
Cyber-security firm NCC Group said on Sunday it has detected active exploitation attempts against a zero-day vulnerability in SonicWall network equipment.
Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
NCC researchers said they notified SonicWall of the bug and of the weekend attacks.
The researchers believe they identified the same zero-day vulnerability that a mysterious threat actor used to access SonicWall’s own internal network during a security breach that the company revealed on Jan. 23.
The January 23 zero-day affected Secure Mobile Access (SMA) gateways, a type of network device used within government and corporate networks to give remote workers access to resources on intranets. SonicWall listed SMA 100 Series devices as affected by the January 23 zero-day.
A SonicWall spokesperson did not return a request for comment to confirm whether NCC investigators discovered the same zero-day or a new one.
According to the @SonicWall advisory – https://t.co/teeOvpwFMD – we identified and demonstrated the exploitability of a potential candidate for the described vulnerability and sent details to SonicWall – we also saw evidence of random use of an exploit in the wild – check logs
– NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
The NCC team responded on Twitter to requests to share more details about the attack so security experts could protect their customers, and advised device owners to restrict access to the management interface of SonicWall devices to the IP addresses of authorized personnel only.
They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.
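The two recommendations above (restrict management-interface access to authorized source IPs, and check logs) can be combined into a simple review of access logs. The script below is an added example, not code from the article, NCC Group or SonicWall; the log line format and the administrator networks are constructed for illustration and do not reproduce any real SonicWall log format.

```python
# Added example: flag management-interface requests whose source IP is not in
# an allowlist of administrator networks. Log format is constructed for this
# example and is NOT a real SonicWall log format.
import ipaddress
import re

# Assumed allowlist of administrator source networks (constructed values).
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.0.2.5/32")]

# Constructed sample log: "<time> src=<ip> dst_port=<port> url=<path> status=<code>"
SAMPLE_LOG = """\
2021-01-31T02:14:07Z src=10.10.0.17 dst_port=443 url=/management/ status=200
2021-01-31T02:15:41Z src=198.51.100.23 dst_port=443 url=/management/login status=200
2021-01-31T02:16:02Z src=192.0.2.5 dst_port=443 url=/management/ status=200
2021-01-31T02:16:55Z src=203.0.113.9 dst_port=443 url=/cgi-bin/portal status=200
2021-01-31T02:17:30Z src=203.0.113.9 dst_port=443 url=/management/ status=401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def is_authorised(src):
    """True if the source address falls inside one of the admin networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETWORKS)


def find_unauthorised_mgmt_access(log_text, mgmt_prefix="/management/"):
    """Return (timestamp, src, url, status) tuples for management-interface
    requests from non-allowlisted sources. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["url"].startswith(mgmt_prefix):
            continue
        if is_authorised(m["src"]):
            continue
        hits.append((m["ts"], m["src"], m["url"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_unauthorised_mgmt_access(SAMPLE_LOG):
        print("ALERT: management access from non-admin source:", hit)
```

Both successful and failed requests from outside the allowlist are reported, since a successful one may indicate that the IP restriction is not actually enforced.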
Yes. It wouldn’t prevent the vulnerability from being exploited, but it would limit post-exploitation. Besides MFA like SonicWall have recommended
– Rich Warren (@buffaloverflow) January 31, 2021