Just disclosed on January 22: SonicWall, a popular US-based vendor of networking devices and security hardware, was hacked via a zero-day vulnerability in its very own VPN products. SonicWall has issued an urgent security advisory summarizing the affected devices and software and the mitigation strategies for each. An investigation is underway, and SonicWall is describing the incident as a “coordinated attack on its internal systems by highly sophisticated threat actors.” At the moment, this is the information we have:
- SMA 100 Series: The SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) remains under investigation for a vulnerability. However, we can issue the following guidance on deployment use cases:
  - Current SMA 100 series customers may continue to safely use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation.
IMPORTANT: At this time, it is critical that organizations with active SMA 100 Series appliances take the following action:
- Enable two-factor authentication (2FA) on SMA 100 series appliances
  - Please refer to the following knowledgebase article: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-time-based-one-time-password-totp-in-sma-100-series/180818071301745/
In addition to implementing 2FA, SMA 100 series administrators may also consider the following to further secure access to these devices:
- Enable Geo-IP/botnet filtering and create a policy blocking web traffic from countries that do not need to access your applications.
  - See page 248 of the SMA 100 Series 10.2 Administration Guide
- Enable and configure End Point Control (EPC) to verify a user’s device before establishing a connection.
  - See page 207 of the SMA 100 Series 10.2 Administration Guide
- Restrict access to the portal by enabling Scheduled Logins/Logoffs
  - See page 117 of the SMA 100 Series 10.2 Administration Guide
At this time, SonicWall is still in the process of releasing details of the zero-day vulnerability and has asked its partners and customers to refer to its Knowledge Base as more information becomes available.
What Does This Mean to Our Partners?
VPN vulnerabilities continue to be a popular method for threat actors to gain initial access to an organization’s network. Once they have a foothold, they move laterally, steal valuable data and credentials, and eventually deploy ransomware. SonicWall is a well-known manufacturer of hardware firewall devices, VPN gateways, and network security solutions. Its products are widely used across SMB, SME, and large enterprise organizations. SonicWall is the latest major cybersecurity vendor to disclose a cyberattack in the last three months, following FireEye, Microsoft, and others.
Hacks are on the rise, especially during the current pandemic. As more of the world’s workforce works from home, the chances of accidental lapses in security have increased. Ensure that you and your clients are following all cybersecurity best practices. MSPs and IT teams should educate users and emphasize the importance of everyday IT hygiene. Common practices such as keeping all devices, apps, and software up to date, installing patches in a timely manner, requiring complex passwords and multi-factor authentication, and auditing user access are a fantastic start to preventing breaches.
How to Protect Yourself and Your Clients
Cyberattacks that exploit software vulnerabilities are increasingly popular with threat actors and, unfortunately, sophisticated and hard to detect. With more significant government and corporate players coming under cyber assault, it is more important than ever to invest in a cybersecurity solution that will work for you 24/7/365. Blackpoint’s true Managed Detection & Response (MDR) team works around the clock to actively hunt even the most advanced threats and provides rapid responses to any compromise. Contact us to safeguard your business today.