SonicWall, a leading provider of internet security solutions such as firewalls and VPNs, recently acknowledged that it has been targeted in a sophisticated cyberattack affecting its internal infrastructure.

The San Jose-based firm reported that the intrusion exploited zero-day vulnerabilities associated with its secure remote access offerings, specifically the NetExtender VPN client (version 10.x) and the Secure Mobile Access (SMA) products, which facilitate remote entry to company resources.

In an exclusive statement to The Hacker News, SonicWall conveyed that the attack appears to have been orchestrated by highly advanced adversaries who likely exploited zero-day vulnerabilities in certain remote access tools.

This incident follows reports received earlier in the week regarding downtime experienced by SonicWall’s internal systems on Tuesday, with indications that attackers managed to access source code stored in the company’s GitLab repository.

While SonicWall has refrained from confirming these details definitively, the company has promised to update stakeholders as more information emerges regarding this security breach.

The compromised products reportedly include the NetExtender VPN client (version 10.x), designed for connectivity to SMA 100 series appliances, and the Secure Mobile Access (SMA) solution (version 10.x) utilized on various hardware models including the SMA 200 and SMA 400 appliances.

In response to these vulnerabilities, SonicWall stated that its SMA 1000 series remains secure, as it employs different clients than those breached. The company has also issued a security advisory recommending that organizations enable multi-factor authentication, restrict NetExtender access, limit public IP address access, and implement whitelisting measures.

In the broader context, various cybersecurity firms such as FireEye, Microsoft, and CrowdStrike have also faced targeted attacks in the wake of the notorious SolarWinds supply chain incident. This latest attack on SonicWall underscores escalating risks to organizations that provide critical cybersecurity infrastructure.

The investigation into this incident is ongoing, and while SonicWall has clarified that its NetExtender clients are no longer deemed at risk from the identified vulnerabilities, it continues to scrutinize other affected systems. Further details on the tactics employed by the adversaries remain sparse, but the MITRE ATT&CK tactics involved may include initial access through exploited vulnerabilities and persistence mechanisms that let the attackers maintain a foothold.

Updates from SonicWall are anticipated as it continues to explore the scope of the breach and its implications for users and partners alike.
