SonicWall says it was hacked using zero-days in its own products | ZDNet

The networking device vendor has published a series of mitigations as it's investigating the incident and preparing patches.


Catalin Cimpanu
By Catalin Cimpanu for Zero Day | January 23, 2021 -- 11:29 GMT (11:29 GMT) | Topic: Security

sonicwall-product-glitched.png
Networking device maker SonicWall said on Friday night that it is investigating a security breach of its internal network after detecting what it described as a "coordinated attack."

In a short statement posted on its knowledgebase portal, the company said that "highly sophisticated threat actors" targeted its internal systems by "exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."

The company listed NetExtender VPN clients and the Secure Mobile Access (SMA) gateways as impacted:

NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls.
Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.
SonicWall said that the newer SMA 1000 series is not impacted as that particular product series is using a different VPN client than NetExtender.

Patches for the zero-day vulnerabilities are not available at the time of writing.

To help keep its own customers' networks safe, the vendor has included a series of mitigations in its knowledgebase article, such as deploying a firewall to limit who can interact with SMA devices or disabling access via the NetExtender VPN client to its firewalls.

SonicWall also urged companies to enable two-factor authentication options in its products for admin accounts.

The networking device maker, whose products are often used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach over the past two months after FireEye, Microsoft, and Malwarebytes.

All three previous companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.

Cisco, another major vendor of networking and security devices, was also targeted by the SolarWinds hackers. The company said last month it was investigating if attackers escalated their initial access from the SolarWinds products to other parts of its network.

Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack.