SonicWall Says Malicious NetExtender Client Used to Steal VPN Credentials

Kaumi Gazette | Technology | 28 June, 2025 | 8.2K Views

SonicWall has issued an advisory informing customers that a malicious version of its SonicWall SSL VPN NetExtender app is being used to steal VPN configuration and credentials. The firm warns that threat actors have modified two files used by the NetExtender VPN application, which is used by a number of organisations to allow remote users to securely connect to the main network. Microsoft and SonicWall have taken measures to block the spread of the modified versions of the NetExtender application.

SonicWall NetExtender VPN Application Was Digitally Signed By Threat Actors

In a security advisory issued earlier this week, SonicWall said that it detected the modified version of the NetExtender SSL VPN application in collaboration with Microsoft Threat Intelligence (MSTIC). The malicious version of the app was hosted on a website that allowed users to download the trojanised version of the latest release, version 10.3.2.27.

The NetExtender application files modified by the threat actor
Photo Credit: SonicWall

 

According to the company, the threat actors digitally signed the trojanised version of the NetExtender app, which allowed it to bypass security checks on Windows. It was signed using a digital certificate issued to “CITYLIGHT MEDIA Private LIMITED”.

If a user downloaded the fake version of the SonicWall NetExtender VPN app, it would install two modified applications, “NeService.exe” and “NetExtender.exe”. The threat actor’s modifications to NeService.exe allowed them to bypass the digital certificate checks performed when the app is loaded.

Meanwhile, the modified NetExtender.exe application would collect details about the user’s VPN configuration, including their username, password, domain, and other information. These would be sent to a remote server once the user clicked the Connect button.

SonicWall has updated its malware detection tool and will automatically block the malicious software after identifying it as GAV: Fake-NetExtender (Trojan). Microsoft’s Windows Defender software will also detect the trojanised version of the app, which is categorised as “SilentRoute” Trojan (“TrojanSpy:Win32/SilentRoute.A”).

The digital certificate used to sign the installer has also been revoked, and the companies worked to take down the websites that were being used to impersonate the NetExtender VPN application. Meanwhile, SonicWall has urged users to download the application from its website instead of using third-party sources.
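
Because the trojanised build carried a digital signature, checking only that the files are signed is not enough; the publisher has to be checked too. The PowerShell script below is an added example (not from SonicWall's advisory or from this article) that inspects the two files named above. The install folder is a placeholder, and the expected publisher text "SonicWall" is an assumption to confirm against a copy downloaded from the vendor's site.

```powershell
# Added example: audit who signed the NetExtender binaries, not just whether they are signed.
param(
    # Assumption: placeholder path; pass the folder where the client is installed.
    [string]$InstallDir = 'C:\Path\To\NetExtender',
    # Assumption: text expected in the legitimate publisher's certificate subject.
    [string]$ExpectedPublisher = 'SonicWall',
    # Signer name the article reports for the trojanised build.
    [string]$KnownBadPublisher = 'CITYLIGHT MEDIA'
)

function Test-NetExtenderSigner {
    param([string]$Path, [string]$Expected, [string]$KnownBad)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    $thumb   = if ($cert) { $cert.Thumbprint } else { '' }

    # Order matters: the reported signer is flagged even when the signature status is Valid.
    $verdict = if ($subject -like "*$KnownBad*") {
        'KNOWN-BAD-SIGNER'
    } elseif ($sig.Status -ne 'Valid') {
        'NOT-VALIDLY-SIGNED'
    } elseif ($subject -notlike "*$Expected*") {
        'UNEXPECTED-PUBLISHER'
    } else {
        'OK'
    }

    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumb
        Verdict    = $verdict
    }
}

# The two files the article says were modified.
$results = foreach ($name in 'NeService.exe', 'NetExtender.exe') {
    $path = Join-Path $InstallDir $name
    if (Test-Path -LiteralPath $path) {
        Test-NetExtenderSigner -Path $path -Expected $ExpectedPublisher -KnownBad $KnownBadPublisher
    } else {
        Write-Warning "Not found: $path"
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Verdict -ne 'OK' }) { exit 1 }
```

The non-zero exit code on any verdict other than OK lets the script be used from endpoint-management tooling to flag machines for follow-up.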
