Hackers Are Exploiting Zero-Day Vulnerability In SonicWall SMA 100 Devices

Network security provider SonicWall has confirmed that its Secure Mobile Access (SMA) 100 series was hit by a zero-day vulnerability. The company also stated that the zero-day has been exploited.

According to the firm, the bug affects the SMA 100 firmware 10.x code. SonicWall stated that thousands of devices have been exposed due to the zero-day vulnerability. However, the cybersecurity provider stated that it will provide patches for the vulnerability soon. 

But for now, clients should beef up their security systems and follow cybersecurity protocols . The company has also shared recommendations in the meantime for customers to protect their systems and network against potential attacks.

On January 22, SonicWall revealed that a sophisticated threat actor is launching a coordinated attack on its internal systems.” According to that report, the security outfit also stated that the threat actors were able to explore zero-day vulnerabilities in some of the secure remote access products of the company.

However, the recent update on Monday is coming barely 24 hours after the NCC Group revealed on Twitter that it had identified an “indiscriminate use of an exploit in the wild.” The NCC report was in line with SonicWall’s assertion about the presence of zero-days. 

Monday’s update by SonicWall stated that the NCC group’s submission of the claim also included a “critical zero-day” in the SMA 100 series. The bug is currently being tracked by SonicWall as SNWLID-2021-0001 .

The company initially said its SMA 100 series products and NetExtender VPN clients may have been affected. However, it later determined that the SonicWall APs, SMA 1000 series devices, SonicWall firewalls, and NetExtender VPN clients are not affected.

The SMA 100 series is still being investigated to find out whether it was affected. The firm shared an update on January 29, stating that it hasn’t confirmed the presence of zero-day vulnerability impacting the products.

The details about the vulnerability and its exploits have been made public to prevent further exploitation of zero-day, pending when a patch for the update will be ready.

“SMA 100 firmware before 10.x is unaffected by this zero-day vulnerability,” Sonicwall stated.

Last week, the company stated that it has issued an upgrade to the zero-day vulnerability. It added that it has discovered the use of stolen credentials from previous hacks to gain access to the SMA 100 series appliances.

SonicWall has refused to disclose any further details about the vulnerability to enable a smooth investigation.

The cybersecurity firm has also recommended that its customers enable multi-factor authentication (FMA) and reset user passwords, especially for those accounts that use SMA 100 series with 10.X firmware.

“If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall,” SonicWall pointed out.

The firm also stated that the users can also opt to shut down the SMA 100 series devices until they can receive the patch or update for the vulnerable device. They can also try loading the 9.x firmware version after rebooting the factory default settings.

SonicWall is one of the companies that have been affected by a zero-day exploit in the past month. In fact, other large companies with a broad customer base have also been affected. These include Malwarebytes, FireEye, Microsoft, and SolarWinds . The attack on SolarWinds seems to have a connection with most of the firms above. Many of the attacks followed after the breach of the SolarWinds server.

Crowdstrike was also attacked, but the company said the attack was not successful. SonicWall did not say whether the threat actors are part of an organized hacking syndicate linked to the hack of SolarWinds. But the sophisticated nature of the attack has led to speculation that both of them are connected somehow.