
Cyber security firm NCC Group said on Sunday that it detected active exploitation attempts against a zero-day vulnerability in SonicWall network devices.
Details on the nature of the vulnerability have not been made public to prevent other threat actors from studying it and starting their own attacks.
“We saw it used by a single threat actor earlier in the week. We were just raising the honeypot at the time, so we didn’t get the full order,” Rich Warren, a security researcher at NCC Group, told ZDNet.
“This led us to do some reverse engineering based on the request path and we found the bug that we believe the attacker was using.”
NCC researchers said they notified SonicWall of the bug and of the attacks over the weekend.
The researchers believe they have identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall’s own internal network in a security breach that the company disclosed on January 23.
The January 23 breach affected Secure Mobile Access (SMA) gateways, a type of network device used within government and corporate networks to give remote employees access to intranet resources. In its January 23 disclosure, SonicWall listed the SMA 100 series devices as affected.
A SonicWall spokesman did not return a request for comment to confirm whether the NCC researchers had discovered the same zero-day or a new one.
Per @SonicWall’s notice – https://t.co/teeOvpwFMD – we identified and demonstrated the potential exploitation of a possible candidate for the vulnerability described and sent details to SonicWall – we also saw an indication of the indiscriminate use of an exploitation on the loose – check History
– NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
Responding on Twitter to requests to share more details about the attack so that security experts could protect their customers, the NCC team recommended that device owners restrict which IP addresses are allowed to access the SonicWall device management interface to just IPs of authorized personnel.
They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.
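As an added example (not NCC Group's or SonicWall's code), the following Python script audits an access log for requests to the device management interface that come from addresses outside an authorized-IP allowlist, which is one way to check whether the restriction recommended above is actually in effect. The log line format, the management URL prefixes and the allowlisted networks are all assumptions made for the example; a real appliance's log format and paths may differ.

```python
"""Audit management-interface access against an IP allowlist.

Added example, not code from NCC Group or SonicWall. Assumes a
Combined-Log-style access log and hypothetical management URL prefixes.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Hypothetical allowlist of networks used by authorized administrators (assumption).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Hypothetical URL prefixes served by the management interface (assumption).
MGMT_PREFIXES = ("/admin/", "/cgi-bin/management")

# Matches: client-ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (ip, path, status) for every management-interface request
    whose source is not on the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(MGMT_PREFIXES):
            continue
        try:
            if is_allowed(rec["ip"]):
                continue
        except ValueError:
            # Unparseable source address: report it rather than silently drop it.
            pass
        findings.append((rec["ip"], rec["path"], int(rec["status"])))
    return findings


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - admin [31/Jan/2021:10:02:11 +0000] "GET /admin/index.html HTTP/1.1" 200 512',
    '198.51.100.77 - - [31/Jan/2021:10:03:45 +0000] "POST /cgi-bin/management HTTP/1.1" 401 0',
    '198.51.100.77 - - [31/Jan/2021:10:03:49 +0000] "GET /admin/config HTTP/1.1" 200 2048',
    '192.0.2.8 - - [31/Jan/2021:10:05:00 +0000] "GET /portal/login HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in audit(SAMPLE_LOG):
        print(f"management request from non-allowlisted {ip}: {path} -> {status}")
```

Run against a real log export, the non-empty findings list is the set of sources that should not be able to reach the management interface at all once the allowlist is enforced at the network edge; note that a 200 response to a non-allowlisted source is the case worth investigating first, since a 401 only shows that the path was reachable.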
Yes. This would not prevent the vulnerability from being exploited, but it would limit post-exploitation. In addition to MFA, as SonicWall recommended
– Rich Warren (@buffaloverflow) January 31, 2021