Attackers who appear to have “intimate knowledge” of the SonicWall Email Security product have been discovered exploiting three vulnerabilities in the popular enterprise solution that were zero-days at the time of the attack.
Exploited in conjunction, the flaws allowed the attacker to obtain administrative access and code execution on a SonicWall ES device, then install a backdoor, access files and emails, and move laterally into the victim organization’s network.
The SonicWall Email Security zero-day vulnerabilities and the discovered attack
The three vulnerabilities in question are:
- CVE-2021-20021, which allowed attackers to create an unauthorized administrative account by sending a crafted HTTP request to the remote host
- CVE-2021-20022, which allowed post-authenticated attackers to upload arbitrary files to the remote host
- CVE-2021-20023, which allowed post-authenticated attackers to read arbitrary files from the remote host
“In March 2021, Mandiant Managed Defense identified post-exploitation web shell activity on an internet-accessible system within a customer’s environment. Managed Defense isolated the system and collected evidence to determine how the system was compromised,” Mandiant/FireEye researchers shared.
“The system was quickly identified as a SonicWall Email Security (ES) application running on a standard Windows Server 2012 installation. The adversary-installed web shell was being served through the HTTPS-enabled Apache Tomcat web server bundled with SonicWall ES. Due to the web shell being served in the application’s bundled web server, we immediately suspected the compromise was associated with the SonicWall ES application itself.”
An in-depth investigation revealed that the SonicWall ES installation was up-to-date and that the attackers tried to hide their presence by deleting application-level log entries.
They managed to upload malicious files (the BEHINDER web shell) to the host system and to retrieve sensitive configuration files from it, which contained details about existing accounts and the Active Directory credentials used by the application.
They used tools already present on the system to recover password hashes and LSA secrets, and to collect and compress daily archives of the emails processed by the solution.
A first bout of attacker activity was followed by a second one several days later, when they leveraged the obtained credentials to move laterally on the network, access a variety of other hosts and, essentially, perform reconnaissance. Fortunately, their activities were noticed and cut short, so their ultimate goal remains unknown.
Some of the actions the attackers carried out demonstrate their familiarity with the innards of the SonicWall Email Security solution and their skill at employing tactics to hide their presence from defenders.
Patches are available
The vulnerabilities affect SonicWall Email Security hardware appliances, virtual appliances and software installations on Microsoft Windows Server. The affected versions are listed in SonicWall’s security notice.
Patched versions are available for all except legacy versions that are no longer supported, and the company urges customers to upgrade immediately.