lconstantin
CSO Senior Writer

SonicWall warns customers about zero-day vulnerabilities

News Analysis
Jan 25, 2021 | 4 mins
Cyberattacks, Security, Vulnerabilities

Attack targets SonicWall's SMA Series access management gateways and is another in a string of incidents against security vendors.

A computer monitor displays abstract data, a skull and crossbones, and 'HACKED.'
Credit: D-Keine / Getty Images

Firewall and network security appliance manufacturer SonicWall is urging customers to take preventive actions after its own systems were attacked through previously unknown vulnerabilities in some of its products. “Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” the company said in an alert on its website late Friday.

Initially the company suspected that several of its Secure Mobile Access (SMA) series physical and virtual appliances, as well as the NetExtender VPN client and SonicWall firewalls were vulnerable. However, after further investigation, the list of vulnerable products was revised Saturday.

The company determined that no generation of SonicWall firewalls is impacted, and neither are the NetExtender VPN client, SonicWall SonicWave APs or the SMA 1000 Series. The only vulnerable products remain the SMA 100 series appliances, which include the SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v (virtual).

The SMA 100 series appliances are access management gateways for small- and medium-sized businesses that give remote employees browser-based and VPN-based access to the company’s internal resources, or even to hybrid resources hosted in the cloud. They can be combined with a VPN client such as the NetExtender VPN client.

“Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series,” the company said. “We have determined that this use case is not susceptible to exploitation.”

SMA 100 Series customers urged to take action

According to the company, it is critical for SMA 100 series customers to enable multi-factor authentication. SMA supports time-based one-time passwords (TOTP) generated with mobile apps such as Google Authenticator. TOTP can also be enabled in addition to LDAP authentication for SSL-VPN connections on SonicWall appliances.

An additional recommendation is to enable Geo-IP/botnet filtering and create a policy that blocks web traffic from countries that don’t need to access applications through the SMA appliance. It’s also advisable to enable and configure the End Point Control feature, which forces a security check of the user’s environment and device before a VPN connection is allowed to be established. Administrators can also use the Login Schedule feature to create a policy and timetable defining when users are allowed to authenticate and when they should be automatically logged off. Instructions on configuring these features are included in the SMA 10.2 administration guide.

SonicWall attacker motives unclear

It’s not clear what the hackers who targeted SonicWall were after, or whether their goal was cyberespionage or financial gain, as with ransomware and other types of extortion. The company did not release any information about attack payloads, tools or other indicators of compromise (IOCs). A SonicWall representative told CSO via email that the company is not divulging additional information at this time beyond what was released in its alert.

Attackers targeting security vendors

SonicWall is the third cybersecurity vendor to recently announce a security breach after FireEye and Malwarebytes. Both FireEye and Malwarebytes were targeted by the same threat actor that is associated with the Russian intelligence services and which was also responsible for the larger software supply chain attack involving poisoned SolarWinds software updates. Malwarebytes was targeted through a different attack vector involving applications with privileged access to Microsoft Office 365 and Azure environments. A similar attack vector was attempted against cybersecurity firm CrowdStrike.

While there is currently no link between the attack against SonicWall and the SolarWinds or the Azure attacks, it’s clear that hackers in general are no longer holding back from targeting even the most security-aware organizations — the security vendors themselves.

Editor’s note: This article was updated on January 26, 2021, to reflect the most recent advice from SonicWall.