- Highly sophisticated actors have managed to infiltrate SonicWall using zero-days against its own products.
- The firm has detected the activity and identified the exploits, but not before the actors had accessed its internal systems.
- An urgent security notice has been issued, giving advice on MFA and specific configuration to help clients stay safe.
SonicWall, the American network-appliance and award-winning network security company, has announced a coordinated attack against its internal systems. As the firm explained, the intruders appear to be highly sophisticated threat actors, since they leveraged zero-day vulnerabilities in the company’s own ‘NetExtender VPN’ client and ‘Secure Mobile Access’ products, which are used internally by its employees.
According to reports that surfaced on The Hacker News, SonicWall suffered some notable outages earlier in the week as a result of the aforementioned hack. As for what the hackers managed to access before they were eventually thwarted, the main thing was reportedly source code hosted on the company’s GitLab repository. However, this hasn’t been officially confirmed by SonicWall, so we’re reproducing it with prudence.
The company has identified the zero-days used by the hackers and is in the process of addressing them with a patch. Naturally, this will take some time, so owners of the affected products are urged to read the security notice issued by the firm today and follow its instructions on how to apply effective mitigations, the most important being to enable multi-factor authentication on all SonicWall products.
The impacted products are the following:
- NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls.
- Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.
The firm clarifies that the SMA 100 Series isn’t susceptible to the identified flaws. NetExtender 10.x may also be immune to attacks of this kind, depending on its whitelisting and firewall access configuration. For more details on that, check out the urgent security notice.
This is yet another example of a large security vendor falling victim to sophisticated hackers, potentially opening up a channel for supply chain attacks targeting the company’s high-profile clients. It happened with SolarWinds, leading to the subsequent compromise of FireEye, Microsoft, Malwarebytes, and more.
In SonicWall’s case, the path is different but the level of sophistication is the same. Certainly, access to its products’ source code isn’t a good thing, but at least the firm detected the malicious activity before the actors had the chance to use that access as a stepping stone into its clients’ systems.