IT administrators with SonicWall’s Secure Mobile Access SMA 100 devices running on their networks are being warned to implement added protection after the company discovered what it calls a “coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities.”
For the time being, administrators should create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while it continues to investigate the vulnerability, the company’s latest update says.
UPDATE: On February 1 SonicWall issued a statement saying it has confirmed a critical zero-day vulnerability in SMA 100 series devices running firmware with version 10.x code.
While an initial alert told admins not to use the company’s NetExtender VPN client for remote access, an updated advisory on Sunday said that after an investigation it could advise current SMA 100 Series customers to continue using the client. “We have determined that this use case is not susceptible to exploitation,” the company noted.
The update also said other products initially thought vulnerable are safe. These include:
- SonicWall Firewalls: “All generations of SonicWall firewalls are not affected by the vulnerability impacting the SMA 100 series No action is required from customers or partners.”
- NetExtender VPN Client: “While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners.”
- SMA 1,000 Series: “This product line is not affected by this incident. Customers are safe to use SMA 1,000 series and their associated clients. No action is required from customers or partners.”
- SonicWall SonicWave APs: “No action is required from customers or partners.”
The SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) is aimed at small and medium-sized organizations of up to 100 employees for remote access to corporate resources hosted on-premise, in the cloud and in hybrid data centres.
The warnings began late Friday when SonicWall issued an urgent security notice about the SMA line and NetExtender client. But in that initial warning, the company urged admins to enable multifactor authentication on all SonicWall SMA, and MySonicWall accounts.
SecurityWeek reported that before the news broke, it received an unverified anonymous email claiming that SonicWall was hit by ransomware and that hackers managed to steal “all customer data.” A second unverified anonymous email said all SonicWall internal systems went down last Tuesday and that the attackers left a message on Wednesday asking to be contacted by the company’s CEO. The same individual also claimed all source code was stolen from SonicWall’s GitLab repository as a result of the breach.
Meanwhile, BleepingComputer reported that it was contacted last Wednesday by a threat actor who said they had information about a zero-day in an unspecified but “well-known” firewall vendor. “I have information about hacking of a well-known firewall vendor and other security products by this they are silent and do not release press releases for their clients who are under attack due to several 0 days in particular very large companies are vulnerable technology companies,” the email read.