Firewall and network security vendor SonicWall has issued a set of security advisories since Friday. It has warned: “SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
The company initially warned on Friday of problems with both its NetExtender VPN software and its Secure Mobile Access (SMA) 10.x software. The concern was that the attacks would compromise any use of the two remote access solutions across a wide range of appliances. That includes all products in the SMA 100 series.
On Saturday, the company updated its advisory, saying that there was no risk to the NetExtender software. It also said that the appliances themselves are safe and can continue to be used with NetExtender but not its SMA 10.x software. It said: “We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability.”
The news that NetExtender can be used will come as a welcome relief to customers. On Friday, the company said that the attack also affected that product. It meant that customers would have had to consider disabling all remote access, which would cause significant disruption.
What does SonicWall know about the attack?
The company is being fairly circumspect about what it says about this issue. It has admitted that the attack seems to be related to a zero-day vulnerability. However, it is providing no details of the vulnerability or details on how to remediate. That includes no Indicators of Compromise that IT security teams would use to detect and block attacks.
Back in December when the SolarWinds attack became public, SonicWall was quick to say it was not a customer. That removes one route by which it may have been compromised. However, it does not rule out that the attack is connected to the same group of Russian attackers. Just a week ago another security company, Malwarebytes, said that it had been targeted by nation-state attackers.
Enterprise Times: What does this mean?
It is no surprise that cybercriminals are targeting security companies. As work from home continues due to the pandemic, remote workers are easy targets. If attackers can compromise the VPN software and other security tools users rely on, they can gain easy access to businesses. With fewer security staff in the office and some still spending more time supporting users rather than securing the business, such attacks may go unnoticed for some time.
SonicWall has acted quickly to update its channel and customers with information about this attack. That the attack does not affect its NetExtender product will be good news for the company given how widely it is used by its customer base. What customers will want to know now is how they can detect any compromise. That means SonicWall has to issue a set of IoCs and a patch to allow security teams to act.