The security vendor is investigating potential zero-day vulnerabilities in its Secure Mobile Access (SMA) 100 series.

SonicWall is investigating “probable” zero-day flaws in its remote access security products that have been targeted by “highly-sophisticated” attackers. The company says it is investigating the attack and will update customers within 24 hours.

The security company said it is currently investigating its Secure Mobile Access (SMA) 100 series hardware for potential vulnerabilities linked to a reported cyberattack. SMA 100 is a gateway for small- and medium-sized businesses that lets authorized users access resources remotely. SMA 100 also gives system administrators visibility into remote devices that are connecting to the corporate network – and grants endpoints access based on corporate policies.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” according to SonicWall, which first alerted the public to the attack on Friday evening.

SonicWall said current SMA 100 series customers may continue to use NetExtender for remote access with the SMA 100 series, as it has determined that this use case is not susceptible to exploitation. NetExtender is SonicWall’s VPN client for Windows and Linux, and allows customers to connect to SMA 100 for secure access to their company’s network.

However, “we advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability,” according to SonicWall.

Organizations that utilize SMA 100 series products should also use a firewall to allow SSL-VPN connections to the SMA appliance only from known or whitelisted IPs, or configure whitelist access directly on the SMA itself, SonicWall recommends.

Not affected by the hack are SonicWall’s lineup of firewall products, the company’s SMA 1000 series, SonicWall SonicWave access points (APs) and the NetExtender VPN client. Initially, in its Friday disclosure SonicWall had identified the NetExtender 10.X VPN client as potentially being targeted by attackers – however, the company said that has now been ruled out.

“[NetExtender] may be used with all SonicWall products,” according to the company. “No action is required from customers or partners.”

Further information about the cyberattack itself is not available at this time; when asked by Threatpost for further comment, a SonicWall spokesperson said the only information it will currently divulge is within its security alert. On Monday, SonicWall said on Twitter that it will provide another update on the attack “within 24 hours” and is “committed to transparency during our ongoing investigations.”

SonicWall said it has recently tracked a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations. The recent cyberattack also comes during a surge in remote workforces due to the COVID-19 pandemic. The presence of vulnerabilities in remote access products gives attackers the ability to tap into the increased number of remote employees.

In October 2020, SonicWall disclosed a critical security bug in its SonicWall VPN portal that can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. And in 2018, researchers discovered variants of the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in SonicWall.