after its own systems were attacked through previously unknown vulnerabilities in some of its products. "Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the company said in an alert on its website late Friday.

Initially the company suspected that several of its Secure Mobile Access (SMA) series physical and virtual appliances, as well as the NetExtender VPN client and SonicWall firewalls were vulnerable. However, after further investigation, the list of vulnerable products was revised Saturday.

The company determined that no generation of SonicWall firewalls is impacted and neither are the NetExtender VPN client, SonicWall SonicWave APs or SMA 1000 Series. The only vulnerable products remain the SMA 100 series appliances which include SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v (virtual).

The SMA 100 series appliances are access management gateways for small- and medium-sized businesses that allow them to provide browser-based and VPN-based access to remote employees to the company's internal resources, or even hybrid resources hosted in the cloud. It can be combined with a VPN-client such as the NetExtender VPN client.

"Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series," the company said. "We have determined that this use case is not susceptible to exploitation."

SMA 100 Series customers urged to take action

According to the company, it is critical for SMA 100 series customers to enable multi-factor authentication. SMA supports time-based one time passwords (TOTP) generated with mobile apps such as Google Authenticator. TOTP can also be enabled to work in addition to LDAP authentication for SSL-VPN connections on SonicWall appliances.

An additional recommendation is to enable the Geo-IP/botnet filtering to create a policy to block web traffic from countries that don't need to access applications through the SMA appliance. It's also advisable to enable and configure the End Point Control feature which forces a security check of the user's environment and device before allowing a VPN connection to be established. Administrators can also use the Login Schedule feature to create a policy and timetable of when users are allowed to be authenticated and when they should be automatically logged off. Instructions on configuring these features are included in the SMA 10.2 administration guide.

SonicWall attacker motives unclear

It's not clear what the hackers who targeted SonicWall were after and whether their goal was cyberespionage or had a financial motive, like with ransomware and other types of extortion. The company did not release any information about attack payloads, tools or other indicators of compromise (IOCs). A SonicWall representative tells CSO via email that the company is not divulging additional information at this time beyond what was released in its alert.

Attackers targeting security vendors

SonicWall is the third cybersecurity vendor to recently announce a security breach after FireEye and Malwarebytes. Both FireEye and Malwarebytes were targeted by the same threat actor that is associated with the Russian intelligence services and which was also responsible for the larger software supply chain attack involving poisoned SolarWinds software updates. Malwarebytes was targeted through a different attack vector involving applications with privileged access to Microsoft Office 365 and Azure environments. A similar attack vector was attempted against cybersecurity firm CrowdStrike.

While there is currently no link between the attack against SonicWall and the SolarWinds or the Azure attacks, it's clear that hackers in general are no longer holding back from targeting even the most security-aware organizations -- the security vendors themselves.

Editor's note: This article was updated on January 26, 2021, to reflect the most recent advice from SonicWall.

Copyright © 2021 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.