SonicWall Zero-Day

Hackers are exploiting a zero-day in SonicWall:

In an email, an NCC Group spokeswoman wrote: “Our team has observed signs of an attempted exploitation of a vulnerabilitythat affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth.”

In Monday’s update, SonicWall representatives said the company’s engineering team confirmed that the submission by NCC Group included a “critical zero-day” in the SMA 100 series 10.x code. SonicWall is tracking it as SNWLID-2021-0001. The SMA 100 series is a line of secure remote access appliances.

The disclosure makes SonicWall at least the fifth large company to report in recent weeks that it was targeted by sophisticated hackers. Other companies include network management tool provider SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also reported being targeted but said the attack wasn’t successful.

Neither SonicWall nor NCC Group said that the hack involving the SonicWall zero-day was linked to the larger hack campaign involving SolarWinds. Based on the timing of the disclosure and some of the details in it, however, there is widespread speculation that the two are connected.

The speculation is just that — speculation. I have no opinion in the matter. This could easily be part of the SolarWinds campaign, which targeted other security companies. But there are a lot of “highly sophisticated threat actors” — that’s how NCC Group described them — out there, and this could easily be a coincidence.

Were I working for a national intelligence organization, I would try to disguise my operations as being part of the SolarWinds attack.

EDITED TO ADD (2/9): SonicWall has patched the vulnerability.

Posted on February 8, 2021 at 12:11 PM8 Comments

Comments

wumpus February 8, 2021 1:31 PM

I suspect that every other “highly sophisticated threat actors” is likely to spring their attacks before some of the needed doors shut after the solar winds investigations.

Clive Robinson February 8, 2021 4:15 PM

@ Bruce, ALL,

The speculation is just that — speculation.

As many will nodoubt know by know that’s kind of my default position with all such things. And I have no opinion other than opinions without strong evidence are not even worth the breath it takes to utter them.

One of the biggest failings of all investigations is “preconceptions”. They are in reality “An idiots hunch”. Which almost always “Take you down twisty little passages to no end”.

There is a reason why the statue of “justice” on the Old Baily in London wears a blind fold, has scales in one hand and a sword in the other. The blindfold is to tell you “NO preconceptions”, the scales are to “MEASURE evidence” and the sword is to remind people to “CUT AWAY all falsehood”[1].

So my first question after “Where is the evidence?”, is “What, where and how/who of the evidence gathering?”. If and only if that passes muster and it very very rarely does with ICTsec SigInt due to how easy it is to fake, it’s followed by “What weight does the evidence have?”. Then I consider is it something “To be kept or cut away?”.

Most ICTsec evidence is highly dubious and easy to fake SigInt that is to often a hunch or notion at best and fails the “Two Source” of Intel gathering, let alone the burden of proof required for a criminal case. It’s become a mantra but non the less true,

Atribution is hard, impossidly hard to often.

Whilst in the tangible physical world forensic evidence is rated highly, and human evidence rightly treated with suspicion… not so in the intangible information world. Where correctly evaluated HumInt is “The gold standard” and what passes for “information forensics” often not worth the paper you note it down on[2].

But that is all by the by, what most peoole have not considered, but realy should is,

Is this more than coincidence? Is there causation?

Personally I think the answer to both is probably “YES” and the root of the causation is COVID.

Put simply whilst remote working/access was “a thing” prior to COVID lock downs, it was “to small market” to show “a decent ROI” for fire&forget type malware deployers. But since COVID lockdowns, “home working” has become a major if not predominant way of working. As with many things in life “home working” was done in a rush and by people with insufficient experience, often at the lowest possible quality (which often is not at the lowest possible price, but by what people think they can screw out of the market as demand easily exceaded supply).

Some may disagree with this “causation” view point, but to say “coincidence” also requires evidence, in which case please present it so it can be rationally discussed.

[1] Some will say that the sword is to “mete out justice” but it does not fit with the blindfold and scales. Mind you “mete” actually means “to measure” as in “dolling out” where everybody gets “equal measure for equall cause”. Something that appears forgotton in the modern world of “show trials” and “kangaroo courts” and “plea bargaining”.

[2] I’ve demonstrated this before and why, as well as show it’s impossible to do anything about it in more cases than most would care to admit (under the Upton Sinclair principle). And by impossible I do mean in the scientific and mathmatical sense, from before the time of electronic computers(1930’s) and autonomously networking them together(1960’s)

SpaceLifeForm February 8, 2021 6:05 PM

@ –

One that has been here trolling for hits and/or seo, well, he is on the second page of the ars article comments.

Currently, the last comment. Posted 3 days after prior comment.

Patriot February 9, 2021 9:26 AM

Well, a global pandemic is the perfect time to try and sneak in. Holidays, bad weather…

How should we describe what is going on between big nations right now? It is like a war, isn’t it?

When do we admit that we are at war? After we have lost?

