SonicWall Breach: Reacting to Threats as an MSP


What happens when SonicWall, one of your biggest vendors, announces a potential cybersecurity threat over the weekend? If you’re us, you get to work.


A SonicWall vulnerability that potentially affected our clients

On Saturday morning, our team woke up to the news that one of our vendors, SonicWall, released an urgent security notice. Some of their products — NetExtender VPN and Secure Mobile Access (SMA) series — had potentially been attacked by what they described as “highly sophisticated threat actors exploiting probable zero-day vulnerabilities.”

As a Managed Service Provider (MSP), we have designed, implemented, and protected the technology infrastructure for hundreds of businesses and organizations. We’ve implemented remote access solutions for years, but COVID sent interest into overdrive. Almost a year ago now, we began informing our clients about their options and setting up solutions to make remote work as safe, easy, and productive as possible. Our remote work solutions include products that were now potentially under attack.


Immediate action to mitigate SonicWall’s cybersecurity risk

Some of our team immediately hopped on a call together to discuss what was going on and how it impacted us. As IT professionals, we’ve developed an incident response plan for situations like this. SonicWall had given us a true test of how well we could handle one.

We set out to limit exposure and mitigate risk — following a philosophy of “better safe than sorry” is key for cybersecurity incidents like this. The minute we heard of the vulnerability, we took proactive action and disabled NetExtender instead of waiting to hear any further updates.

We wanted to ensure our clients had 0% chance of risk in case the products they used for remote access were truly affected.

We divided the work among ourselves to plan our response, with some members managing our technical response and others reaching out to clients. We sent emails to clients (and some of our own staff) who would be affected. The fact that this occurred over the weekend certainly made it less disruptive, but we do have clients who work on the weekends and would be inconvenienced. We wanted to make sure everyone understood that nothing was confirmed to be at risk, and that this was just a proactive action until SonicWall shared more details. Our clients appreciated our communication and responsiveness, with most becoming aware of this SonicWall vulnerability through us.

Fortunately, we had a backup option in the form of RemoteApp. This was already set in place, so anyone who relied on NetExtender could use this resource in the meantime. Because we already had a plan in place, we were able to deal with this unexpected uncertainty.


A test of our plan is just that: a test

And later in the night, SonicWall released an update to their security advisory which narrowed down the scope of affected systems. The affected systems are not used in Integris’s environment and we have never sold or used them for clients. This was great news for us and our clients.

It’s easy for outsiders to look back and think that we overreacted in our response. But imagine if the vulnerability had been in NetExtender! We would have exposed our clients to unnecessary risk by not taking enough proactive measures. Nobody can see an individual incident coming. But we can plan for incidents that we assume we might face, in some fashion, one day.

This incident gave us an opportunity to practice our incident response plan, and our team responded exceptionally well. Huge shoutout to our team, especially CK, AJ, Evan, Lorin, Anthony, Nick, and Jim, for making themselves available and tirelessly working throughout the day to keep our clients secure.

Interested in what our IT services and cybersecurity options can do for your company? We’re happy to have a conversation, so feel free to contact us today.

We're Integris. We're always working to empower people through technology.
