“‘highly sophisticated threat actors’ targeted its internal systems by ‘exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products’,” per ZDNet.
Ouch! That has got to hurt. SonicWall is in the business of making equipment for security purposes. But as we’ve seen with the massive SolarWinds supply chain attack, everyone is a target and anyone can be compromised. FireEye, Microsoft, Cisco and Malwarebytes, all advanced defenders, were very worthy targets of an as-yet unconfirmed, highly resourced, highly capable adversary that took the time, did the recon and mapped its way right into the heart of its target, SolarWinds, to get to a whole lotta other targets. These included major government agencies for defense and justice, the corporations that secure them, and a plethora of others. What we don’t know is the endgame of this cyberespionage master heist. SonicWall is one more organization that keeps us safe and watches over our networks and data, which makes it a high-value target for a nation-state adversary to consider using in a hypothetical well-crafted, patiently executed supply chain attack.
Reports are that earlier this week the internal systems at SonicWall went down and the attackers accessed source code on the corporate GitLab repository. In the past year we’ve seen increasing breaches involving source code left open and exposed in cloud-hosted Git repos, and attacks where databases or repos are accessed. There are past examples of supply chain attacks where tampered data and automated downloads, trusted because they came from trusted partners, led to very bad outcomes, NotPetya being top of mind. Breaches come with a lot of costs and consequences. And with everyone moving to the Cloud, attackers are storing their malware up there too, for less detection and easy availability.
SonicWall has been quick to respond: there are 0 patches for the 0-days at this time, so it issued an Urgent Advisory today with mitigations you should definitely take for these products:
- NetExtender VPN client version 10.x, connecting to SMA 100 series appliances and firewalls
- Secure Mobile Access (SMA) version 10.x running on SMA physical appliances 200, 210, 400, 410 and the SMAv virtual appliance.
Want to read more? These are the articles I used: