Ethical Hacking News
A fake SonicWall VPN app has been discovered that steals users' credentials, serving as a warning to remain vigilant when downloading apps from non-trusted sources. With attackers continually evolving their tactics, it is essential to prioritize cybersecurity awareness and stay up-to-date with the latest security patches.
A fake SonicWall VPN app has been discovered that steals users' credentials. The malicious application was distributed through spoofed download sites, and once installed it sent sensitive information to an attacker-controlled remote server. The attackers modified two files in the installer to bypass digital certificate validation checks, which allowed the installer to run despite a fake digital signature. Users are advised to download apps directly from the vendor's website rather than from unknown sources, and to keep their systems up-to-date with the latest patches and security updates.
In a chilling reminder to download apps from trusted sources only, a recent threat intelligence alert has exposed a fake SonicWall VPN app that steals users' credentials. The malicious application, which closely resembles the official SonicWall NetExtender software, was distributed by unknown miscreants through spoofed download sites.
The attackers created a Trojanized installer of SonicWall's legitimate NetExtender 10.3.2.27, digitally signed with a fake "CITYLIGHT MEDIA PRIVATE LIMITED" certificate. When users downloaded and installed the app, they unknowingly gave away their sensitive information related to VPN configuration – username, password, domain, and more – which was then sent to an attacker-controlled remote server.
SonicWall has not yet responded to The Register's inquiries about the campaign's perpetrators, its scope, or the number of users affected. However, it is clear that this scam is a prime example of the ever-evolving nature of cybercrime, with attackers continually finding new ways to compromise user security through sophisticated phishing campaigns and malicious software distribution.
The fake app, which was designed to resemble the real thing, contained two modified files – NeService.exe and NetExtender.exe – both of which are part of the NetExtender installer. These modifications allowed the miscreants to bypass digital certificate validation checks, thereby executing the installer despite an invalid digital signature. The crooks also modified NetExtender.exe with malicious code to send VPN configuration information to a remote server via port 8080.
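A defender-side check for the indicators described above, as an added PowerShell example (not code from SonicWall or from the original report): it inspects Authenticode signatures under a folder you supply and looks for live connections to remote port 8080 owned by NetExtender processes. The `$Path` parameter, the `SonicWall` expected-signer substring and the process names derived from the two file names are assumptions.

```powershell
# Added example; not SonicWall's tooling. Run on the Windows host being checked.
param(
    # Assumption: folder holding the downloaded installer or the installed client.
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: substring expected in the genuine signer's certificate subject.
    [string] $ExpectedSigner = 'SonicWall'
)

# Signer name the article attributes to the trojanized installer.
$KnownBadSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'
# The two binaries the article says were modified.
$Modified = 'NeService.exe', 'NetExtender.exe'

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # The known-bad signer is checked first so it is reported whatever the trust status is.
    $verdict = if ($subject -like "*$KnownBadSigner*") {
        'KNOWN-BAD SIGNER'
    } elseif ($sig.Status -ne 'Valid') {
        "SIGNATURE $($sig.Status)"   # e.g. NotSigned, HashMismatch, NotTrusted
    } elseif ($subject -notlike "*$ExpectedSigner*") {
        'UNEXPECTED SIGNER'
    } else { 'ok' }

    [pscustomobject]@{
        File       = $f.Name
        NamedInArticle = $Modified -contains $f.Name
        Verdict    = $verdict
        Signer     = $subject
        Sha256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Sort-Object Verdict | Format-Table -AutoSize -Wrap

# Point-in-time check: connections to remote port 8080 (the port named in the
# article) owned by a running NetExtender or NeService process.
$procs = Get-Process -Name NetExtender, NeService -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -RemotePort 8080 -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Process'; e = { $p.Name }}, RemoteAddress, RemotePort, State
}
```

Any verdict other than `ok` on a NetExtender file is a reason to stop and compare the SHA-256 against a copy obtained directly from the vendor; an empty connection list only means nothing was connected at the moment the script ran.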
While SonicWall and Microsoft took down the phony websites and revoked the digital certificate used in the scam, it is crucial for users to remain vigilant when downloading apps from unknown sources. It is recommended that users go directly to the vendor's website to ensure their security and prevent similar incidents from occurring.
Furthermore, this incident highlights the importance of keeping one's systems and applications up-to-date with the latest patches and security updates. SonicWall firewalls have recently been targeted by attackers who are likely exploiting a critical bug in the system. Users must act swiftly to address any vulnerabilities that may be present on their systems, as these can serve as entry points for cybercriminals.
In conclusion, this recent threat intelligence alert serves as a wake-up call for cybersecurity awareness and caution when interacting with apps from unknown sources. It is crucial to stay informed about the latest security threats and to take proactive measures to protect oneself and one's organization from falling prey to such scams.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Wake-Up-Call-for-Cybersecurity-The-SonicWall-VPN-App-Scam-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/06/24/unknown_crims_using_hacked_sonicwall/
Published: Tue Jun 24 13:25:14 2025 by llama3.2 3B Q4_K_M