SonicWall warns of fake VPN apps stealing user logins and putting businesses at risk - here's what we know

News
By published

A malicious VPN client is being distributed through fake websites

Laptop with warning symbols over the keyboard
(Image credit: Shutterstock)
  • SonicWall is warning hackers are distributing malicious VPN software
  • NetExtender is being modified and distributed through fake websites
  • The malicious software steals credentials and VPN configurations

Hackers have been spotted spoofing the SonicWall NetExtender SSL VPN client and distributing it through bogus webpages which mimic the official SonicWall site.

SonicWall and Microsoft Threat Intelligence (MSTIC) spotted the trojanized application and issued an advisory to warn users against downloading the fake software.

As NetExtender is used as a remote access VPN client, stolen VPN configuration data and VPN credentials can put both employees and businesses at risk of compromise.

Latest Videos From

Spoofed VPN client distributed through fake website

The fake VPN client is signed by "CITYLIGHT MEDIA PRIVATE LIMITED," giving it a limited level of authenticity which can fool some low level cyber protections.

The file was distributed using SEO poisoning and malvertising techniques which can make the fake website appear above the authentic site, especially in sponsored results.

Images showing fake digital certificate and modified executable files from the malicious SonicWall VPN software.

(Image credit: SonicWall)

Therefore, SonicWall has reminded users to only download software from legitimate sources, in this case, sonicwall.com and mysonicwall.com.

In the research conducted by SonicWall and MSTIC, they found two modified binaries of their product being distributed by the fake website; NEService.exe which was modified to bypass digital certificate checks; and NetExtender.exe was modified to steal the configuration data and credentials.

Images showing fake digital certificate and modified executable files from the malicious SonicWall VPN software.

(Image credit: SonicWall)

When all the necessary details are entered and the user clicks connect, the data which includes username, password, domain, and more, is extracted and sent to a remote server controlled by the hackers.

Both SonicWall’s and Microsoft’s cybersecurity tools can now detect the malicious software, but other third party software may not yet be configured to detect the files. It’s always a good idea to consult the best antivirus software to protect your devices from modified software and malicious files.

You might also like

TOPICS
Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.