SonicWall zero-day exploited in the wild
Cyber-security firm the NCC Group said on Sunday that it detected active exploitation attempts against a zero-day vulnerability in SonicWall networking devices.
ZDNET Recommends
Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
"We've seen it used by a single threat actor earlier in the week. We were just standing the honeypot up at the time so didn't get the full request," Rich Warren, a security researcher for the NCC Group, told ZDNet.
"That led us to do some reverse engineering based on the request path, and we found the bug we believe the attacker was using."
NCC researchers said they notified SonicWall of the bug and the attacks over the weekend.
The researchers believe they identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall's own internal network in a security breach the company disclosed on January 23.
The January 23 zero-day impacted Secure Mobile Access (SMA) gateways, a type of networking device that is used inside government and enterprise networks to provide access to resources on intranets to remote employees. SonicWall listed SMA 100 Series devices as impacted by the January 23 zero-day.
A SonicWall spokesperson did not return a request for comment to confirm if NCC researchers discovered the same zero-day or a new one. The company did, however, silently update its January 23 security advisory to list the NCC finding and promise a fix until the end of the day, Feb. 2.
It listed as impacted physical and virtual SMA 100 10.x devices: SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v.
Per the @SonicWall advisory - https://t.co/teeOvpwFMD - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs
— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
Responding on Twitter to requests to share more details on the attack so security experts could protect their customers, the NCC team recommended that device owners restrict which IP addresses are allowed to access the management interface of SonicWall devices to only IPs of authorized personnel.
They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.
Yes. It wouldn't prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended
— Rich Warren (@buffaloverflow) January 31, 2021
Article updated at 8am ET with comments from Warren.