Cassandra February 12, 2021 10:15 AM

@Clive Robinson

I hate to catch you out, Clive, but the statue that depicts the personification/reification of ‘Justice’ on top of the Old Bailey does not wear a blindfold. The original Roman depictions of Justitia didn’t either. The earliest attestation of a statue of Justitia having a blindfold is in the 16th century.

hxxps://en.wikipedia.org/wiki/Lady_Justice#Blindfold

The lack of the blindfold on that particular statue could be the basis of a good pub quiz question.

Meanwhile, I hope you are planning on playing with a Rydberg receiver:

hxxps://www.rtl-sdr.com/army-builds-wideband-dc-to-20-ghz-quantum-receiver/

Cassandra

Clive Robinson February 12, 2021 6:15 PM

@ Cassandra,

the statue that depicts the personification / reification of ‘Justice’ on top of the Old Bailey does not wear a blindfold

Now you come to mention it, yes it’s true… But you might not like the reason why…

How do I put it “tactfully”…

Let’s say she is assumed to be “The most elderly of ‘old maids’ in London” due to the prudery of the times. She is assumed to not be swayed or influenced because of her “virtue” thus “she does no evil”…

As for the “Rydberg Effect” receiver, the idea is not exactly new… Rydberg atoms and how they behave in E and H fields has been investigated since the 1940’s. There are several teams working on the problems and practical Rydberg sensors in the UK,

https://eqop.phys.strath.ac.uk/rydberg-quantum-devices/

http://etheses.dur.ac.uk/12385/

In principle the idea is simple enough for most to grasp, however as always the devil is in the details…

However one aspect of the “Rydberg Effect” is noise or the lack there of, along with the fact that it alows direct measurments without intermediary steps.

In the field of metrology (science of measurment) one of the down sides is that the instruments you measure with are neither inherantly accurate or stable. They also have biases and nonlinearities and noise occures in each and every point where “work is done” so the use of any transducer including the humble resistor that converts the movment of electrons into IR radiation (heat).

Thus the “Rydberg Effect” strips out many such intermediary noise networks we currently have to contend with.

Any way if not for the fact it’s also potentially a good way to read QBits in quantum computing the Rydberg Effect would be a quiet backwater of research 😉

Cassandra February 13, 2021 6:26 AM

@Clive Robinson

So Justitia, as depicted on the top of the Old Bailey, would be able to capture a unicorn. She has the ‘innocence’ of childhood. uncorrupted by the evils of this world, and so able to be even handed in her dispensation of justice.

Sigh. Its nice to understand the allegory, but it does illustrate the ‘magical thinking’ that continues to be a problem. The process of the Enlightenment and rationalist thinking is by no means over.

On a more security-related topic, it strikes me that the water-treatment plant problem, and others, demonstrate a few things:

1) Humans are fallible. They can be guaranteed to make mistakes.
2) Systems that do not take (1) into account will fail. Sometimes badly.
3) Defence in depth is a Really Good Idea, avoiding the hard shell-soft centre problem.

With regard to (3) the water treatment plant issue did not turn into a major problem because there were independent backup systems to assure water quality. The same should apply to any defensive posture. There are people who think it is OK to have ‘the Internet’, the DMZ, and the internal network as VLANs on the same hardware switch. It gets even worse with software defined networking – but convenience and cheapness are powerful inducements to a lack of security. There is a lot of magical and muddled thinking in the world of security, often encouraged by those who would take advantage of it.

I envy you your duck eggs, and duck and goat meat. I miss the goat curry rotis from the Uxbridge Road near Shepherd’s Bush. Sigh, again. I hope you are doing OK, even with the continuing lockdown.

Cassie

Clive Robinson February 13, 2021 2:23 PM

@ Cassandra,

The process of the Enlightenment and rationalist thinking is by no means over.

True, but everyone needs a little magic in their lives every so often, and I’m guessing there’s more than a few hopefulls knocking at the door of Faunus’ Temple for the three day early spring festival of “agricultural germination”. But if menory serves correctly it was also the time for singles to find a mate or spouse depending on when in history you look. Originally the boys selected girls names but later the Girls selected boys names and quite literally “wore their love on their sleeve, or atleast his name for a week. Thus its unlikely that Justitia would have retained her innocence if not for godly protection. It’s only in the last half millenium or so that it’s become for couples and getting on for a century and a half since Joseph Cadbury’s son Richard started the idea of choclates as gifts…

But to the more serious side of things,

it strikes me that the water-treatment plant problem, and others, demonstrate a few things:

Yes… However 2 is appropriately a double edged sword. Up untill now if you automated anything but the simplest of things you were asking for trouble, via “predictability” which is where most physical securiry falls flat on it’s face with the most gentle of nudges from humans not even intending to harm the system. The more complex a system and the more predictable the response in general the more fragile it is to unintended input or exceptions at it’s outputs.

