Researchers Spot SonicWall Exploit in the Wild

Security researchers believe that they’ve observed attacks in the wild exploiting a recently discovered SonicWall vulnerability.

The technical Twitter account for global information assurance firm NCC Group posted yesterday referencing the original SonicWall advisory.

“We’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we've also seen indication of indiscriminate use of an exploit in the wild – check logs,” it urged.

Followers of the account probed for more details, but NCC Group was careful not to disclose too much to potential cyber-criminals monitoring the situation.

It explained that monitoring logs for “source IPs hitting management interfaces you would not expect” would be a good place to start in trying to weed out the threat.

The news comes as SonicWall continued to update its customers on the status of the incident.

It noted on Friday that the presence of the zero-day in its SMA 100 series products remains unconfirmed. The security vendor first observed attacks on the secure remote access products “exploiting probable zero-day vulnerabilities,” when sophisticated threat actors targeted its own internal systems.

The update late last week claimed that some customer reports of potentially compromised SMA 100 series devices were actually the result of attackers using previously breached credentials.

“The SMA appliance, due to its nature and due to prevalence of remote work during the pandemic, effectively acts as a ‘canary’ to raising an alert about inappropriate access. These specific cases came to light through, and were mitigated by, MFA or End Point Control (EPC),” it said.

“This further emphasizes the importance of enabling these features, not only on the SMA series, but across the entire enterprise as a generally recommended security practice.  In the age of cloud services and remote work, credentials can be the key to the kingdom and attackers are keenly aware of this.”

SonicWall also clarified that although some recent social media posts have shared PoC exploit code and screenshots of allegedly compromised devices, this code is not effective against firmware updates released after a 2015 patch.

UPDATE: As of Wednesday, SonicWall had issued a patch for the affected products.

What’s Hot on Infosecurity Magazine?