Security researchers have issued an alert about a new SonicWall zero-day vulnerability. NCC Group said it detected active exploitation attempts against the flaw and has notified SonicWall.
SonicWall Zero-Day Exploited in the Wild
SonicWall has analyzed reports from its customers regarding compromised SMA 100 series devices.
“In these cases, we have so far only observed the use of previously stolen credentials to log into the SMA devices,” the team said. SonicWall ties the attacks to the rise in remote work during the pandemic, which has led to more “inappropriate access” attempts, and says the activity underlines the importance of enabling the multi-factor authentication (MFA) or End Point Control (EPC) features on the devices:
“This further emphasizes the importance of enabling these features, not only on the SMA series, but across the entire enterprise as a generally recommended security practice. In the age of cloud services and remote work, credentials can be the key to the kingdom and attackers are keenly aware of this,” the alert pointed out.
Little information about the zero-day has been released so far. By withholding details of the vulnerability, the researchers hope to prevent other threat actors from exploiting it.
NCC Group believes the zero-day it identified is the same one an unknown attacker used to gain access to SonicWall’s internal network. That incident, disclosed on January 23, involved Secure Mobile Access (SMA) gateways, which government and enterprise networks use to give remote employees access to intranets.
SonicWall said it will continue “to fully investigate this matter and share more information and guidance,” and will post further updates to the original alert, so customers should keep an eye on it. The company has also released an updated security best practices guide for SMA 100 series devices, along with instructions on how to enable MFA.
The Many Risks of Remote Work
Remote work has become a focal point of many cyberattacks during the coronavirus pandemic. Another risk to companies is exposed or improperly secured RDP (Remote Desktop Protocol). “The Remote Desktop Protocol (RDP) is a common way for Windows users to remotely manage their workstation or server. However, it has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” Shodan researchers explained last year. Make sure to learn more about the risks of exposing Remote Desktop to the internet.
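One practical check that follows from the Shodan advice above is to verify that RDP logons only arrive from the sources you expect (your VPN pool or management network) and to flag everything else. The script below is an added example, not code from the original article, from Shodan, or from SonicWall. It assumes a simplified key=value export of Windows Security event 4624 (successful logon, where LogonType 10 means RemoteInteractive, i.e. RDP); the sample lines, the allowlisted networks and the field layout are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines: a simplified key=value export of Windows Security
# event 4624. Real events carry the same field names (LogonType, TargetUserName,
# IpAddress) inside XML; the flat layout here is an assumption for the example.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.5.23",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.77",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.40",
    "EventID=4624 LogonType=10 TargetUserName=bob IpAddress=198.51.100.9",
    "EventID=4624 LogonType=10 TargetUserName=carol IpAddress=192.168.10.7",
    "EventID=4624 LogonType=10 TargetUserName=dave IpAddress=-",
    "EventID=4624 LogonType=10 TargetUserName=eve IpAddress=not-an-ip",
]

# Assumed allowlist: RDP sessions are only expected from the internal VPN pool
# and the management LAN. Anything else is exposure worth investigating.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_allowed(ip_text, allowed):
    """True if the source address falls inside one of the allowlisted networks.
    Unparseable addresses are treated as NOT allowed so they surface for review."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_external_rdp_logons(lines, allowed=ALLOWED_SOURCES):
    """Return (user, source_ip) for every successful RDP logon whose source is
    outside the allowlist. Console logons (IpAddress '-') carry no network
    source and are skipped; non-RDP logon types are ignored."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        src = ev.get("IpAddress", "-")
        if src == "-":
            continue
        if not is_allowed(src, allowed):
            hits.append((ev.get("TargetUserName"), src))
    return hits


if __name__ == "__main__":
    for user, src in find_external_rdp_logons(SAMPLE_EVENTS):
        print(f"RDP logon from outside the allowlist: {user} from {src}")
```

Run on the sample lines it reports the `administrator` and `bob` sessions from public addresses plus the malformed `eve` entry, and stays quiet about the internal sessions. In practice the same allowlist should also be enforced in the firewall rule that exposes TCP/3389 (or, better, RDP should sit behind a VPN or gateway with MFA), and this log check then catches the cases where that rule was missed or later loosened.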