
SonicWall was breached via zero-day bug in its VPN client

(Image credit: ESB Professional / Shutterstock)

Network security firm SonicWall has notified its customers that unknown attackers are exploiting a zero-day vulnerability in its VPN products and have used it to attack the company's own internal systems.

The company builds hardware firewalls, VPN gateways and network security tools for businesses.

In a statement, the company said it had identified a zero-day in its Secure Mobile Access (SMA) VPN appliances, as well as in its NetExtender VPN client, being used against its systems. It described the attack as "sophisticated".

"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," states SonicWall's security notice published late Friday night.

It said the investigation is ongoing, and it has published a list of affected and unaffected devices in its notice. It added that customers should add an extra layer of protection by enabling two-factor authentication, or by restricting access to the devices to whitelisted IP addresses only.
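The two interim mitigations above (require two-factor authentication; accept connections only from an approved list of source addresses) are easy to state but worth checking against what the appliance actually logs. The following is an added example, not code from the article or from SonicWall: it parses a few constructed VPN authentication log lines (the field layout is an assumption, not SonicWall's real log format) and flags every event that violates either policy, so a defender can confirm the controls are in force and spot logins that bypass them.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allow-list (assumption): the source ranges an administrator has approved.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed sample log lines. The "key=value" layout is a hypothetical format
# chosen for illustration; adapt LINE_RE to the appliance's real syslog schema.
SAMPLE_LOG = """\
2021-01-23T02:11:09Z src=203.0.113.45 user=alice result=success mfa=yes
2021-01-23T02:12:31Z src=192.0.2.77 user=bob result=success mfa=no
2021-01-23T02:13:02Z src=198.51.100.10 user=carol result=success mfa=no
2021-01-23T02:14:47Z src=192.0.2.90 user=admin result=failure mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>yes|no)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def is_allowed_source(src: str) -> bool:
    """True only if src parses as an IP address inside an approved network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: treat as not approved rather than trusting it
    return any(addr in net for net in ALLOWED_SOURCES)


def evaluate(log_text: str, require_mfa: bool = True) -> list:
    """Return one Finding per log line that breaks the allow-list or MFA policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not silently accept
        reasons = []
        if not is_allowed_source(m["src"]):
            reasons.append("source not in allow-list")
        # A failed login without MFA is expected; only a success without MFA is a gap.
        if require_mfa and m["result"] == "success" and m["mfa"] == "no":
            reasons.append("successful login without MFA")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["src"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.ts} user={f.user} src={f.src}: {', '.join(f.reasons)}")
```

Run against the constructed sample, the check flags three of the four events: bob's login fails both policies, carol's comes from an approved range but skipped MFA, and the failed "admin" attempt came from an unapproved address. Feeding real appliance logs through the same logic is a quick way to verify the mitigations are actually applied everywhere, not just configured.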

There is still no information about the vulnerabilities themselves, or about who might be exploiting them. Bleeping Computer believes, based on the mitigation steps the company provided, that these are pre-authentication vulnerabilities that can be exploited remotely on publicly accessible devices. As CRN noted, SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack in the past seven weeks, following FireEye, SolarWinds, CrowdStrike and Mimecast.

The attack against CrowdStrike was unsuccessful, the company confirmed at the time.

While there is no official confirmation, many publications are speculating that all of these attacks might have been carried out by the same group that breached SolarWinds: the Russian state-sponsored actor APT29.