In an urgent notice released on the evening of January 22nd, network security company SonicWall disclosed a breach involving their NetExtender VPN client and the SMB-oriented SMA (Secure Mobile Access) 100 series.
This is a product typically employed by users who need to access internal resources safely from satellite locations. It’s important to note that this attack did not affect other SonicWall products — in particular, the similar Secure Mobile Access 1000 series.
According to industry experts who followed the story closely, it was initially hard to discern exactly what had occurred. Though SonicWall was adamant about being “transparent,” Paul Bush, Principal Consultant at OneSource Technology, Inc., said they first learned of the issue “on a Facebook post that was shared by someone in the industry [and linked] to a vague article by SonicWall … The initial details were a little vague … We chose to disable SSL-VPN remote access for all of our clients that use it.”
Basically, what happened was a breach of the company’s internal networks by what SonicWall called “highly sophisticated threat actors” who exploited a zero-day vulnerability.
SonicWall themselves had actually learned of the breach from a contact at SC Media, who had received an anonymous tip about the incident.
If you’re unfamiliar with zero-day vulnerabilities, these are flaws in software (in this case, security software) for which no fix yet exists, because the vendor did not know about them until they were already being exploited.
We spoke to several industry experts about the breach. SonicWall is doing everything they can to fix the issue and repair any collateral damage for themselves and their clients. However, a hack like this is naturally alarming for businesses everywhere who put their faith in network security companies like SonicWall.
Nick Allo at SemTech IT Solutions noted the lack of multiple layers of authentication with SonicWall: “For reasons like this, we continue to advise our clients to add multiple layers of authentication and minimize risk on a zero-trust basis. We require a 2FA also to access VPN connections and with Sophos the agent on the device talks to the firewall. Unfortunately, [this is] something that SonicWall does not have.”
Don Baham, President at Kraft Technology Group, LLC, noted two significant flaws in the way SonicWall was engineered and used: First, the lack of 2FA/MFA enforcement, and “second, it appears IT administrators have configured SonicWALL VPN appliances to allow administration over the public Internet, again with only a username and password protecting the session.”
Ilan Sredni of Palindrome Consulting, Inc. was not surprised by the attack: “Once again, another security product provider gets hacked. It seems like we are discussing the inevitable and therefore lets us know that all of these tools, no matter how much they are tested, are vulnerable … Because of situations like these, it is imperative that multiple layers of security and notifications are implemented in any environment, and that no one solution can be trusted.”
Michael Anderson, President & CEO at 365 Technologies Inc., had a similar takeaway: “The recent exploits at SonicWall and SolarWinds demonstrate that even that approach may not be enough as these tools are also vulnerable. They are also proof that even large, sophisticated, and well-resourced firms can be compromised … MSPs will need to ensure they have a layered defense in place across their clients to protect against single control failures.”
SonicWall has been updating their initial Friday night notice frequently.
According to Guy Baroan, President of Baroan Technologies, “SonicWall has updated their information [and have] confirmed that at this time, NO ACTION IS REQUIRED FOR THE FOLLOWING:
What is STILL under investigation is SMA 100 Series devices. SonicWall has stated that NetExtender use for remote access is ALSO NOT affected and can be continued. SonicWall is advising administrators of these units to disable HTTPS administrative access from the Internet and to disable Virtual Office access as well until they have completed their investigation.”
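The two weaknesses described above, management interfaces reachable from the public Internet with only a password in front of them (Baham) and the interim advice to disable HTTPS administrative access from the Internet (Baroan), are both things an administrator can check for in an exported configuration before an advisory like this forces the question. The following audit script is an added example, not code from SonicWall or from any of the firms quoted; it assumes a hypothetical CSV export of access rules and VPN user records (the column layout is constructed for the example and is not a real SonicWall format) and assumes that the HTTPS management UI listens on one of a few common ports, which should be replaced with the appliance's actual setting.

```python
import csv
import io
from dataclasses import dataclass

# Assumption: ports a hypothetical appliance uses for its HTTPS management UI.
# Read the real value from the appliance's own configuration before relying on this.
MGMT_HTTPS_PORTS = {443, 4433, 8443}


@dataclass(frozen=True)
class AccessRule:
    src_zone: str   # zone the traffic arrives from, e.g. WAN or LAN
    dst_zone: str   # zone the traffic is destined for, e.g. MGMT or VPN
    dst_port: int
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class VpnUser:
    username: str
    mfa_enforced: bool


# Constructed sample exports in a hypothetical CSV layout (not a vendor format).
SAMPLE_RULES_CSV = """src_zone,dst_zone,dst_port,action
WAN,MGMT,443,allow
WAN,LAN,22,deny
LAN,MGMT,443,allow
WAN,MGMT,8443,allow
WAN,VPN,4433,allow
"""

SAMPLE_USERS_CSV = """username,mfa_enforced
alice,true
bob,false
svc-backup,false
"""


def parse_rules(text):
    """Parse the hypothetical access-rule export, normalising zone and action names."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append(AccessRule(
            src_zone=row["src_zone"].strip().upper(),
            dst_zone=row["dst_zone"].strip().upper(),
            dst_port=int(row["dst_port"]),
            action=row["action"].strip().lower(),
        ))
    return rules


def parse_users(text):
    """Parse the hypothetical VPN user export; any value other than true/yes/1 means no MFA."""
    return [
        VpnUser(row["username"].strip(),
                row["mfa_enforced"].strip().lower() in {"true", "yes", "1"})
        for row in csv.DictReader(io.StringIO(text))
    ]


def internet_exposed_management(rules, mgmt_zones=("MGMT",)):
    """Allow rules that let WAN (Internet) traffic reach an HTTPS management port.

    The SSL-VPN portal itself (dst_zone VPN) legitimately faces the WAN and is
    not flagged here; only management-zone destinations are."""
    return [
        r for r in rules
        if r.src_zone == "WAN"
        and r.action == "allow"
        and r.dst_zone in mgmt_zones
        and r.dst_port in MGMT_HTTPS_PORTS
    ]


def vpn_users_without_mfa(users):
    """Usernames of VPN accounts that can log in with only a password."""
    return [u.username for u in users if not u.mfa_enforced]


def audit(rules_csv, users_csv):
    """Run both checks and return human-readable findings."""
    findings = []
    for r in internet_exposed_management(parse_rules(rules_csv)):
        findings.append(
            f"management HTTPS port {r.dst_port} reachable from {r.src_zone} "
            f"({r.src_zone}->{r.dst_zone} allow)")
    for name in vpn_users_without_mfa(parse_users(users_csv)):
        findings.append(f"VPN user {name!r} has no MFA enforced")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES_CSV, SAMPLE_USERS_CSV):
        print("FINDING:", finding)
```

On the constructed sample the script reports the two WAN-to-MGMT allow rules and the two accounts without MFA, while leaving the WAN-facing VPN portal rule alone, since that is the one service a remote-access appliance must expose. The point of separating the two checks is that they correspond to the two separate failures the consultants describe: exposure of the administrative surface, and a single authentication factor guarding the session.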
All of these developments are alarming, and according to Ian Hansen of Philantech3, they are evidence that the notion that a VPN is the answer for every company, whatever its circumstances, should be questioned:
“This incident … highlights the importance of determining whether a VPN, which essentially extends a connection to a remote location, is the most secure way for companies to allow remote access into their company data. Companies should look carefully at whether a VPN best suits their security needs because if remote endpoints are not secured but are connected to a corporate network through a VPN, then essentially that company is vulnerable to the weakness on that remote user’s end.”
For more information on the breach at SonicWall, check their Product Notifications page.