
On Friday, January 22, SonicWall announced that they had been investigating a zero-day exploit affecting some of their products. They have determined that sophisticated threat actors attacked their internal systems by exploiting a zero-day flaw in the organization’s secure remote access product, in what appears to be a coordinated attack.

 

The impacted products are:

  • NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

The NetExtender VPN client and the SMB-oriented SMA 100 series are used to provide employees and other users with remote access to internal resources. The SMA 1000 series is not susceptible to this vulnerability and uses clients other than NetExtender.

SonicWall has not published an answer to speculation that the attack on their system was carried out by the same actors responsible for the SolarWinds hack. The company is continuing to provide mitigation recommendations to customers, and states that multi-factor authentication must be enabled on SonicWall SMA, firewall, and MySonicWall login accounts. Another recommendation is to use a firewall to limit who can interact with SMA devices, or to disable NetExtender VPN client access to the firewalls.

For assistance with mitigation techniques, please see the resources below, or contact SOCBOX directly for help with implementation.

 

Sources:

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/

https://www.crn.com/news/security/sonicwall-breached-via-zero-day-flaw-in-remote-access-tools