SonicWall says it was hacked using zero-days in its own products

The networking device vendor has published a series of mitigations as it's investigating the incident and preparing patches.
Written by Catalin Cimpanu, Contributor

Networking device maker SonicWall said on Friday night that it is investigating a security breach of its internal network after detecting what it described as a "coordinated attack."

In a short statement posted on its knowledgebase portal, the company said that "highly sophisticated threat actors" targeted its internal systems by "exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."

Also: Best VPNs • Best security keys • Best antivirus     

The company initially listed NetExtender VPN clients and the Secure Mobile Access (SMA) gateways as impacted, but in an update several hours later said that only devices part of its SMA 100 series appliances are still under investigation as containing a zero-day vulnerability.

Patches for the zero-day vulnerabilities are not available at the time of writing.

To help keep its own customers' networks safe, the vendor has included a series of mitigations in its knowledgebase article, such as deploying a firewall to limit who can interact with SMA devices or disabling access via the NetExtender VPN client to its firewalls.

SonicWall also urged companies to enable two-factor authentication options in its products for admin accounts.

The networking device maker, whose products are often used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach over the past two months after FireEyeMicrosoft, and Malwarebytes.

All three previous companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.

Cisco, another major vendor of networking and security devices, was also targeted by the SolarWinds hackers. The company said last month it was investigating if attackers escalated their initial access from the SolarWinds products to other parts of its network.

Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack.

Article updated on January 25 with new information from the updated SonicWall advisory.

Editorial standards