
SonicWall was breached via zero-day bug in its VPN client


Network security firm SonicWall has notified its customers and clients that unknown criminals are taking advantage of a zero-day vulnerability found in its VPN products and are attacking its internal systems.

The company builds hardware firewalls, VPN gateways and network security tools for businesses.

In a statement, the company said it spotted a zero-day in its Secure Mobile Access (SMA) VPN device, as well as in its NetExtender VPN client, being used against its systems. It described the attack as “sophisticated”.

"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," states SonicWall's security notice published late Friday night.

It said the investigation is ongoing, and it has provided a list of the affected and unaffected devices. It added that customers should add an extra layer of protection through two-factor authentication, or by blocking access to the devices for all but whitelisted IP addresses.

There is still no information about the vulnerabilities, or who might be exploiting them. Bleeping Computer believes, based on the mitigation steps the company provided, that these are pre-auth vulnerabilities that can be remotely exploited on publicly accessible devices. SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack over the past seven weeks, CRN noticed, following FireEye, SolarWinds, CrowdStrike and Mimecast.

The attack against CrowdStrike was unsuccessful, the company confirmed at the time.

While there is no official confirmation, many publications are speculating that all of these attacks might have been carried out by the same team that breached SolarWinds – Russian, state-sponsored APT29.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.