What do we know about the SonicWall attack right now?

March 8, 2021

6 min read

Dale Shulmistra

Business Continuity Specialist @ Invenio IT


A new cybersecurity incident rocked the IT industry in January when SonicWall, a cybersecurity company, was successfully compromised via a zero-day flaw. SonicWall confirmed in a statement that it was the victim of a coordinated attack on its internal systems by “highly sophisticated” threat actors that targeted its SMA 100 Series product line.

The SonicWall attack is the latest in a series of high-profile hacks aimed at technology companies. In late December it emerged that SolarWinds was the victim of a supply chain attack that created a significant ripple effect for its wide range of customers. Numerous organizations, from Microsoft to several U.S. federal agencies, were affected. It is widely believed that Russian state-sponsored actors initiated the attack and that Chinese hackers may subsequently have exploited the SolarWinds vulnerability as well.

At this time, it’s not clear if the SonicWall attack is related to the SolarWinds attack, but here’s what we do know so far:

Who is SonicWall?

SonicWall is a Silicon-Valley-based cybersecurity company that debuted in 1991 under the name “Sonic Systems.”

Over the years the company has changed ownership several times and adapted its offerings as technology markets changed. Acquired by Dell in 2012, the company was sold in 2016 and is currently backed by the private equity firms Francisco Partners and Elliott Management. Today SonicWall is a developer of firewalls, VPNs, networking devices and other cybersecurity products.

When did the SonicWall attack occur?

The company disclosed on January 22, 2021, that it had been compromised, but did not reveal when it discovered the intrusion, only describing the timeframe as “recently,” according to CRN.

The hack compromised SonicWall’s Secure Mobile Access (SMA) 100 Series devices, which are designed to provide secure remote access to corporate networks. Affected devices included the SMA 200, 210, 400, 410 physical appliances, and the SMA 500v virtual appliance. To date, forensic experts have not found any evidence in their investigation that SonicWall’s source code has been “modified or otherwise compromised,” the tech company said in its public statement.

What SonicWall vulnerability was exploited?

The attack exploited a zero-day flaw, which, as we explain below, is not a situation to take lightly. A SonicWall company spokesperson stated that a few thousand devices were impacted by the hack. The company said in a statement that its priority in response to the attack was to identify, resolve and provide alerts regarding potential product vulnerabilities that could impact its customers. The company also said it was committed to transparency as it worked through the investigation.

What is a zero-day attack?

A zero-day attack exploits a vulnerability for which no patch exists, either because the flaw hasn’t been discovered yet or, if it has, because it has not been disclosed publicly (often the case when the vendor is quietly working on a fix to deploy). In many cases, the zero-day vulnerability is only discovered as a result of an attack.

Typically, when a vulnerability is discovered in software or hardware, the person who finds it reports it to the developer to give them a chance to build a fix. Occasionally, they’ll also warn others publicly. With zero-day flaws, however, the threat actors discover the flaw first and quickly move to write and deploy malicious code that exploits the weakness, mounting a rapid attack before a fix exists.

Panda Security equates zero-day attacks to “the cyber equivalent of COVID-19.” Zero-day flaws are rarely detected immediately and anti-virus software can’t detect them, yet threat actors are very quick to act on them once discovered, and the ripple effects can spread rapidly.

“Consequently, if [the zero-day flaw] spread across a social network with say, 2 billion users, a virus with a high reproductive rate would take no more than five days to infect more than a billion devices. Yet most worryingly, there are still no patches or antivirus that can counter this type of attack,” Panda Security said in a blog post.

What about SonicWall’s other products?

It is not believed at this time that any other SonicWall products were impacted by the recent hack. SonicWall products that are said not to be affected include SonicWall Firewalls, NetExtender VPN Client, SMA 1000 Series and SonicWave Access Points.

Products affected by the SonicWall attack are concerning

The products hackers targeted in this cybersecurity event are significant because they provide users with remote access to internal resources. During the COVID-19 pandemic, this is a capability that has remained in high demand. When attackers find bugs in these types of tools, the results can be disastrous for affected organizations because of the sensitive areas of the business those tools reach.

It is not yet clear who initiated this attack or what the attacker’s motives were. Details are sparse, but some information has surfaced suggesting the hack was deliberate, with the threat actor aiming to make a quick and lucrative profit.

Was SonicWall targeted by extortionists?

SonicWall has not said much about the extent of the damage caused by the event, but widely circulated media reports in February suggested the company may have been targeted by extortionists. Reportedly, SonicWall has declined to answer specific questions, including whether it paid a ransom. The report also said a cybersecurity researcher discovered posts on a well-known Russian cybercriminal forum on the “dark web” by a user named “SailorMorgan32.”

SailorMorgan32’s postings are said to have advertised data for sale “purportedly stolen from SonicWall,” amounting to several terabytes of data, including three terabytes of source code. Two hours after being noticed, the posts were taken down. An industry source, who preferred to remain anonymous, said SonicWall paid SailorMorgan32 about $5 million and that the cybercriminal then went on vacation. It’s entirely possible, however, that SailorMorgan32 was simply making false claims online to boast. At this point, no one knows for sure what happened or whether the claims of SonicWall being extorted have any basis.

How did SonicWall respond to the breach?

SonicWall responded to the cybersecurity event by notifying the impacted parties, along with regulators. The company also had third-party code reviews conducted to supplement its standard code audits, and the findings were incorporated into the patches released to customers.

“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall said in its alert.

The first critical patch for the SMA 100 Series product line was released by SonicWall on February 3, and the company subsequently deployed another patch update on February 19 with “additional code-hardening.” The latter update also included a “rollup of customer issue fixes” that were excluded in the February 3 patch.

At this time SonicWall “strongly encourages” customers to upgrade to the latest SMA 100 Series firmware and to enable multifactor authentication (MFA) on “all” SonicWall products, as well as on products from other vendors.

Companies need to be vigilant

If there is anything we’ve learned in the short span of 2021 so far, it’s that all organizations, large and small, need to be more vigilant than ever when it comes to protecting their internal data, equipment and networks. Threat actors have, within the last year, made several significant cybersecurity headlines affecting businesses. In 2020, global losses from cybercrime exceeded a whopping $1 trillion, more than a 50% increase over 2018.

According to Security Magazine, the biggest cybersecurity threats businesses face include social engineering, ransomware, DDoS attacks, third-party software and cloud computing vulnerabilities. Any of these types of incidents could result in extended (and costly!) downtime, damage to a company’s brand reputation and the expenses associated with a breach, many of which SMBs cannot afford and may not survive if they are victims of a significant attack.

If the recent breaches on SolarWinds, SonicWall and other major players are any indicator, businesses may be in for a rocky year. A report published by McAfee found that 56% of surveyed organizations said they do not have a plan to “both prevent and respond to a cyber incident.”

As companies continue to largely operate remotely, many will need to revisit their business continuity and cybersecurity strategies and bolster them to better protect their digital assets.

Data protection is critical

Threat actors don’t just target large corporations. A growing number of them actively target small and medium-sized businesses, knowing that many do not have a robust security strategy in place.

Taking preventative steps can go a long way towards identifying any vulnerabilities your company faces and heading off an intrusion. Even with robust network protection and malware solutions deployed, one of the most critical layers of protection remains data backup, so that if any data is compromised or destroyed during a breach (whether by ransomware or other forms of malware), the organization can quickly restore it from backups and maintain its critical operations.
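A backup is only useful for recovery if you can tell, before restoring, that the copy itself has not been encrypted, deleted or replaced during the breach. The following is an added example (not code from Invenio IT or SonicWall) showing one way to do that: record a SHA-256 manifest of the backup set at backup time, keep that manifest somewhere the production environment cannot write to, and compare the backup against it before a restore. The directory layout, file contents and the simulated tampering are all constructed for the demonstration.

```python
"""Integrity-verified backup manifest (added example; constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large backup archives don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file (relative POSIX path) in the backup set to its digest and size."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup directory against a trusted manifest.

    Returns the files that changed (e.g. encrypted in place), disappeared, or
    appeared without being recorded (e.g. a dropped ransom note)."""
    problems = {"modified": [], "missing": [], "unexpected": []}
    current = build_manifest(backup_dir)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            problems["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            problems["unexpected"].append(rel)
    return problems


def demo() -> dict:
    """Constructed scenario: take a backup, store its manifest, then simulate
    a ransomware-style overwrite, a deletion and a dropped note."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # constructed sample backup contents
        (backup / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        # In practice the manifest goes to an offline/immutable store; here it is
        # just serialized to JSON text to show it round-trips.
        stored_manifest = json.dumps(build_manifest(backup))
        clean = verify_backup(backup, json.loads(stored_manifest))

        # Simulate what a breach of the backup location could look like.
        (backup / "db" / "customers.sql").write_bytes(b"\x00encrypted\x00")
        (backup / "config.ini").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"your files are encrypted")
        tampered = verify_backup(backup, json.loads(stored_manifest))

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The clean check returns empty lists; after the simulated tampering it reports `db/customers.sql` as modified, `config.ini` as missing and `README_RESTORE.txt` as unexpected, which is the signal to restore from an older, still-verifiable copy rather than the compromised one. The manifest is only trustworthy if it is stored where the same attacker cannot rewrite it alongside the backup.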

Get more information

Learn more about protecting your organization from cyberattacks and other threats with BC/DR solutions from Invenio IT. Request a free demo or get in touch with our experts for more information. Call (646) 395-1170 or email success@invenioIT.com.

