Phishing, Identity, Threat Intelligence
Bogus SonicWall VPN app facilitates user credential theft

(Credit: monticellllo – stock.adobe.com)
SonicWall has warned of ongoing intrusions leveraging a trojanized installer of its NetExtender SSL VPN application to pilfer VPN credentials, The Register reports.
According to SonicWall, which discovered the infostealer campaign together with Microsoft, the attackers used fake download sites to distribute a weaponized NetExtender installer signed with a counterfeit "CITYLIGHT MEDIA PRIVATE LIMITED" certificate. Running it exfiltrated usernames, passwords, domains, and other VPN configuration data. Further analysis of the fraudulent app found that two executable files present in the genuine installer had been modified to bypass validation checks and to deliver VPN configuration information to a remote server at IP address 132.196.198.163 over port 8080. SonicWall has not disclosed the extent of the intrusions or who is behind them, but it has already moved to take down the websites hosting the malicious installer and to have the certificate revoked.
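The practical check this report calls for is twofold: confirm that a downloaded NetExtender installer is signed by the expected publisher rather than merely "signed", and look for live connections to the exfiltration endpoint named above. The following PowerShell is an added example, not code from SC Media, SonicWall or Microsoft. The `$ExpectedPublisher` value is an assumption and must be replaced with the subject of SonicWall's real signing certificate as read from a known-good installer; the counterfeit publisher name, the IP address and the port are taken from the article.

```powershell
# Added example (not from the article, SonicWall or Microsoft).
# Verifies an installer's Authenticode signer and hunts for sessions to the
# reported exfiltration endpoint. Run from an elevated PowerShell on Windows.

$ExpectedPublisher = 'CN=SonicWall Inc.'                # ASSUMPTION: confirm against a known-good installer
$KnownBadPublisher = 'CITYLIGHT MEDIA PRIVATE LIMITED'  # counterfeit signer named in the article
$C2Address         = '132.196.198.163'                  # exfiltration server from the article
$C2Port            = 8080                               # exfiltration port from the article

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject    = '<unsigned>'
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    $trusted = $false
    # A chain-valid signature is not enough: the counterfeit certificate chained
    # to a trusted CA until it was revoked, so the signer subject is checked too.
    if ($sig.Status -ne 'Valid') {
        $reason = "signature status is $($sig.Status)"
    } elseif ($subject -like "*$KnownBadPublisher*") {
        $reason = 'signed by the counterfeit publisher named in the advisory'
    } elseif ($subject -notlike "*$ExpectedPublisher*") {
        $reason = "signer '$subject' does not match the expected publisher"
    } else {
        $trusted = $true
        $reason  = 'valid signature from the expected publisher'
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer     = $subject
        Thumbprint = $thumbprint
        Trusted    = $trusted
        Reason     = $reason
    }
}

function Find-C2Connections {
    # Live TCP sessions to the reported endpoint, joined to the owning process so
    # a responder can see which binary opened them.
    Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort   = $_.LocalPort
                State       = $_.State
                ProcessId   = $_.OwningProcess
                ProcessName = $proc.ProcessName
                ProcessPath = $proc.Path
            }
        }
}

# Usage:
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\NetExtender.exe" | Format-List
# Find-C2Connections | Format-Table -AutoSize
```

`Test-InstallerSignature` deliberately treats `Status -eq 'Valid'` as necessary but not sufficient: a signature from a fraudulently issued certificate validates like any other until the issuer revokes it, so the subject comparison is what distinguishes the genuine publisher from an impostor. `Find-C2Connections` only sees sessions that are open at the moment it runs; for historical coverage, run the same address-and-port filter over firewall or proxy logs.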