Cybersecurity company SonicWall was targeted with a coordinated attack on its internal systems, threat actors exploited zero-day vulnerabilities in their VPN solutions, such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA).
The Hacker News was the first media to receive reports that SonicWall’s internal systems were unavailable since Tuesday and that the source code hosted on the company’s GitLab repository was accessed by the attackers. SonicWall has immediately launched an investigation into the incident. Below is the list of affected products shared by @thehackernews :
⚠️ NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
⚠️ Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance..
SonicWall published an Urgent Security Notice for NetExtender VPN Client 10.X, SMA 100 Series vulnerability that includes a series of recommendations for its customers.
FOR SMA 100 SERIES the vendor recommends to use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA directly itself.
FOR FIREWALLS WITH SSL-VPN ACCESS VIA NETEXTENDER VPN CLIENT the security firm recommends organizations using VERSION 10.X to disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist for their public IPs. SonicWall also recommends enabling multi-factor authentication on all SONICWALL SMA, Firewall & MYSONICWALL accounts.