21 April 2021

Three SonicWall zero-days exploited to install a backdoor on devices


A hacker group has exploited three previously unknown vulnerabilities in SonicWall’s Email Security (ES) product to gain administrative access and code execution on a SonicWall ES device.

The three zero-days are CVE-2021-20021 (improper authentication), CVE-2021-20022 (arbitrary file upload), and CVE-2021-20023 (path traversal). The bugs were discovered by the cybersecurity firm FireEye while investigating an incident at one of its customers.

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” FireEye explained in its press release.

The attack was first detected on March 26, 2021, after FireEye's Mandiant subsidiary identified post-exploitation web shell activity on an internet-accessible system within a customer's environment that had SonicWall's Email Security (ES) application running on a Windows Server 2012 installation.

After obtaining administrative access to the device, the threat actor, to which FireEye assigned the moniker UNC2682, uploaded Behinder, a publicly available web shell that accepts encrypted command and control (C2) communications. The web shell gave the attackers unrestricted access to the command prompt with the inherited permissions of the NT AUTHORITY\SYSTEM account.

“After clearing the SonicWall application ‘webui.json’ log file, the adversary escalated their attack to credential harvesting in preparation for moving laterally into the victim's network. The adversary relied on ‘living off the land’ techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product,” according to the report.

FireEye says it thwarted the attack before it progressed further, so the attacker's final goal remains unclear.

SonicWall users are strongly advised to upgrade to the 10.0.9.6173 Hotfix for Windows installations and the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliances. The SonicWall Hosted Email Security product was automatically patched on April 19, so no additional action is required for hosted customers.
