SonicWall has issued a critical alert regarding active exploitation efforts targeting a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices. The vulnerability affects both physical and virtual SMA 100 series appliances running 10.x firmware, covering models such as the SMA 200, 210, 400, 410, and 500v.
This issue came to light following a warning from NCC Group, which reported detecting widespread exploitation attempts. While specific details about the exploit remain undisclosed to mitigate the risk of further attacks, SonicWall anticipates releasing a patch by the end of the day on February 2, 2021.
The company indicated that several thousand devices could be affected, noting that firmware versions prior to 10.x are not vulnerable. The revelation follows a breach of SonicWall’s systems due to what appears to be coordinated attacks exploiting other zero-day vulnerabilities. For instance, on January 29, SonicWall confirmed that attackers had previously leveraged stolen credentials to access these devices.
The ongoing investigation suggests that the zero-day vulnerability in the SMA 100 series 10.x code may have played a significant role in these breaches. SonicWall has assigned the identifier SNWLID-2021-0001 to this vulnerability for internal tracking.
Interestingly, SonicWall clarified that its firewalls and SMA 1000 series appliances remain unaffected. The company urges its customers to enable multi-factor authentication (MFA) and reset passwords for accounts associated with the SMA 100 series devices. Organizations are also advised to restrict access on firewalls and consider deactivating the vulnerable devices until the patch is released.
In a positive turn, SonicWall has now released a patch addressing the identified vulnerabilities within the SMA 100 series 10.x code. The company emphasizes that all users with active devices should apply this patch without delay. While detailed information about the nature of the vulnerability remains sparse, remarks from NCC Group imply a potential link to an authentication bypass. This reinforces the need for businesses to remain vigilant against such security gaps, since an authentication bypass on a remote-access appliance undermines the credential and MFA controls that otherwise gate entry.
From an adversary tactics perspective, the MITRE ATT&CK framework suggests that these incidents could involve techniques such as initial access through credential theft, persistence by maintaining access via compromised accounts, and possible privilege escalation—each critical in enabling the attackers to exploit the vulnerability effectively.
As the cybersecurity landscape continues to evolve, maintaining a proactive stance on vulnerability management and ensuring compliance with best practices are imperative for organizations. For the tech-savvy business owner, understanding these dynamics is crucial to safeguarding their operations against sophisticated cyber threats.