Cybersecurity firm SonicWall disclosed Friday night that hackers attacked the company's internal networks by first exploiting a zero-day vulnerability in its very own secure remote access products.
SonicWall announced the hack after being contacted by SC Media about an anonymous tip that the company's systems had undergone a major breach. The company did not respond, but issued a formal announcement later that evening.
SonicWall, whose product line includes firewalls; network security and access solutions; and email, cloud and endpoint security solutions, acknowledged the incident in a company statement late that evening. "Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the statement reads.
The company is investigating the apparent presence of a zero-day vulnerability in its Secure Mobile Access (SMA) 100 Series. In an early version of the statement, the company specifically referenced SMA version 10.x running on the SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances and the SMA 500v virtual appliance.
In conjunction with SonicWall's NetExtender VPN client, the SMB-oriented SMA gateways are "used for providing employees/users with remote access to internal resources," the statement explained.
Initially, SonicWall had also said that its NetExtender VPN client version 10.x (released in 2020) – utilized to connect to SMA 100 series appliances and SonicWall firewalls – was also vulnerable, but the company retracted this statement in an update posted on Saturday evening.
SonicWall noted that customers may continue to use NetExtender for remote access with the SMA 100 series. "We have determined that this use case is not susceptible to exploitation," the updated statement said.
Any SonicWall customer using the affected solutions is vulnerable to the zero-day flaws. The company has therefore set up a web page where it is providing mitigation guidelines to channel partners and customers.
Among its recommendations for SMA 100 series devices:
- Enable two-factor authentication.
- "Enable Geo-IP/botnet filtering and create a policy blocking web traffic from countries that do not need to access your applications."
- "Enable and configure End Point Control (EPC) to verify a user’s device before establishing a connection."
- "Restrict access to the portal by enabling Scheduled Logins/Logoffs."
SonicWall has also reported that its firewalls are not affected, and that neither the SMA 1000 Series nor the SonicWall SonicWave APs (access points) are impacted.
In September 2020, SonicWall received some criticism for taking more than two weeks to patch a vulnerability that affected some 10 million managed devices and 500,000 organizations. SonicWall countered at the time by saying that the company responded promptly and no vulnerabilities were exploited.
SC Media updated this story on Jan. 24, 2021, to clarify and expand the description of the anonymous tip, and again on Jan. 25 to revise mitigation recommendations based on the latest available information at the time.