Application security, Breach, Data Security

Someone is using SonicWall’s email security tool to hack customers

SonicWall noted that the exploitation targets a known vulnerability that has been patched in newer versions of firmware.  (SonicWall)

SonicWall’s email security solution is supposed to help protect customers from phishing attacks, business email compromise, ransomware and other email related threats. However, it appears some attackers have been using previously unknown cybersecurity vulnerabilities in the very same product to break into victim networks.  

Yesterday, the company announced three zero-day vulnerabilities found in SonicWall Email Security. They include a damaging bug that allows an unauthorized user to create administrative accounts on a network (CVE-2021-20021) and two others that allow an already-authenticated attacker to read (CVE-2021-20023) and upload (CVE-2021-20022) files on the victim’s remote host. Together they can be used to access and read a victim’s files or emails, plant malware and conduct other post-compromise activities.

SonicWall said the flaws were discovered during “standard collaboration and testing” and there is evidence at least one of those vulnerabilities is being actively exploited by attackers. A report by Mandiant issued on the same day claims that they first disclosed them to SonicWall on March 26. There are patches available now for all three vulnerabilities.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild,’” the company said on April 20. “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade” to patched versions.

According to a report from the Mandiant team at FireEye, which helped identify the vulnerabilities, an unnamed threat actor leveraged these zero-days along with “intimate knowledge” of SonicWall’s application code in March to plant a backdoor on a victim organization’s network, gain access to emails and files and use it as a foothold to move to other parts of the network. The threat intelligence firm found web shells on a fully-patched, internet-connected version of the email security solution that indicated post-exploitation activity, including efforts to delete application-level log entries.

“While clearing log files is a standard anti-forensics technique, understanding the location of internal log files generated by applications is usually overlooked by most spray-and-pray attackers. This added fuel to our suspicion that we were dealing with an adversary who had intimate knowledge of how the SonicWall ES application worked,” wrote FireEye researchers Josh Fleischer, Chris DiGamo and Alex Penino.

The Mandiant researchers noted that some of the vulnerabilities – like the ability to upload ZIP archives normally used for photos, logos and other branding images to upload web shells and other malicious code – are not unique to SonicWall or its products. Rather, they most likely came from bits and pieces of code hosted in open source libraries or repositories that get used and re-used across many different products, a problem that plagues the software industry writ large.

The intrusion attempt in March, which Mandiant said it was able to stop before the attacks succeeded, was likely carried out by a group they call UNC2682. Short for “Uncategorized Groups,” UNCs are the label FireEye gives to observed clusters of hacking activities that may (or may not) be related. As evidence of attribution and connections become solid, UNC groups are sometimes “graduated” to full-fledged APT or FIN groups later on. Mandiant doesn’t provide much detail about who is behind UNC2682, and because the attack was thwarted they could not discern what the group’s end goals might have been, whether profit, espionage or other reasons.

The report also contains indicators of compromise, telemetry monitoring tips and other guidance for customers who use SonicWall’s email solution.

It’s the second time SonicWall has been hit with an attack leveraging previously unknown weaknesses in their security products this year. In January, the company disclosed that malicious hackers had leveraged a zero-day exploit for their Secure Mobile Access VPN client after SC Media contacted them following an anonymous tip. In September 2020, the company was criticized by security researchers for taking more than two weeks to fix a reported firewall and VPN access flaw that impacted 500,000 organizations and 1.9 million SonicWall user groups.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.