Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers deploy fake SonicWall VPN App to steal corporate credentials

Hackers spread a trojanized version of SonicWall VPN app to steal login credentials from users accessing corporate networks. Unknown threat actors are distributing a trojanized version of SonicWall NetExtender SSL VPN app to steal user credentials. The legitimate NetExtender app lets remote users securely access and use company network resources as if they were on-site. […]

SonicWall SonicOS

Hackers spread a trojanized version of SonicWall VPN app to steal login credentials from users accessing corporate networks.

Unknown threat actors are distributing a trojanized version of SonicWall NetExtender SSL VPN app to steal user credentials. The legitimate NetExtender app lets remote users securely access and use company network resources as if they were on-site.

The malware-laced version, tracked as SilentRoute by Microsoft Threat Intelligence (MSTIC), mimics the legitimate software that allows remote access to company networks. Users installing the rogue app unknowingly expose their data, as attackers exploit it to gain unauthorized access and steal sensitive information.

A fake NetExtender site hosts a trojanized version signed by “CITYLIGHT MEDIA PRIVATE LIMITED” that steals VPN config data and sends it to a remote server, SonicWall warns.

“The threat actor modified the following component files,” reads the advisory, “which are part of the NetExtender installer, to execute the application and send configuration information to a remote server:

  • NetExtender.exe (Modified file; no digital signature)”
  • NeService.exe (Modified file; digital signature is invalid)
SonicWall VPN

The SonicWall NetExtender service normally checks the validity of its components’ digital certificates before running. If validation fails, it stops. In the trojanized version, attackers modified the code to bypass these checks, letting the program run even if validation fails. They also injected code into NetExtender.exe to steal VPN credentials, like username, password, and domain, and send them to a remote server (132[.]196.198.163:8080) as soon as the user clicks “Connect.”

SonicWall and Microsoft promptly took down the malicious sites hosting a trojanized NetExtender and revoked its certificate. Users should download the app only from official sources. The malware, dubbed “SilentRoute,” is detected by both SonicWall and Microsoft security tools.

The company also published Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)