Cybersecurity firm SonicWall, popularly known for security products such as firewalls and VPN access tools, disclosed late on Friday night that it had been compromised by attackers who exploited zero-day vulnerabilities in its VPN tools. Initially, SonicWall reported that the affected products included the NetExtender VPN client version 10.x (released in 2020) and Secure Mobile Access (SMA) version 10.x. However, an updated notice the following day stated that the NetExtender VPN client was safe to use, while the investigation into SMA was still ongoing.
What was Compromised in the SonicWall Hack?
The coordinated attack on SonicWall’s internal systems meant that the attackers had access to the company’s GitLab repository, which hosts the source code of its various products, including the NetExtender VPN client and Secure Mobile Access, both of which the company had listed as “affected” in its first Security Notice.
With so many people working from home, the NetExtender VPN client and the SMB-oriented SMA 100 series give the employees and users of SonicWall’s customers secure remote access to internal resources, so the exploitation of zero-day vulnerabilities in those products is cause for concern. The company was also quick to state that its other product line, the SMA 1000 series, is not susceptible to the vulnerability and uses clients other than NetExtender.
In the security notice published to update customers on the ongoing investigation, the company asked organizations to mitigate the flaws by enabling two-factor or multi-factor authentication, disabling NetExtender access to the firewall, restricting access for users and admins from public IP addresses, and configuring whitelist access directly on the SMA.
Which of these recommendations apply depends on the products a customer uses, because SonicWall’s updated notice deemed its firewalls, the NetExtender VPN client, the SMA 1000 series, and SonicWave APs “Not Affected” and fit to continue operating with no action required from customers or partners. However, as noted above, SonicWall’s flagship product – the SMA 100 series – is still under investigation, and the firm has asked its current SMA 100 customers to continue using NetExtender for remote access with this series.
With several cybersecurity vendors such as FireEye, Microsoft, CrowdStrike, and Malwarebytes having been targeted amid the SolarWinds supply chain hack, the SonicWall breach has again sent tremors through its client base, mainly because if the source code was accessed, the threat actors behind this attack could search it for vulnerabilities to exploit in future. It is also possible that they planted malware, as in the SolarWinds attack, to move laterally into its clients’ networks. For now, we can only hope it is not a repeat of the SolarWinds hack.