A hacker group has exploited three previously unknown vulnerabilities in SonicWall’s Email Security (ES) product to gain administrative access and code execution on a SonicWall ES device.
The three zero-days are CVE-2021-20021 (improper authentication), CVE-2021-20022 (arbitrary file upload), and CVE-2021-20023 (path traversal). The bugs were discovered by the cybersecurity firm FireEye while it was investigating an incident at one of its customers.
“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” FireEye explained in its press release.
The attack was first detected on March 26, 2021, after FireEye's Mandiant subsidiary identified post-exploitation web shell activity on an internet-accessible system in a customer's environment. That system was running SonicWall's Email Security (ES) application on a Windows Server 2012 installation.
After obtaining administrative access to the device, the threat actor, which FireEye tracks as UNC2682, uploaded Behinder, a publicly available web shell that accepts encrypted command-and-control (C2) traffic. The web shell gave the attackers unrestricted access to a command prompt, running with the permissions it inherited from the application: those of the NT AUTHORITY\SYSTEM account.
“After clearing the SonicWall application ‘webui.json’ log file, the adversary escalated their attack to credential harvesting in preparation for moving laterally into the victim's network. The adversary relied on ‘living off the land’ techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product,” according to the report.
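Two of the traces described above, a file dropped into a web-served directory and a log file that suddenly shrinks, are cheap to catch with a baseline-versus-current file inventory. The script below is an added example, not code from the article, FireEye or SonicWall; the directory layout, file names and hash values are constructed for illustration, and the only name taken from the report is the webui.json log file.

```python
"""Diff a saved file inventory against a fresh one and flag post-exploitation
traces: new files under a web-served directory (a dropped web shell) and a
watched log file whose size went down (a cleared log).

Example code added to this article; paths and hashes below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    size: int       # bytes
    sha256: str     # hex digest of the file contents


# Assumed layout: directories the application serves over HTTP, and log files
# whose shrinkage is suspicious. Point these at the real paths of a deployment.
WEB_SERVED_DIRS = ("/webapps/",)
WATCHED_LOGS = ("/logs/webui.json",)

Inventory = Dict[str, FileRecord]
Finding = Tuple[str, str, str]  # (kind, path, detail)


def _in_web_dir(path: str) -> bool:
    return any(path.startswith(d) for d in WEB_SERVED_DIRS)


def diff_inventory(baseline: Inventory, current: Inventory) -> List[Finding]:
    """Return findings sorted by path. Watched logs are expected to grow, so
    only a size decrease is reported for them; every other content change is
    reported, with a distinct kind when it lands in a web-served directory."""
    findings: List[Finding] = []
    for path, rec in current.items():
        old = baseline.get(path)
        if old is None:
            if _in_web_dir(path):
                findings.append(("new_web_file", path,
                                 f"{rec.size} bytes, not in baseline"))
            continue
        if path in WATCHED_LOGS:
            if rec.size < old.size:
                findings.append(("log_cleared", path,
                                 f"size {old.size} -> {rec.size}"))
            continue  # growth is normal for a log
        if rec.sha256 != old.sha256:
            kind = "modified_web_file" if _in_web_dir(path) else "modified_file"
            findings.append((kind, path, "content hash changed"))
    for path in WATCHED_LOGS:
        if path in baseline and path not in current:
            findings.append(("log_missing", path, "in baseline, absent now"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample inventories (hashes are placeholders, not real digests).
BASELINE: Inventory = {
    "/webapps/index.jsp": FileRecord(1200, "aaaa"),
    "/logs/webui.json": FileRecord(48211, "bbbb"),
    "/bin/app.jar": FileRecord(900000, "cccc"),
}
CURRENT: Inventory = {
    "/webapps/index.jsp": FileRecord(1200, "aaaa"),
    "/webapps/shell.jsp": FileRecord(3400, "dddd"),   # dropped web shell
    "/logs/webui.json": FileRecord(0, "eeee"),        # log emptied
    "/bin/app.jar": FileRecord(900000, "ffff"),       # content changed
}

if __name__ == "__main__":
    for kind, path, detail in diff_inventory(BASELINE, CURRENT):
        print(f"{kind:18} {path:24} {detail}")
```

The baseline has to live somewhere the attacker cannot reach. A web shell running as NT AUTHORITY\SYSTEM can rewrite a baseline stored on the same host just as easily as it truncated webui.json, so keep the saved inventory off-box (or forward the log to a collector before it can be cleared) for the comparison to mean anything.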
FireEye says it managed to thwart the attack, so the attacker's final objective is not known.
SonicWall ES users are strongly advised to upgrade to the 10.0.9.6173 Hotfix for Windows or the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliances. The SonicWall Hosted Email Security product was automatically patched on April 19, so no additional action is required for it.
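Because the fixed build differs by platform, a fleet check has to compare the installed build against the right threshold and compare it numerically, not as a string. The helper below is an added example (not SonicWall tooling); it assumes version strings are dotted integers such as "10.0.9.6173" and that the platform of each host is known.

```python
"""Decide whether a SonicWall ES install is at or above the fixed hotfix build
for its platform. Example code added to this article; the thresholds are the
builds named in the text, everything else is an assumption.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed builds from the advisory summary above. The hosted product was
# patched by SonicWall, so there is nothing for a customer to compare.
FIXED_VERSIONS = {
    "windows": (10, 0, 9, 6173),
    "appliance": (10, 0, 9, 6177),   # hardware and ESXi virtual appliances
}


def parse_version(text: str) -> Version:
    """Turn '10.0.9.6173' (optionally with a leading 'v') into a tuple of ints.
    Any non-numeric component is an error rather than a silent guess."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True when the installed build is at or above the platform's fixed build.
    Tuple comparison handles differing lengths: (10, 0, 10) > (10, 0, 9, 6177)."""
    key = platform.lower()
    if key == "hosted":
        return True
    return parse_version(installed) >= FIXED_VERSIONS[key]


def required_upgrade(platform: str, installed: str) -> Optional[str]:
    """Return the target build as a string if an upgrade is needed, else None."""
    if is_patched(platform, installed):
        return None
    return ".".join(str(n) for n in FIXED_VERSIONS[platform.lower()])


if __name__ == "__main__":
    # Constructed inventory: (hostname, platform, installed version)
    hosts = [
        ("es-win-01", "windows", "10.0.9.6173"),
        ("es-win-02", "windows", "10.0.9.6172"),
        ("es-esx-01", "appliance", "10.0.9.6173"),   # fixed for Windows only
        ("es-hw-01", "appliance", "10.0.10.1"),
    ]
    for name, platform, ver in hosts:
        target = required_upgrade(platform, ver)
        print(f"{name}: {'ok' if target is None else 'upgrade to ' + target}")
```

The third sample host is the case worth remembering: 10.0.9.6173 is the fixed build for Windows installs only, so an appliance reporting that build still needs the 10.0.9.6177 Hotfix.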