SonicWall Reports Malicious NetExtender Client Exploit

SonicWall has issued a critical advisory alerting customers to a malicious version of its SSL VPN NetExtender application, which is being used to steal VPN configurations and credentials. The company found that threat actors altered two key files within the application, which is widely used by organizations for secure remote access. In response, both SonicWall and Microsoft have implemented measures to prevent the distribution of these compromised versions.
Malicious Version Identified
Earlier this week, SonicWall, in collaboration with Microsoft Threat Intelligence (MSTIC), discovered a modified version of the NetExtender SSL VPN application. This malicious variant was found hosted on a website that enabled users to download a trojanized release of the application, specifically version 10.3.2.27. The threat actors managed to digitally sign this altered version, allowing it to bypass security checks on Windows systems. The digital certificate used for this purpose was issued to “CITYLIGHT MEDIA Private LIMITED,” raising concerns about the security of digital signatures.
If users inadvertently downloaded this counterfeit version of the SonicWall NetExtender VPN app, they would unknowingly install two modified applications: “NeService.exe” and “NetExtender.exe.” The alterations made to NeService.exe enabled the threat actors to circumvent the digital certificate checks that occur when the application is launched. Meanwhile, the modified NetExtender.exe was designed to gather sensitive information about the user’s VPN configuration, including usernames, passwords, and domain details. This data would be transmitted to a remote server once the user clicked the “Connect” button.
Response from SonicWall and Microsoft
In response, SonicWall has updated its malware detection tools to automatically block the malicious software, which has been identified as GAV: Fake-NetExtender (Trojan). Additionally, Microsoft’s Windows Defender software now detects the trojanized version of the application, categorized as “SilentRoute” Trojan (TrojanSpy:Win32/SilentRoute.A). These measures aim to protect users from potential data theft and ensure the integrity of their VPN connections.
Furthermore, the digital certificate that was exploited to sign the malicious installer has been revoked. SonicWall and Microsoft have collaborated to dismantle the websites that were impersonating the legitimate NetExtender VPN application. These actions are part of a broader effort to safeguard users from falling victim to such cyber threats.
Recommendations for Users
SonicWall has strongly advised users to download the NetExtender application exclusively from its official website, steering clear of third-party sources that may host compromised versions. This recommendation is crucial for maintaining the security of VPN configurations and protecting sensitive user information. By following these guidelines, users can significantly reduce the risk of encountering malicious software that could jeopardize their network security.
As cyber threats continue to evolve, it is essential for organizations and individuals alike to remain vigilant and informed about potential vulnerabilities. Regular updates and adherence to security best practices can help mitigate risks associated with using remote access applications.
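Because the trojanized installer carried a digital signature, checking only that a file is signed is not enough; the signer has to be the expected vendor. The following PowerShell audit is an added example, not code from SonicWall's advisory or from this article. The search paths and the expected-signer substring are assumptions to adjust locally; the flagged signer name and the file names are the ones reported above.

```powershell
# Added example: audit Authenticode signers of NetExtender binaries.
# Assumptions (not from the advisory): the default search paths and the
# expected-signer substring. Adjust both for your environment.
param(
    [string[]]$Path = @("$env:USERPROFILE\Downloads", "${env:ProgramFiles(x86)}", "$env:ProgramFiles"),
    [string]$ExpectedSigner = 'SonicWall',                    # assumed substring of the vendor's subject
    [string]$BadSigner      = 'CITYLIGHT MEDIA Private LIMITED'  # signer named in the advisory
)

# Installer packages plus the two binaries the advisory says were modified.
$namePattern = '^(NetExtender.*\.(exe|msi)|NeService\.exe)$'

$results = foreach ($root in $Path) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Order matters: a known-bad signer is reported even if the
            # signature itself still validates on this machine.
            $verdict = if ($subject -like "*$BadSigner*") {
                'KNOWN-BAD-SIGNER'
            } elseif ($sig.Status -ne 'Valid') {
                "SIGNATURE-$($sig.Status)"
            } elseif ($subject -notlike "*$ExpectedSigner*") {
                'UNEXPECTED-SIGNER'
            } else {
                'OK'
            }

            [pscustomobject]@{
                Verdict = $verdict
                File    = $_.FullName
                Signer  = $subject
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Show problems first; an empty result means no matching files were found.
$results | Sort-Object { $_.Verdict -eq 'OK' } | Format-List
```

Any file that is not reported as OK should be treated as untrusted until it is replaced with a copy downloaded from SonicWall's official website.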