
Cyber Incident Victim: SonicWall

Date:

Jan 2021

Location:

United States of America

Summary

A cybersecurity vendor experienced a breach of its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities in its secure remote access products. The attack initially implicated NetExtender VPN clients and Secure Mobile Access (SMA) gateways, but subsequent investigation narrowed the focus to SMA 100 series appliances as the likely vectors containing unpatched vulnerabilities. Mitigations included restricting SMA device interactions via firewalls, disabling NetExtender VPN access, and enforcing multi-factor authentication for administrative accounts. This incident marked the fourth recent breach of a security vendor, following compromises at other major firms linked to the SolarWinds supply chain attacks, though the company's investigation did not confirm direct attribution to that campaign.

CIA Posture: Available to members

Motives: 3 motives (details available to members)

Tactics, Techniques & Procedures: 3 techniques (details available to members)

Threat Actors: 4 actors

Type: Available to members

Location: Available to members

Description

On January 23, 2021, SonicWall disclosed a security breach involving unauthorized access to its internal systems. The company described the incident as a "coordinated attack" by "highly sophisticated threat actors" who exploited probable zero-day vulnerabilities in certain SonicWall secure remote access products. Initial investigations implicated both NetExtender VPN clients and Secure Mobile Access (SMA) gateways as compromised entry points. However, within hours, SonicWall revised its assessment, narrowing the scope to SMA 100 series appliances as the sole products under active investigation for containing zero-day vulnerabilities. No patches were available for these vulnerabilities at the time of disclosure. The breach marked SonicWall as the fourth cybersecurity vendor to report a security incident within two months, following FireEye, Microsoft, and Malwarebytes—all of which had been compromised during the SolarWinds supply chain attack. Cisco and CrowdStrike had also been targeted in the SolarWinds campaign, though CrowdStrike reported unsuccessful intrusion attempts.


SonicWall responded by publishing mitigations in its knowledgebase to protect customer networks. These included deploying firewalls to restrict access to SMA devices, disabling NetExtender VPN client connectivity to firewalls, and enforcing two-factor authentication for administrative accounts. The company did not disclose the extent of internal network compromise or whether customer data was exfiltrated. Its advisory emphasized the ongoing nature of the investigation while urging customers to implement interim safeguards. The incident highlighted recurring targeting of security infrastructure providers, with SonicWall’s breach occurring amid a wave of high-profile attacks against vendors central to enterprise network defenses. No attribution or motive for the attack was provided in the disclosure.

Sources

1 source (available to members)