[BreachExchange] SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws

[Destry Winant]

https://www.securityweek.com/sonicwall-says-internal-systems-targeted-hackers-exploiting-zero-day-flaws

[UPDATE] Cybersecurity firm SonicWall said late on Friday that some of
its internal systems were targeted by “highly sophisticated threat
actors” exploiting what appear to be zero-day vulnerabilities
affecting some of the company’s products.

SonicWall provides network, access, email, cloud, and endpoint
security solutions. The company said the attackers may have exploited
zero-day vulnerabilities in some of its secure remote access products,
namely its Secure Mobile Access (SMA) client version 10.x running on
SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA
500v virtual appliance.

The company previously said that NetExtender VPN client version 10.x,
which is used to connect to SMA 100 series appliances and SonicWall
firewalls was impacted, but after futher analysis, the company sad
this is NOT the case.

The comany also clarified late Saturday that SMA 1000 Series
appliances, SonicWave Access Points, and SonicWall Firewalls are not
affected.

The SMA 100 Series product remains under investigation, SonicWall said.

SonicWall has issued an alert with recommendations on what users of
the impacted products should do to prevent potential attacks until
patches are made available.

The company described the incident as a “coordinated attack.”

Before the news broke, SecurityWeek received an anonymous email
claiming that SonicWall was hit by ransomware and that hackers managed
to steal “all customer data.”

A second anonymous email to SecurityWeek said all internal systems
went down on Tuesday at SonicWall and that the attackers left a
message on Wednesday asking to be contacted by the company’s CEO. The
same individual also claimed all source code was stolen from
SonicWall’s GitLab repository as a result of the breach.

A screenshot described as proof that the hackers had full access to
all internal systems at SonicWall only showed the results of a search
conducted using the Shodan search engine.

SonicWall made no mention of ransomware or if any data may have been
compromised, and SecurityWeek has not been able to independently
confirm the claims — they could be false claims that may have nothing
to do with the actual breach suffered by SonicWall.

Unfortunately, the company has not provided any visibility into any
actions taken by the attackers beyond exploiting zero-days, leaving
customers, partners and other wondering.

SecurityWeek has reached out to SonicWall for additional information.