SonicWall has issued an alert to its customers regarding a compromised version of its SSL VPN NetExtender application, which is being exploited to obtain VPN configurations and user credentials. The company has reported that malicious actors have altered two critical files within the NetExtender app, commonly used by organizations to enable secure remote connections to their networks. Both SonicWall and Microsoft have implemented measures to curb the distribution of these malicious versions.
SonicWall SSL VPN Application Compromised by Threat Actors
This week, SonicWall released a security advisory detailing its findings regarding the compromised NetExtender SSL VPN application. Working alongside Microsoft Threat Intelligence (MSTIC), SonicWall identified a malicious version of the app being distributed from a website that hosted a tampered copy of the latest release, version 10.3.2.27.
Files of the NetExtender application altered by the malicious actor
Photo Credit: SonicWall
According to SonicWall, the malicious version of the NetExtender app was digitally signed to evade security measures on Windows systems. This fraudulent signature was issued to “CITYLIGHT MEDIA Private LIMITED.”
Users who downloaded this counterfeit version of the SonicWall NetExtender VPN app would inadvertently install two altered components: “NeService.exe” and “NetExtender.exe.” Modifications to NeService.exe enabled the attacker to circumvent digital certificate validation when the app was executed.
In addition, the modified NetExtender.exe application was designed to gather sensitive information about the user’s VPN settings, including usernames, passwords, and domain details. This collected data would be transmitted to a remote server as soon as the user clicked the Connect button.
In response to these developments, SonicWall has updated its malware detection signatures to automatically block the identified malicious software, flagged as GAV: Fake-NetExtender (Trojan). Additionally, Microsoft’s Windows Defender detects the compromised version of the app, classified as the “SilentRoute” Trojan (“TrojanSpy:Win32/SilentRoute.A”).
The digital certificate that facilitated the signing of the installer has been revoked, and both companies are actively working to dismantle the websites that falsely impersonated the NetExtender VPN application. SonicWall has emphasized the importance of downloading software exclusively from its official website and avoiding third-party sources.
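One practical check an administrator can run on Windows endpoints, given that the trojanized build replaced NeService.exe and NetExtender.exe and carried a signature issued to “CITYLIGHT MEDIA Private LIMITED” whose certificate has since been revoked, is to audit the Authenticode signature on both binaries. The script below is an added example written for this article and is not SonicWall's or Microsoft's code; it assumes a default NetExtender install directory (adjust `$installDir` for your environment) and assumes that a legitimate build is signed with a subject containing “SonicWall”, which you should confirm against a known-good install before relying on it.

```powershell
# Added example: audit NetExtender binaries for the signer named in the advisory.
# Assumption: default install path; change this for your deployment.
$installDir = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'
$files      = @('NeService.exe', 'NetExtender.exe')   # the two files the advisory says were modified
$badSigner  = 'CITYLIGHT MEDIA Private LIMITED'       # signer of the trojanized build (from the advisory)
$goodSigner = 'SonicWall'                             # assumption: expected substring of the legitimate signer subject

$results = foreach ($name in $files) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path $path)) {
        [pscustomobject]@{ File = $name; Status = 'NotFound'; Signer = ''; Verdict = 'REVIEW: file missing' }
        continue
    }

    # Get-AuthenticodeSignature validates the signature and certificate chain; a revoked
    # certificate yields a non-Valid status once revocation data can be retrieved.
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    if ($subject -like "*$badSigner*") {
        $verdict = 'SUSPICIOUS: signer matches the trojanized build named in the advisory'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "SUSPICIOUS: signature status $($sig.Status) ($($sig.StatusMessage))"
    } elseif ($subject -notlike "*$goodSigner*") {
        $verdict = "REVIEW: unexpected signer $subject"
    } else {
        $verdict = 'OK'
    }

    [pscustomobject]@{
        File       = $name
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Verdict    = $verdict
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets this run under an EDR/RMM job and surface hosts that need attention.
if ($results.Verdict -match '^SUSPICIOUS') { exit 1 } else { exit 0 }
```

Run this from an elevated PowerShell session so the binaries are readable, and pair it with the GAV: Fake-NetExtender and TrojanSpy:Win32/SilentRoute.A detections mentioned above rather than treating the signer check as the only control. If the endpoint cannot reach the CA's revocation endpoints, `Get-AuthenticodeSignature` may still report `Valid` for the revoked certificate, which is why the script matches the known-bad signer name first instead of relying on revocation status alone.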