SonicWall Alerts Users to Malicious NetExtender Variant Harvesting Sensitive Data

SonicWall has recently identified a malicious campaign involving a trojanized version of its NetExtender application that is being used to steal users' VPN credentials. NetExtender is SonicWall's SSL VPN client; it lets remote users reach enterprise resources over an encrypted tunnel, including file transfers and access to network drives.

Working with Microsoft Threat Intelligence Center (MSTIC), SonicWall found that attackers had built a counterfeit NetExtender installer. It closely mimics the legitimate client, so a user installing it sees nothing obviously wrong.

The fraudulent application is built from the latest official release of NetExtender (version 10.3.2.27) with malicious code added. Notably, it is digitally signed with a certificate issued to Citylight Media Private Limited, an entity with no connection to SonicWall. A valid digital signature only proves that whoever holds that certificate's private key signed the file; it says nothing about whether that party is the vendor. Users who see a valid signature and stop there may trust the compromised software.

The embedded malicious code is designed to extract sensitive information related to the user’s VPN configuration and transmit it to a remote server controlled by the attackers. Specifically, the threat actors have modified two key components of the NetExtender installer:

1. NeService Executable: The attackers altered the function that validates the digital certificates of NetExtender components. With the check disabled, components are executed regardless of whether their signatures verify, so the tampered NetExtender executable is never rejected by the service that would normally catch it.

2. NetExtender Executable: The malicious code in this component runs when the user clicks the ‘Connect’ button. It reads the VPN configuration the user has entered and sends it, including the username, password, domain and other critical data, to the attacker’s server.
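The check the attackers disabled inside NeService can be repeated from the outside. The following PowerShell script is an added example, not SonicWall's code: it runs Get-AuthenticodeSignature over the two components the advisory names and refuses to trust a file unless the signature is valid and the signer is the expected vendor. A valid signature from the wrong company, which is exactly what the Citylight Media Private Limited certificate would produce, is reported as a finding. The install directory, the component file names and the expected signer substring are assumptions; take the real values from a known-good copy downloaded from sonicwall.com.

```powershell
# Added example (not SonicWall's code): verify that NetExtender components carry a
# valid Authenticode signature from the expected vendor, not merely a valid one.
# Assumptions: the install path, file names and expected signer substring below are
# placeholders; compare against a known-good copy from sonicwall.com.

$InstallDir      = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'   # assumed install path
$ExpectedSubject = 'SonicWall'                                               # assumed substring of the legitimate signer's CN
$Components      = @('NEService.exe', 'NetExtender.exe')                     # assumed file names of the two modified components

function Test-NetExtenderSignature {
    param([string]$Path, [string]$ExpectedSubject)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Trusted    = $false
        Reason     = ''
    }

    if ($sig.Status -ne 'Valid') {
        # Covers unsigned, tampered and (after revocation) revoked-certificate cases.
        $result.Reason = "signature status is $($sig.Status)"
    }
    elseif ($result.Signer -notmatch [regex]::Escape($ExpectedSubject)) {
        # The case from the advisory: a chain that verifies fine, but issued to someone else.
        $result.Reason = 'valid signature, but the signer is not the expected vendor'
    }
    else {
        $result.Trusted = $true
        $result.Reason  = 'ok'
    }
    return $result
}

$findings = foreach ($c in $Components) {
    $p = Join-Path $InstallDir $c
    if (Test-Path $p) {
        Test-NetExtenderSignature -Path $p -ExpectedSubject $ExpectedSubject
    }
    else {
        [pscustomobject]@{ File = $p; Status = 'Missing'; Signer = ''; Thumbprint = ''; Trusted = $false; Reason = 'file not found' }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit so the script can gate a software-deployment or compliance job.
if ($findings | Where-Object { -not $_.Trusted }) { exit 1 } else { exit 0 }
```

Once you have a known-good copy, pin the Thumbprint value it reports rather than matching on the subject string; a substring match stops a casual lookalike, a thumbprint match stops anyone who registered a company name containing "SonicWall".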

The implications are significant. With valid VPN credentials, attackers can log in to the corporate network as the victim, leading to data breaches, unauthorized access to sensitive information and disruption of business operations. Any organization that finds the trojanized client on an endpoint should treat the credentials entered into it as compromised and reset them. The stealthy nature of the attack underscores the importance of vigilance when downloading and installing software, even from sites that look official.

Recommendations for Users:

– Verify Software Sources: Always download software directly from official and reputable sources. Avoid third-party websites or links received through unsolicited communications.

– Check Digital Signatures: Before installing any software, verify its digital signature, and check who signed it, not just that the signature is valid. NetExtender components should be signed by SonicWall; a valid signature from any other entity, such as the Citylight Media Private Limited certificate used here, is a red flag.

– Regularly Update Software: Keep all applications, especially security-related ones like VPN clients, updated to the latest versions to benefit from security patches and improvements.

– Monitor Network Activity: Implement network monitoring to detect unusual activity that may indicate unauthorized access or data exfiltration. In this case the tell is the VPN client process connecting to anything other than the organization's own VPN gateway.

– Educate Employees: Conduct regular training sessions to inform employees about the risks of downloading and installing software from unverified sources and the importance of cybersecurity best practices.
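The "Monitor Network Activity" recommendation can be made concrete: the only legitimate outbound connections from NetExtender.exe are to the organization's SSL VPN gateway, so any other destination from that process is worth an alert. The PowerShell below is an added example, not SonicWall's or Microsoft's code. It runs that rule over records shaped like Sysmon Event ID 3 (network connection) events; the events array is constructed sample data and the gateway allowlist is an assumption. In production you would feed it real records from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log instead.

```powershell
# Added example (not vendor code): flag connections made by the NetExtender process
# to hosts outside the organization's VPN gateway allowlist.
# Assumptions: $AllowedGateways is a placeholder for your own appliances; $events is
# constructed sample data with the field names Sysmon uses for Event ID 3.

$AllowedGateways = @('vpn.example.com', '203.0.113.10')   # assumed: your SSL VPN appliances

# Constructed sample events. A real feed would come from something like:
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=3]]'
$events = @(
    [pscustomobject]@{ UtcTime = '2025-06-24 09:01:02'; Image = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender\NetExtender.exe'
                       DestinationHostname = 'vpn.example.com'; DestinationIp = '203.0.113.10'; DestinationPort = 443 },
    # The exfiltration pattern from the advisory: the client talks to a second host right after Connect.
    [pscustomobject]@{ UtcTime = '2025-06-24 09:01:03'; Image = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender\NetExtender.exe'
                       DestinationHostname = '-'; DestinationIp = '198.51.100.77'; DestinationPort = 443 },
    # Same destination from another process is out of scope for this rule.
    [pscustomobject]@{ UtcTime = '2025-06-24 09:02:10'; Image = 'C:\Windows\System32\svchost.exe'
                       DestinationHostname = '-'; DestinationIp = '198.51.100.77'; DestinationPort = 443 }
)

function Find-UnexpectedNetExtenderConnections {
    param([object[]]$Events, [string[]]$Allowed)

    foreach ($e in $Events) {
        # Only the VPN client process is in scope; match on the image file name.
        if ((Split-Path $e.Image -Leaf) -ne 'NetExtender.exe') { continue }

        # Sysmon writes '-' when it has no hostname; fall back to the IP.
        $dest = if ($e.DestinationHostname -and $e.DestinationHostname -ne '-') { $e.DestinationHostname } else { $e.DestinationIp }

        if ($Allowed -notcontains $dest -and $Allowed -notcontains $e.DestinationIp) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Destination = "$($e.DestinationIp):$($e.DestinationPort)"
                Hostname    = $e.DestinationHostname
                Reason      = 'NetExtender.exe connected to a host outside the VPN gateway allowlist'
            }
        }
    }
}

# On the sample data this reports only the 198.51.100.77 connection from NetExtender.exe.
Find-UnexpectedNetExtenderConnections -Events $events -Allowed $AllowedGateways | Format-Table -AutoSize
```

Because the malicious code sends the credentials when the user clicks Connect, the suspicious connection lands within seconds of the legitimate one to the gateway; correlating the two by process and time is a cheaper filter than inspecting TLS payloads.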

SonicWall and Microsoft have mitigated the threat by taking down the websites distributing the compromised NetExtender installer and revoking the signing certificate. Revocation means the signature no longer verifies, but it does not remove copies that are already installed or recover credentials already sent to the attackers, so users must remain proactive in safeguarding their systems against such attacks.