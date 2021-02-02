



Network security provider SonicWall said Monday that hackers were exploiting a critical zero-day vulnerability in one of the firewalls it sells.

SonicWall said in an advisory updated Monday that the security flaw lies in its Secure Mobile Access (SMA) 100 series. The vulnerability, which affects SMA 100 firmware version 10.x, will not receive a fix until the end of Tuesday.

Monday’s update came a day after security firm NCC Group announced on Twitter that it had detected indiscriminate use of exploits. NCC’s tweet referred to an earlier version of the SonicWall advisory, which stated that the company’s researchers had identified a coordinated attack on its internal systems by advanced threat actors exploiting zero-day vulnerabilities in certain SonicWall secure remote access products.

A spokeswoman for NCC Group wrote in an email: “Our team has observed signs of attempted exploitation of vulnerabilities affecting SonicWall SMA 100 Series devices. We are working closely with SonicWall to investigate this in more detail.”

In Monday’s update, SonicWall representatives said the company’s engineering team confirmed that NCC Group’s submission included a significant zero-day in the SMA 100 Series 10.x code. SonicWall is tracking it as SNWLID-2021-0001.

With this disclosure, SonicWall becomes at least the fifth large company in recent weeks to report that it has been targeted by sophisticated hackers. The others include network management tool provider SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also reported that it was targeted, but said the attack was unsuccessful.

Neither SonicWall nor NCC Group has said that the hacks involving the SonicWall zero-day are associated with the larger SolarWinds hacking campaign. However, there is widespread speculation that the two are related, based on the timing of the disclosure and some of its details.

NCC Group declined to provide additional details before the zero-day is fixed, in order to prevent further exploitation of the flaw.

If you use SonicWall’s SMA 100 series, you should carefully read the company advisory and follow its temporary instructions to protect your product before the fix is released. Chief among them:

- Enable MFA if you need to continue operating the SMA 100 series appliance until a patch is available. This is an *important* step until the patch is available.
- Reset user passwords for accounts that used the SMA 100 series with 10.x firmware.
- If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall.
- Shut down the SMA 100 series device (10.x) until the patch is available.
- Or, after a factory-default reboot, load firmware version 9.x. *Please back up your 10.x settings.* Important note: downgrading directly from firmware 10.x to 9.x with settings intact is not supported. You must first reboot the device with factory defaults and then either load a backed-up 9.x configuration or reconfigure the SMA 100 from scratch. If you choose to install 9.x, be sure to follow the multi-factor authentication (MFA) best-practice security guidance.

SonicWall firewalls and SMA 1000 series appliances, and all their respective VPN clients, are unaffected and can be used safely.

