Attackers who seem to have “intimate knowledge” of the SonicWall Email Security product have been discovered leveraging three vulnerabilities, zero-days at the time, in the popular enterprise solution.
Exploited in conjunction, the flaws allowed the attacker to obtain administrative access and code execution on a SonicWall ES device, then install a backdoor, access files and emails, and move laterally into the victim organization’s network.
The SonicWall Email Security zero-day vulnerabilities and the discovered attack
The three vulnerabilities in question are:
CVE-2021-20021, which allowed attackers to create an unauthorized administrative account by sending a crafted HTTP request to the remote host
CVE-2021-20022, which allowed post-authenticated attackers to upload arbitrary files to the remote host
CVE-2021-20023, which allowed post-authenticated attackers to read arbitrary files from the remote host
“In March 2021, Mandiant Managed Defense identified post-exploitation web shell activity on an internet-accessible system within a customer’s environment. Managed Defense isolated the system and collected evidence to determine how the system was compromised,” Mandiant/FireEye researchers shared.
“The system was quickly identified as a SonicWall Email Security (ES) application running on a standard Windows Server 2012 installation. The adversary-installed web shell was being served through the HTTPS-enabled Apache Tomcat web server bundled with SonicWall ES. Due to the web shell being served in the application’s bundled web server, we immediately suspected the compromise was associated with the SonicWall ES application itself.”
An in-depth investigation revealed that the SonicWall ES installation was up to date and that the attackers tried to hide their presence by deleting application-level log entries.
They managed to upload malicious files (the BEHINDER web shell) on the host system and retrieve sensitive ..