NCC Group, a cybersecurity firm has just recently reported that a SonicWall SMA zero-day vulnerability is actively being attacked. It was only last January 22 that SonicWall disclosed to the public an exploitation in their internal systems. However, it was still unsure whether a zero-day vulnerability was present in some networking services. Now, another exploitation has happened, and SonicWall has confirmed a zero-day vulnerability.
As reported by Bleeping Computer, confirmation of zero-day attack followed after investigation. As of the moment, they are still digging deeper into the cause of the attack. Although they have not provided much information, they stated that their SMA 100 series line of remote access appliances are highly likely to be affected. The following are SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v.
SonicWall Confirms NCC Group's Findings
In the tweet released by NCC group, they have updated users in a timely manner that the SMA 100 series are affected once again. In an interview with NCC group via Bleeping Computer, the firm said, "Our team has observed signs of attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth."
According to ZDNet, at this point, it seems that the SonicWall SMA is being actively exploited in numerous instances and thus needs further investigation to prevent it from happening again. It is not clear yet if the recent attack has the same level of vulnerability as the attack that was disclosed by SonicWall on their official website, but NCC group believes it could pose a similar threat.
Per the @SonicWall advisory - https://t.co/teeOvpwFMD - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs
— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
NCC group is keen on not disclosing any details that may be used by attackers or that may cause unnecessary panic.However, they have advised administrators to be on the lookout for unusual IP addresses that try to hack the access logs of the management interface in Sonicwall. Moreover, Richard Warren who is a principal security consultant from NCC Group said that by trying to mitigate the situation, attackers will have limited access to the management interface of SonicWall. Thus, security measures need to be implemented as advised.
Yes. It wouldn't prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended
— Rich Warren (@buffaloverflow) January 31, 2021
Read more: Cybersecurity: SonicWall Threat Report Shows Malware Slightly Dropped, But Ransomware Surged In 2016
SonicWall Takes Action Following Exploitation, Advices Users to Downgrade to 9.x Firmware
In response to the exploitation, SonicWall has revealed that their management and administrators will be enabling a multi-factor authentication (MFA) as a security measure for all devices. Moreover, they recommend the need to set up IP address restrictions to further protect the management interface.
MFA should be enabled on all devices in order to prevent further damage. Management interface should also be limited only to known IP address users.
As SonicWall updated their security advisory, they confirmed the zero-day vulnerability discovered in first hand by the NCC group. As they are still developing the fix to the issue, SonicWall recommends in their official security advisory to do a downgrade of their devices in order to utilize 9.x firmware. By downloading the firmware, users will be able to reset the system to prevent it from further attack.
Related Article: [BEWARE] COVID-19 is also a Malware Infecting PCs: Users, Watch Out!
This article is owned by Techtimes
Written by Nikki D
