SonicWall zero-day exploited in the wild


Cyber-security firm NCC Group said on Sunday that it had detected active exploitation attempts against a zero-day vulnerability in SonicWall network devices.

Details about the nature of the vulnerability were not disclosed, to prevent other threat actors from studying it and launching their own attacks.

“We saw it used by a single threat actor earlier in the week. We only had the honeypot up at the time, so we did not get the full request,” Ryk Warren, a security researcher at NCC Group, told ZDNet.

“This led us to do reverse engineering based on the request path, and we found the bug that we believe the attacker was using.”

NCC researchers said they informed SonicWall of the bug and the attacks over the weekend.

The researchers believe they have identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall’s own internal network in a security breach the company announced on January 23.

The January 23 zero-day affects Secure Mobile Access (SMA) gateways, a type of networking device used within government and enterprise networks to give remote employees access to resources on internal networks. SonicWall has listed SMA 100 series devices as affected by the January 23 zero-day.

A SonicWall spokesperson did not respond to a request for comment to confirm whether the NCC researchers had discovered the same zero-day or a new one.

Responding on Twitter to requests for more details about the attack so that security teams could protect their customers, the NCC team recommended that device owners restrict access to the management interface of SonicWall devices to the IP addresses of authorized personnel only.

They also recommended enabling multi-factor authentication (MFA) for SonicWall device accounts.

Article was updated at 08:00 ET with comments from Warren.
