Network security firm SonicWall has notified its customers and clients that unknown criminals are exploiting a zero-day vulnerability in its VPN products to attack its internal systems.
The company builds hardware firewalls, VPN gateways and network security tools for businesses.
In a statement, the company said it spotted a zero-day in its Secure Mobile Access (SMA) VPN device, as well as in its NetExtender VPN client, being used against its own systems. It described the attack as “sophisticated”.
"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," states SonicWall's security notice published late Friday night.
It said the investigation is ongoing, and it has provided a list of the affected and unaffected devices. It added that customers should add an extra layer of protection through two-factor authentication, or by restricting access to the devices to whitelisted IP addresses only.
There is still no information about the vulnerabilities, or who might be exploiting them. Bleeping Computer believes, based on the mitigation steps the company provided, that these are pre-auth vulnerabilities that can be remotely exploited on publicly accessible devices. SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack over the past seven weeks, CRN noted, following FireEye, SolarWinds, CrowdStrike and Mimecast.
The attack against CrowdStrike was unsuccessful, the company confirmed at the time.
While there is no official confirmation, many publications are speculating that all of these attacks might have been carried out by the same team that breached SolarWinds – Russian, state-sponsored APT29.