SonicWall breached through 'probable' zero-day vulnerabilities

SonicWall was breached by threat actors using "probable" zero-day vulnerabilities in its own products, though the company said it is still investigating that attack.

The security vendor disclosed in a blog post Friday evening that it "identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."

While the original post listed version 10.x on both SonicWall's NetExtender VPN client and Secure Mobile Access (SMA) products, an update to the blog published late Jan. 23 clarified that only the SMA 100 series is under investigation and NetExtender has been ruled out. SonicWall Firewalls, SMA 1000 series (the enterprise version of the SMB-focused 100 series) and SonicWave Access Points have likewise been ruled out.

The SMA 100 section of SonicWall's blog update specified that while the product is under investigation, "SMA 100 series products may be used safely in common deployment use cases." On a product notification page dedicated to the investigation, the company elaborated that current customers "may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation." The page also instructs admins to "create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability."

UPDATE: SonicWall told SearchSecurity Monday evening that the guidance to disable Virtual Office and the HTTPS administrative interface no longer applies and the information has been removed from the product notification page.

Currently, SonicWall has not confirmed the existence of zero-day vulnerabilities in the SMA 100 series, and as such, there are no patches or security updates available for the product.

SonicWall didn't provide any information on the suspected threat actors behind the breach. However, the original post said that SonicWall "has seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations." The update references "the ongoing attacks on global business and government."

It's unclear if these references to "ongoing attacks" against government, businesses and critical infrastructure refer to the SolarWinds attacks, in which nation-state threat actors used malicious software updates for SolarWinds' Orion IT management platform to gain access to several technology companies and federal agencies in the U.S.

SearchSecurity asked SonicWall about whether there was indication of a nation-state attack, which systems were impacted and whether customers were impacted. The company declined to comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.