- SonicWall is warning hackers are distributing malicious VPN software
- NetExtender is being modified and distributed through fake websites
- The malicious software steals credentials and VPN configurations
Hackers have been spotted spoofing the SonicWall NetExtender SSL VPN client and distributing it through bogus webpages which mimic the official SonicWall site.
SonicWall and Microsoft Threat Intelligence (MSTIC) spotted the trojanized application and issued an advisory to warn users against downloading the fake software.
As NetExtender is used as a remote access VPN client, stolen VPN configuration data and VPN credentials can put both employees and businesses at risk of compromise.
Spoofed VPN client distributed through fake website
The fake VPN client is signed by “CITYLIGHT MEDIA PRIVATE LIMITED,” giving it a limited level of authenticity which can fool some low level cyber protections.
The file was distributed using SEO poisoning and malvertising techniques which can make the fake website appear above the authentic site, especially in sponsored results.
Therefore, SonicWall has reminded users to only download software from legitimate sources, in this case, sonicwall.com and mysonicwall.com.
In the research conducted by SonicWall and MSTIC, they found two modified binaries of their product being distributed by the fake website; NEService.exe which was modified to bypass digital certificate checks; and NetExtender.exe was modified to steal the configuration data and credentials.
When all the necessary details are entered and the user clicks connect, the data which includes username, password, domain, and more, is extracted and sent to a remote server controlled by the hackers.
Both SonicWall’s and Microsoft’s cybersecurity tools can now detect the malicious software, but other third party software may not yet be configured to detect the files. It’s always a good idea to consult the best antivirus software to protect your devices from modified software and malicious files.
Leave a comment