A SonicWall SMA 100 zero-day vulnerability is being actively exploited in the wild, according to a tweet by cybersecurity firm NCC Group.
On January 22nd, SonicWall disclosed that they suffered an attack on their internal systems using a “probable” zero-day vulnerability in specific SonicWall networking devices.
While SonicWall investigates the vulnerability and has not provided many details, they state that it likely affects their SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) line of remote access appliances.
As mitigation against the attack, SonicWall states that administrators need to enable multi-factor authentication (MFA) on the devices and recommend setting up IP address restrictions to the management interface.
SonicWall vulnerability activity exploited in the wild
Over the weekend, cybersecurity firm NCC Group tweeted that they have detected an exploit against SonicWall SMA 100 devices being used indiscriminately in the wild.
“Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth,” the NCC Group told an organization.
It is not clear if this exploit is for the same vulnerability recently disclosed by SonicWall but believes it could be a possible candidate.
While NCC Group does not want to provide details of the exploit to prevent further misuse, they suggest administrators monitor their devices’ access logs for unusual IP addresses trying to access the management interface.
Richard Warren, a principal security consultant at NCC Group, also shared that limiting access to the SonicWall management interface would prevent the threat actors from performing post-exploitation attacks.
“Yes. It wouldn’t prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended,” tweeted Warren.
For admins of SonicWall devices, it is recommended that MFA be enabled on devices, and even more importantly, restrict access to the management interface to only specific whitelisted IP addresses.