SonicWall warns of trojanized NetExtender VPN app that steals user data

SonicWall has issued a security alert warning users of a campaign distributing a tampered version of its NetExtender SSL VPN client. The compromised software is being used to steal sensitive user information, including VPN credentials.

In a joint investigation with Microsoft Threat Intelligence (MSTIC), SonicWall found that the attackers built a near-identical replica of the official NetExtender client by modifying version 10.3.2.27 and signing it with a certificate issued to ‘Citylight Media Private Limited’, rather than SonicWall's own code-signing certificate.

The trojanized app is capable of harvesting usernames, passwords, domains, and VPN configuration data, then transmitting it to a remote server controlled by the threat actors.

Key components of the NetExtender installer were altered so that the client no longer validates digital certificates and instead exfiltrates data as soon as the user clicks the 'Connect' button. Specifically, the NeService and NetExtender executables were patched to perform the unauthorized data collection.

SonicWall and Microsoft have since taken action to dismantle the attack infrastructure, including taking down the malicious distribution websites and revoking the digital certificate used to sign the tampered build. Detection signatures have also been updated across both companies' security platforms. SonicWall is urging users to download NetExtender only from official sources to reduce the risk of compromise.
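One concrete check a practitioner can run before installing or trusting an already-installed NetExtender is to verify the Authenticode signature and signer of the installer and of the two binaries the advisory names. The script below is an added example, not SonicWall's or Microsoft's code; the file paths, the install directory and the expected publisher CN are assumptions for illustration and should be confirmed against a copy downloaded from SonicWall's official site. The only indicator taken from the advisory is the signer name used on the trojanized build.

```powershell
# Added example (not SonicWall/Microsoft code): verify the Authenticode
# signature and signer of NetExtender binaries before running them.
param(
    [string]$InstallerPath      = 'C:\Downloads\NetExtender-10.3.2.27.exe', # assumed path
    [string]$ExpectedPublisherCN = 'SonicWall Inc.'                         # assumed; confirm against an official download
)

# Signer named in the SonicWall/MSTIC advisory for the trojanized build.
$KnownBadSigner = 'Citylight Media Private Limited'

function Test-NetExtenderSignature {
    param([string]$Path, [string]$ExpectedCN, [string]$BadSigner)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Status = $null; Subject = $null; SHA256 = $null }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Order matters: an invalid chain (unsigned, tampered hash, untrusted or
    # revoked certificate) is rejected before the subject is even considered.
    $verdict = if ($sig.Status -ne 'Valid') {
        "REJECT: signature status $($sig.Status)"
    } elseif ($subject -like "*$BadSigner*") {
        'REJECT: signed by the known trojan signer'
    } elseif ($subject -notlike "*CN=$ExpectedCN*") {
        'REJECT: unexpected signer'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Path    = $Path
        Verdict = $verdict
        Status  = $sig.Status
        Subject = $subject
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Check the installer; if NetExtender is already installed, also check the two
# executables the advisory says were modified (install directory is assumed).
$targets    = @($InstallerPath)
$installDir = 'C:\Program Files\SonicWall\SSL-VPN\NetExtender'   # assumed default location
foreach ($exe in 'NeService.exe', 'NetExtender.exe') {
    $p = Join-Path $installDir $exe
    if (Test-Path -LiteralPath $p) { $targets += $p }
}

$results = foreach ($t in $targets) {
    Test-NetExtenderSignature -Path $t -ExpectedCN $ExpectedPublisherCN -BadSigner $KnownBadSigner
}
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Verdict -ne 'OK' }) {
    Write-Warning 'A NetExtender binary failed verification: do not run it, and keep the SHA256 for reporting.'
}
```

Because the signing certificate has been revoked, a copy of the trojanized build will now typically fail at the status check rather than at the subject match; the subject checks remain useful for samples signed before revocation data reached the host, or for hosts that cannot reach the CA's revocation service. The SHA256 is printed so that a rejected file can be submitted to SonicWall or a sandbox without re-running it.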

Separately, Trezor, the company behind the eponymous hardware wallet, has warned users about a phishing campaign that abuses its automated support system. The attackers submit fake support tickets whose subject lines carry the phishing lure, prompting the system to send official-looking emails with those same subjects from Trezor's own address. This makes the phishing messages appear legitimate and tricks users into clicking malicious links such as “vault.trezor.guide.”
