Three Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks
SonicWall’s Email Security product is affected by three vulnerabilities that have been exploited in attacks. It took the vendor roughly two weeks to start releasing patches, but a public warning about active exploitation came only 25 days after it learned about the attacks.
FireEye, whose incident response unit Mandiant spotted the vulnerabilities and their active exploitation in March, warned on Tuesday that a threat actor had been observed exploiting the SonicWall Email Security flaws to install backdoors, access emails and files, and move laterally in the victim’s network.
For the time being, FireEye hasn’t been able to definitively link the attackers to any previously known group so it’s tracking the threat actor as UNC2682 — UNC stands for “uncategorized.” The company did note that the hackers appeared to have “intimate knowledge” of how the SonicWall product works.
One of the vulnerabilities exploited in attacks is tracked as CVE-2021-20021, a critical issue that allows a remote, unauthenticated attacker to create admin accounts by sending specially crafted HTTP requests to the targeted system.
The other vulnerabilities, identified as CVE-2021-20022 and CVE-2021-20023, can be exploited by authenticated attackers to upload arbitrary files and read arbitrary files from the host, respectively. These bugs have been assigned a medium severity rating based on their CVSS score, but they can be very dangerous when chained with CVE-2021-20021.
SonicWall says the vulnerabilities impact Email Security for Windows, as well as hardware and ESXi virtual appliances. Hosted Email Security is also affected, but this version is patched automatically. In addition to patches, the vendor has released IPS signatures to detect and block attack attempts.
SonicWall released security advisories for two of the exploited vulnerabilities on April 9 and 10, but only released a public security notice to warn about exploitation attempts on April 20, when it also released an advisory for the third flaw.
Researcher Kevin Beaumont warned organizations on April 13 about how serious the vulnerabilities appeared to be and on April 16 he said it seemed that SonicWall had not reached out to customers to urge them to patch — this was before it became publicly known that the vulnerabilities had been exploited.
SecurityWeek has reached out to SonicWall for clarifications and will update this article if the company responds.
In a blog post describing the vulnerabilities and the attacks, FireEye said the attackers targeted the latest version of the Email Security application running on Windows Server 2012. The hackers exploited CVE-2021-20021 to obtain administrative access to the SonicWall system, then leveraged CVE-2021-20023 to obtain files containing information on existing accounts and Active Directory credentials, and finally used CVE-2021-20022 to deploy a web shell named BEHINDER.
BEHINDER, which is similar to the notorious China Chopper web shell, gave the attackers unrestricted access to the compromised server.
“The adversary relied on ‘living off the land’ techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product,” FireEye researchers explained.
The cybersecurity firm said it locked out the hackers after they had conducted some reconnaissance, so it’s unclear what their objectives were.
This is the second time SonicWall has patched actively exploited vulnerabilities this year. The company revealed in January that its internal systems were targeted by highly sophisticated threat actors that had apparently exploited zero-day vulnerabilities in its Secure Mobile Access (SMA) products. Attacks exploiting one SMA zero-day flaw were later confirmed by other companies.