Security firm SonicWall insists its VPN and firewalls are safe to use after suffering what it described as a serious "coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."
Santa Clara, US-based SonicWall initially suspected a vulnerability in its NetExtender VPN client after a breach first reported January 22, but in an update over the weekend said it had narrowed the vector/vuln down to its SMA 100 Series -- a "secure remote access solution" to underpin policy-enforced access control to users or devices. (The product is targeted at SMEs; it can be deployed on-prem, virtual and public cloud data centres.)
Absent a patch (pending) SonicWall urges customers to use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or to configure whitelist access on the SMA directly itself. (Step-by-step guidance on doing that can be found here.)
It is highly likely that SonicWall customers have been attacked a result of the compromise. The company made no indication in its update on when it was first alerted to the compromise or what data was accessed.
SonicWall hacked: Breach latest in series of security product attacks.
SonicWall is the latest security vendor to fall victim to a successful attack on its products and systems: the incident follows hot on the heels of a major compromise of FireEye. Microsoft has also admitted (providing minimal details) that a 0day in its Microsoft Defender security product was actively exploited in the wild recently; Malwarebytes says it suffered a limited breach of an O365 tenant, while Mimecast has also admitted a breach.
Some 19,249 vulnerabilities and exposures (CVEs) were allocated in 2020 – over 52 every single day. Cybersecurity products are particularly compelling target for hackers. They're widely deployed and tend to have extensive privileges. While antivirus products et al have been breached several times in the past, the recent run of attacks suggests that they currently have a big target painted on them by advanced attackers.