Cyber-security firm NCC Group said on Sunday that it had detected active exploitation attempts against a zero-day vulnerability in SonicWall networking devices.
Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
NCC researchers said they notified SonicWall of the bug and the attacks over the weekend.
The researchers believe they identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall’s own internal network in a security breach the company disclosed on January 23.
The January 23 zero-day impacted Secure Mobile Access (SMA) gateways, a type of networking device deployed inside government and enterprise networks to give remote employees access to intranet resources. SonicWall listed SMA 100 Series devices as impacted by the January 23 zero-day.
A SonicWall spokesperson did not respond to a request for comment on whether NCC researchers had discovered the same zero-day or a new one.
Per the @SonicWall advisory – https://t.co/teeOvpwFMD – we’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we’ve also seen indication of indiscriminate use of an exploit in the wild – check logs
— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
Responding on Twitter to requests to share more details on the attack so that security experts could protect their customers, the NCC team recommended that device owners restrict access to the management interface of SonicWall devices to the IP addresses of authorized personnel only.
They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.
Yes. It wouldn’t prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended
— Rich Warren (@buffaloverflow) January 31, 2021
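The two mitigations above (restrict the management interface to an allowlist of administrator IPs, and "check logs" for indiscriminate exploitation attempts) can be turned into a simple log review. The following is an added example, not code from NCC Group, SonicWall or the article: it parses a handful of constructed access-log lines, flags every request to the management interface from a source outside the allowlist, and summarizes which outside sources got a successful response. The log line format, the path prefix "/cgi-bin/management" and the allowlist network are assumptions for illustration and are not SonicWall's actual log format or paths.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in an assumed generic format:
# "<timestamp> <src_ip> <dst_port> <path> <http_status>".
# This is NOT SonicWall's log format; substitute a parser for the real one.
SAMPLE_LOG = """\
2021-01-30T21:14:02Z 10.20.30.5 443 /cgi-bin/management 200
2021-01-30T21:15:11Z 203.0.113.44 443 /cgi-bin/management 401
2021-01-30T21:15:12Z 203.0.113.44 443 /cgi-bin/management 401
2021-01-30T21:15:13Z 203.0.113.44 443 /cgi-bin/management 200
2021-01-30T21:16:40Z 198.51.100.7 443 /cgi-bin/management 401
2021-01-30T21:17:05Z 10.20.30.9 443 /cgi-bin/management 200
2021-01-30T21:18:00Z 192.0.2.77 443 /portal/user 200
"""

# Assumed allowlist: the internal subnet from which administrators are expected
# to reach the management interface. Everything else is flagged.
MANAGEMENT_ALLOWLIST = ["10.20.30.0/24"]

# Assumed path prefix identifying management-interface requests in the log.
MANAGEMENT_PATH_PREFIX = "/cgi-bin/management"

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, path, status = m.groups()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "port": int(port),
        "path": path,
        "status": int(status),
    }


def is_allowed(src, allowlist):
    """True if src (string or ip_address) falls inside any allowlisted network."""
    addr = ipaddress.ip_address(str(src))
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def find_unauthorized_management_access(log_text, allowlist):
    """Return every management-interface request whose source is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGEMENT_PATH_PREFIX):
            continue  # unparseable, or not aimed at the management interface
        if not is_allowed(rec["src"], allowlist):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source and list the ones that succeeded (HTTP 200)."""
    by_src = Counter(str(h["src"]) for h in hits)
    successes = [(h["ts"], str(h["src"])) for h in hits if h["status"] == 200]
    return {"unauthorized_sources": dict(by_src), "unauthorized_successes": successes}


if __name__ == "__main__":
    flagged = find_unauthorized_management_access(SAMPLE_LOG, MANAGEMENT_ALLOWLIST)
    report = summarize(flagged)
    for src, count in report["unauthorized_sources"].items():
        print(f"{src}: {count} management request(s) from outside the allowlist")
    for ts, src in report["unauthorized_successes"]:
        print(f"SUCCESSFUL management access from outside the allowlist: {src} at {ts}")
```

On the constructed sample this flags two outside sources (one of which eventually received a 200 after two 401s) while the two internal administrators and the non-management portal request pass untouched. A repeated 401 followed by a 200 from a source that should not reach the interface at all is exactly the kind of pattern worth triaging, and it also shows why the allowlist is only a post-exploitation limiter: it narrows who can talk to the interface, but does nothing about the bug itself, as Warren's reply notes.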