Thus you have a dilemma of “Who watches the watchers” or in this case who minds the machines and what do people realy expect to get out of them…

Look at it this way if you can train a person to do a job, you should be able to replace them with a machine… But if you can not why not? What is it you expect a human to do that would be different… Also remember humans have a terible issue, which is “train to gain” if you do not put humans through continuous testing either by doing the job or in simulators then they very quickly loose their edge. Think about the statment about “24hours after an exam the student only knows 24% of what they did before the exam” or what ever it realy is. The undeniable issue is humans realy “learn by doing” or more politely “experience”.

Thus you have an issue take the experience away the humans go stale. Thus what accountants hope is that as machines take over from humans, they can manage ten or a hundred times more machines than they could before. Thus they get their experience by having a higher probability of seeing a machine go wrong…

Unfortunatly, this has an underlying fault in the reasoning… Which is the “probability distribution”. The assumption is it will be random but basically flat, the same as it is for many natural unconnected events such as fires.

But fires rarely work together they tend to be independent thus fall very roughly to a known probability curve. Which makes things reasonably predictable. Unfortunatly ICTsec related things tend very much to be dependent… Over the years it’s become clear that things that are dependent thus show up as spikes in the probability do tend to be disbared by insurance companies as “acts of XXX” be it God, War or what ever they can ge away with.

The point is whilst a single person could oversee one or two sites going wrong at the same time, can they do it for ten, a hundred, or a thousand sites all going “Pete Tong” at the same time? The simple answer is “unlikely” with various adverbs preceading it upto “infinitely”.

If we look at “cyber attacks” they come in three basic flavours,

1, unplaned / experimental.
2, Planed but targeted.
3, Planed but untargeted.

The first happens often quite randomly, but can result as a part of finding, or a response to the finding of a zero day. Or sometimes as a result of a zero day becoming “known” in one way or another and exploit code being developed.

When a zero day becomes known, if it gets developed into exploit code. The means and motives of those doing the development decide if it’s used for 2 or 3.

Increasingly 2 and 3 are being merged together to give,

4, Planed and widespread.

This is what Russia has been accused of doing to various of the old CCCP cold war territories. The problem is as often as not the attacks do not come from Russia but other of these old CCCP Soviet Block states. Or even from within the state it’s self (as I’ve been known to say “attribution is hard” with the odd adverb thrown in for good measure).

But lets take things a little further the US “irrational actor” response to Russia developing nuclear weapons was MAD. Whilst sounding good in a two player game it falls totaly appart when there are other parties playing along out of sight. Thus all stratagies should be for a multiple unknown opponent game, and not be a default “blow up all players on our little list” or just “blow the planet up”…

As mentioned before attribution is hard, one reason for this if “false flag” operations even unintentional ones are just to easy to do. What do I mean by unintentional? Well just simply trying to hide who is attacking, may have no intent on others being blaimed. The problem is that those attacked will make assumptions about who and are very likely to get it wrong. For instance the US has done this a couple of times, and you would think they would learn from it… To see how this hiding can become an unintentional blaiming of others think back to Ed Snowden, he was just hiding his activities not intending for others to be blaimed, which is part of the reason he first went on the run, then released the trove of information and realising what would happen went public.

But lets assume I am happy with others getting the blaim, in fact that is my plan, what is the easiest way to go about it?

Well the simplest way is to put in place payloads that are “time bombs with dead mens switches”. We are starting to see this thinking with ransom ware and I’m sure higher level actors have probably put such things in place.

After all the photos of the NSA “chop shop” intercepting the supply chain and putting in custom hardware/firmware that cannot be easily found or exorcised is just one way.

I suspect that some one worked out what the likely result wouls be of then President Obama’s “Big Red Button” to turn the Internet off would end up doing. Let’s put it this way it’s not exactly something difficult to work out I suspect most children of moderate intelligence in the 10-12 year age range could work it out.

But back to one of my more favourite activities, the enjoyment of life in part through food and good company,

I miss the goat curry rotis from the Uxbridge Road near Shepherd’s Bush.

Part of my stamping ground back in the late 1970’s through 1980’s when I was young and into Pirate Radio…

The area has unfortunately changed in many ways, and become more large business friendly, not mom-n-pop friendly 🙁 If you can remember the area from back then this Music Vid from Chris Rea, might bring a tear to the eye. The tower blocks you see in it were ones we used to but an FM station out from, and the views are Westway rather than the Uxbridge road to it’s south. But hey, it’s kind of lucky there is any video of the area,

https://m.youtube.com/watch?v=abZlWqVeLzg

However I also wore the green, and there was a young lady I was rather fond of, and it was this Chris Rea song, that got us together in a NAFI surounded by around 200 others all there for a major shooting competition. We were between events and playing a game of pool against two guys from another regiment. Somebody put the record on the jukebox and the then very popular beat started to much foot taping and similar. As I played a shot I swaggered around in time to the music just for the fun of it, and to my suprise she turned to me and sang the chorus, and grabed my hand, so we did dance whilst others thumped their pool ques on the floor along with cat calls, whistles and other encoragment.

https://m.youtube.com/watch?v=JsfQnmrUS9A

Happy days and fond memories, OK NAFI food is not the greatest but good company can lift the occasion.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.