Network security provider SonicWall said on Monday that hackers are exploiting a critical zeroday vulnerability in one of the devices it sells.
The security flaw resides in the Secure Mobile Access 100 series, SonicWall said in an advisory updated on Monday. The vulnerability, which affects SMA 100 firmware versions 10.x, isn’t slated to receive a fix until the end of Tuesday.
Monday’s update came a day after security firm NCC Group said on Twitter that it had detected “indiscriminate use of an exploit in the wild.” The NCC tweet referred to an earlier version of the SonicWall advisory that said its researchers had “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
Per the @SonicWall advisory – https://t.co/teeOvpwFMD – we’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we’ve also seen indication of indiscriminate use of an exploit in the wild – check logs
— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
In an email, an NCC Group spokeswoman wrote: “Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth.”
In Monday’s update, SonicWall representatives said the company’s engineering team confirmed the submission by NCC Group included a “critical zero-day” in the SMA 100 series 10.x code. SonicWall is tracking it as SNWLID-2021-0001. The SMA 100 series is a line of secure remote access appliances.
The disclosure makes SonicWall at least the fifth large company to report in recent weeks that it was targeted by sophisticated hackers. Other companies include network management tool provider SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also reported being targeted but said the attack wasn’t successful.
Neither SonicWall nor NCC Group said that the hack involving the SonicWall zeroday was linked to the larger SolarWinds hack campaign. Based on the timing of the disclosure and some of the details in it, however, there is widespread speculation that the two are connected.
NCC Group has declined to provide additional details before the zeroday is fixed to prevent the flaw from being exploited further.
People who use SonicWall’s SMA 100 series should read the company’s advisory carefully and follow stopgap instructions for securing products before a fix is released. Chief among them:
- If you must continue operation of the SMA 100 Series appliance until a patch is available
- Enable MFA. This is a *CRITICAL* step until the patch is available.
- Reset user passwords for accounts that utilized the SMA 100 series with 10.X firmware
- If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall;
- Shut down the SMA 100 series device (10.x) until a patch is available; or
- Load firmware version 9.x after a factory default settings reboot. *Please back up your 10.x settings*
- Important Note: Direct downgrade of Firmware 10.x to 9.x with settings intact is not supported. You must first reboot the device with factory defaults and then either load a backed up 9.x configuration or reconfigure the SMA 100 from scratch.
- Ensure that you follow multifactor authentication (MFA) best practice security guidance if you choose to install 9.x.
SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and remain safe to use.
This post was updated to correct the description of the SMA 100.