21 April 2021

Three SonicWall zero-days exploited to install a backdoor on devices


Three SonicWall zero-days exploited to install a backdoor on devices

A hacker group has exploited three previously unknown vulnerabilities in SonicWall’s Email Security (ES) product to gain administrative access and code execution on a SonicWall ES device.

The three zero-days are CVE-2021-20021 (improper authentication), CVE-2021-20022 (arbitrary file upload), and CVE-2021-20023 (path traversal). The bugs were discovered by the cybersecurity firm FireEye while investigating an incident at one of its customers.
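Two of the three bug classes named above, arbitrary file upload and path traversal, are the ones that let an uploaded file land somewhere it can be executed as a web shell. As an added illustration (not code from SonicWall or FireEye, and unrelated to how the ES product handles uploads), the Python check below treats a client-supplied file name as untrusted and rejects it unless it is a bare name with a single allow-listed extension whose resolved destination stays inside the upload directory. `UPLOAD_ROOT`, `ALLOWED_SUFFIXES` and the function name are assumed policy values for the example.

```python
import os
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed example (not SonicWall code): a strict upload-name check that
# blocks path traversal and unrestricted file upload. UPLOAD_ROOT and
# ALLOWED_SUFFIXES are assumed policy values, not values from the report.
UPLOAD_ROOT = Path("/srv/app/uploads")
ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf"}


def vet_upload_name(filename: str, root: Path = UPLOAD_ROOT) -> Tuple[Optional[Path], str]:
    """Return (destination path, "ok") or (None, reason) for a client-supplied name.

    The name is untrusted: it must be a bare file name with exactly one
    allow-listed extension, and the resolved destination must be a direct
    child of the upload root.
    """
    name = unquote(filename)  # decode once so "%2e%2e" is judged as ".."
    if not name or "\x00" in name:
        return None, "empty name or embedded NUL"
    if "/" in name or "\\" in name or name in (".", ".."):
        return None, "path separator or dot segment in name"
    if name != os.path.basename(name):
        return None, "name is not a bare file name"
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) != 1:
        # Rejects both extension-less names and "shell.jsp.txt"-style names.
        return None, "exactly one extension is required"
    if suffixes[0] not in ALLOWED_SUFFIXES:
        return None, f"extension {suffixes[0]} not in allow-list"
    root_resolved = root.resolve()
    candidate = (root_resolved / name).resolve()
    # Belt and braces: even after the string checks, insist the final path
    # sits directly under the upload root.
    if candidate.parent != root_resolved:
        return None, "destination escapes upload root"
    return candidate, "ok"


if __name__ == "__main__":
    # Constructed sample names exercising the accept and reject paths.
    for sample in ("report.pdf", "../../web/shell.jsp", "%2e%2e/x.txt",
                   "shell.jsp", "shell.jsp.txt", "notes.TXT"):
        dest, reason = vet_upload_name(sample)
        print(f"{sample!r:24} -> {reason}" + (f" ({dest})" if dest else ""))
```

The string checks and the resolved-path check are deliberately redundant: the first gives a precise rejection reason for logging, the second catches anything the string rules missed, so a future relaxation of one rule does not silently reopen traversal.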

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” FireEye explained in its press release.

The attack was first detected on March 26, 2021, after FireEye's Mandiant subsidiary identified post-exploitation web shell activity on an internet-accessible system within a customer's environment that had SonicWall's Email Security (ES) application running on a Windows Server 2012 installation.

After obtaining administrative access to the device, the threat actor, to which FireEye gave the moniker UNC2682, uploaded Behinder, a publicly available web shell that accepts encrypted command and control (C2) communications, which gave them unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\SYSTEM account.

“After clearing the SonicWall application “webui.json” log file, the adversary escalated their attack to credential harvesting in preparation for moving laterally into the victim's network. The adversary relied on “living off the land” techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product,” according to the report.

FireEye says it managed to thwart the attack, so it’s not clear what the attacker’s final goal was.

SonicWall users are strongly advised to upgrade to the 10.0.9.6173 Hotfix for Windows and the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliances. The SonicWall Hosted Email Security product was automatically patched on April 19, so no additional action is required for it.
