SonicWall revealed Friday night that highly sophisticated threat actors attacked its internal systems by exploiting probable zero-day vulnerabilities in the company’s secure remote access products.
The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and Secure Mobile Access (SMA) 100 series products are used to provide employees and users with remote access to internal resources. The SMA 1000 series is not vulnerable to this attack and uses different clients from NetExtender, according to SonicWall.
“We believe it is extremely important to be transparent with our customers, our partners and the wider cybersecurity community about the ongoing attacks on global business and government,” SonicWall wrote in an “emergency security alert” posted on its product notifications webpage at 11:15 p.m. ET Friday. The company said the coordinated attack on its systems had been identified “recently.”
SonicWall declined to answer questions as to whether the attack on its internal systems was carried out by the same threat actor who injected malicious code into the SolarWinds Orion network monitoring tool for months. However, the company noted that it is seeing a “significant increase” in cyberattacks against companies that provide critical infrastructure and security controls to governments and businesses.
The company said it is providing mitigation guidance to channel partners and customers. Multi-factor authentication must be enabled on all SonicWall SMA, firewall and MySonicWall accounts, according to SonicWall.
Products involved in the SonicWall hack include: the NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls; as well as SonicWall’s SMA version 10.x running on the SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances and the SMA 500A virtual appliance.
SonicWall partners and customers using the SMA 100 series should either use a firewall to allow SSL-VPN connections to the SMA appliance only from known or whitelisted IPs, or configure whitelist access on the SMA appliance directly, according to the company.
For firewalls with SSL-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewall(s) or restrict access to users and administrators through an allow list (whitelist) of their public IPs, according to SonicWall.
SonicWall is the fifth cybersecurity vendor to publicly disclose an attack over the past seven weeks. FireEye blew the lid off the SolarWinds campaign on Dec. 8 when the company said it had been compromised in an attack designed to gain information about some of its government customers. The attacker was able to gain access to some of FireEye’s internal systems, the company said.
CrowdStrike then announced Dec. 23 that it had been notified eight days earlier by Microsoft’s Threat Intelligence Center, which had identified a Microsoft Azure reseller account making unusual calls to Microsoft’s cloud APIs over a 17-hour period several months ago, according to CTO Michael Sentonas.
The reseller’s Azure account was used to manage Microsoft Office licenses at CrowdStrike, and the hackers failed in their attempt to read the company’s email because CrowdStrike does not use Office 365 email, according to Sentonas.
Mimecast then announced Jan. 12 that a sophisticated threat actor had compromised a certificate issued by Mimecast to authenticate several of the company’s products to Microsoft 365 Exchange Web Services. The compromised certificate was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protection (IEP) products to Microsoft 365, the company announced.
Mimecast declined to answer CRN’s questions as to whether its breach was committed by the same group that attacked SolarWinds. But three cybersecurity officials told Reuters Jan. 12 that they suspected the hackers that hit Mimecast were the same group that broke into SolarWinds. The Washington Post reported that the SolarWinds attack was carried out by Russia’s foreign intelligence service.
Malwarebytes announced Tuesday that the SolarWinds hackers had abused a dormant email protection product within its Office 365 tenant, which allowed them access to a limited subset of internal company emails. Malwarebytes itself does not use SolarWinds Orion, and learned about the attack from Microsoft following suspicious activity from a third-party application in the company’s Office 365 tenant.