Attack targets SonicWall's SMA Series access management gateways and is another in a string of incidents against security vendors.

Firewall and network security appliance manufacturer SonicWall is urging customers to take preventive actions after its own systems were attacked through previously unknown vulnerabilities in some of its products. “Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” the company said in an alert on its website late Friday.

Initially the company suspected that several of its Secure Mobile Access (SMA) series physical and virtual appliances, as well as the NetExtender VPN client and SonicWall firewalls, were vulnerable. However, after further investigation, the list of vulnerable products was revised Saturday.

The company determined that no generation of SonicWall firewalls is impacted, and neither are the NetExtender VPN client, SonicWall SonicWave APs or the SMA 1000 Series. The only vulnerable products remain the SMA 100 series appliances, which include the SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v (virtual).

The SMA 100 series appliances are access management gateways for small- and medium-sized businesses that allow them to provide remote employees with browser-based and VPN-based access to the company’s internal resources, or even hybrid resources hosted in the cloud. They can be combined with a VPN client such as the NetExtender VPN client. “Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series,” the company said. “We have determined that this use case is not susceptible to exploitation.”

SMA 100 Series customers urged to take action

According to the company, it is critical for SMA 100 series customers to enable multi-factor authentication.
SMA supports time-based one-time passwords (TOTP) generated with mobile apps such as Google Authenticator. TOTP can also be enabled to work in addition to LDAP authentication for SSL-VPN connections on SonicWall appliances.

An additional recommendation is to enable Geo-IP/botnet filtering to create a policy that blocks web traffic from countries that don’t need to access applications through the SMA appliance. It’s also advisable to enable and configure the End Point Control feature, which forces a security check of the user’s environment and device before allowing a VPN connection to be established. Administrators can also use the Login Schedule feature to create a policy and timetable of when users are allowed to authenticate and when they should be automatically logged off. Instructions on configuring these features are included in the SMA 10.2 administration guide.

SonicWall attacker motives unclear

It’s not clear what the hackers who targeted SonicWall were after and whether their goal was cyberespionage or financial, as with ransomware and other types of extortion. The company did not release any information about attack payloads, tools or other indicators of compromise (IOCs). A SonicWall representative tells CSO via email that the company is not divulging additional information at this time beyond what was released in its alert.

Attackers targeting security vendors

SonicWall is the third cybersecurity vendor to recently announce a security breach, after FireEye and Malwarebytes. Both FireEye and Malwarebytes were targeted by the same threat actor that is associated with the Russian intelligence services and which was also responsible for the larger software supply chain attack involving poisoned SolarWinds software updates. Malwarebytes was targeted through a different attack vector involving applications with privileged access to Microsoft Office 365 and Azure environments.
A similar attack vector was attempted against cybersecurity firm CrowdStrike. While there is currently no link between the attack against SonicWall and the SolarWinds or the Azure attacks, it’s clear that hackers in general are no longer holding back from targeting even the most security-aware organizations — the security vendors themselves.

Editor’s note: This article was updated on January 26, 2021, to reflect the most recent advice from SonicWall.