Posted on January 24, 2021 at 7:14 PM
SonicWall, a vendor of VPN and firewall products, has disclosed that its internal systems were hit by a coordinated attack that exploited what it describes as probable zero-day vulnerabilities in its own remote-access products.
“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors,” the company said.
According to SonicWall, the attackers exploited flaws in its Secure Mobile Access (SMA) 100 series appliances and its NetExtender VPN client. The Silicon Valley-based company said both products give users remote access to internal resources.
SonicWall said the attackers took advantage of recently discovered vulnerabilities in those remote-access products, but it gave no further detail, adding that more information will be published once its investigation yields it.
The disclosure follows reports that SonicWall's internal systems went down on Tuesday. Those reports also claimed that the attackers gained access to source code in the company's GitLab repository.
SonicWall has asked customers and partners running the SMA 100 series to protect themselves in one of two ways: configure an allow-list (whitelist) of permitted source IP addresses directly on the SMA, or place a firewall in front of the appliance that only permits SSL-VPN connections to the SMA from known addresses.
SolarWinds breach spills over to other firms
The past few weeks have seen an unprecedented run of attacks on cybersecurity vendors. SonicWall is the fifth pure-play security vendor to publicly confirm an attack on its systems within the past seven weeks.
On December 8, security vendor FireEye raised the alarm that its systems had been compromised, prompting other companies to review their own defences. FireEye said at the time that the intruders were after information about some of its government customers.
The attackers succeeded in accessing some of FireEye's internal systems. FireEye's investigation went on to uncover the SolarWinds Orion supply-chain compromise, and further breaches tied to that campaign have been reported since. The number of affected companies would have been larger had FireEye not alerted its customers and the wider community promptly.
Two weeks after the FireEye disclosure, CrowdStrike revealed that Microsoft's Threat Intelligence Center had contacted it about a Microsoft Azure account belonging to a reseller that was making unauthorized requests to Microsoft's cloud APIs.
The attempt to read the firm's email failed, however, because CrowdStrike does not use Office 365 for email.
And on January 12, Mimecast revealed that a Mimecast-issued certificate had been compromised by a sophisticated threat actor. The certificate is one Mimecast provides to customers to authenticate its Internal Email Protect (IEP) products, Continuity Monitor, and Sync and Recover services to Microsoft 365 Exchange Web Services.
Mimecast did not say whether the same group behind the SolarWinds attack was responsible, although some cybersecurity officials said that is very likely.
Russian state actors blamed for the attacks
The Washington Post reported earlier that the group behind the SolarWinds attack is none other than Russia's foreign intelligence service, the SVR.
And in a recent report, cybersecurity firm Malwarebytes revealed that the SolarWinds attackers abused a dormant email protection product in its Office 365 tenant, which gave them access to a limited subset of internal company emails.
Although Malwarebytes does not use SolarWinds Orion or any other SolarWinds product, the company said it learned of the intrusion from Microsoft, which had detected suspicious activity from a third-party application in the Malwarebytes Office 365 tenant.
Organizations need to enable multi-factor authentication
The SolarWinds supply-chain campaign has affected several companies, including CrowdStrike, Microsoft, and FireEye.
SonicWall said it has seen a “dramatic surge in cyberattacks on government and businesses,” noting that the attacks have been most prevalent against companies that provide critical security and infrastructure services to organizations.
SonicWall has also advised organizations that may be affected to disable NetExtender access to the firewall, to enable multi-factor authentication, and to temporarily restrict access for admins and users to known public IP addresses.
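The two controls SonicWall recommends for the SMA (a source-IP allow-list, plus mandatory multi-factor authentication) are easy to state but worth checking against real connection records before trusting them. The script below is an added example, not SonicWall code and not an SMA log format: it applies an allow-list and an MFA requirement to a set of constructed login records and reports which would have been denied. The record layout, the user names and the addresses (all from documentation ranges) are assumptions made for illustration. It also handles two edge cases that bite in practice: an IPv4 client arriving as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), which a naive membership test would not match against an IPv4 entry, and an unparsable source field, which is treated as not allowed.

```python
"""Audit remote-access logins against a source-IP allow-list and an MFA requirement.

Added example: this is not SonicWall code and not an SMA log format. The record
layout, names and addresses below are constructed (documentation ranges only).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class LoginAttempt:
    src_ip: str   # address the SSL-VPN connection came from
    user: str
    role: str     # "admin" or "user" (hypothetical field)
    mfa: bool     # True when a second factor was completed


def build_allowlist(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse allow-list entries; strict=False tolerates host bits set (10.1.2.3/24).
    A bare address such as "198.51.100.7" becomes a /32 (or /128) entry."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalise(src_ip: str):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so
    that an IPv4 allow-list entry still matches. Raises ValueError if unparsable."""
    ip = ipaddress.ip_address(src_ip.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed_source(src_ip: str, allowlist: List[IPNetwork]) -> bool:
    """True only if the source lies inside an allow-listed network.
    Unparsable input fails closed (treated as not allowed)."""
    try:
        ip = normalise(src_ip)
    except ValueError:
        return False
    # ipaddress returns False for a v4 address tested against a v6 network and
    # vice versa, so mixed-family allow-lists are safe here.
    return any(ip in net for net in allowlist)


def evaluate(attempt: LoginAttempt, allowlist: List[IPNetwork]) -> str:
    """Apply the controls in order: source allow-list first (so unknown sources
    never reach authentication), then the MFA requirement."""
    if not is_allowed_source(attempt.src_ip, allowlist):
        return "deny: source not on allow-list"
    if not attempt.mfa:
        return "deny: MFA not completed"
    return "allow"


def audit(attempts: Iterable[LoginAttempt],
          allowlist: List[IPNetwork]) -> List[Tuple[str, str, str]]:
    """Return (user, source, verdict) for every record."""
    return [(a.user, a.src_ip, evaluate(a, allowlist)) for a in attempts]


# Constructed allow-list: an office egress /24, one partner host, one IPv6 prefix.
ALLOWLIST = build_allowlist(["203.0.113.0/24", "198.51.100.7", "2001:db8::/32"])

# Constructed login records (not real log data).
SAMPLE_ATTEMPTS = [
    LoginAttempt("203.0.113.45", "alice", "admin", True),      # allow
    LoginAttempt("::ffff:203.0.113.46", "bob", "user", True),  # allow (v4-mapped)
    LoginAttempt("203.0.113.47", "carol", "user", False),      # deny: MFA not completed
    LoginAttempt("198.51.100.200", "admin", "admin", True),    # deny: not on allow-list
    LoginAttempt("2001:db8:1::9", "dave", "user", True),       # allow
    LoginAttempt("not-an-ip", "eve", "user", True),            # deny: fails closed
]

if __name__ == "__main__":
    for user, src, verdict in audit(SAMPLE_ATTEMPTS, ALLOWLIST):
        print(f"{user:6} {src:22} {verdict}")
```

The ordering in evaluate() matters: checking the source address before anything else mirrors the firewall-in-front option, where a connection from an unknown address never reaches the SMA's login page at all, which is the point of the advice. Running the same records through a candidate allow-list before enforcing it on the appliance shows which legitimate users (home workers, partners) would be cut off and need an entry added.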