Hackers go after SonicWall email appliances with three zero-days

A hacking group has used three zero-day vulnerabilities impacting SonicWall products to breach corporate networks and install backdoors, security firm FireEye said in a report on Tuesday.

The attacks were first discovered in March 2021 by FireEye analysts responding to a security incident at one of their customers.

The US security firm said the attacks used three previously unknown vulnerabilities —known as zero-days— to target SonicWall ES, an email security appliance that companies use in a cloud-hosted or on-premises format to scan email traffic for security threats.

UNC2682 abused three SonicWall zero-days to plant web shells

The attackers, which FireEye said it was tracking under a codename of UNC2682, used the three zero-days to bypass authentication (CVE-2021-20021), read sensitive files on the device (CVE-2021-20023), and modify local files or upload web shells which they could use as backdoors (CVE-2021-20022).

FireEye said the attackers used the three zero-days in different combinations to achieve their goals.

Standard UNC2682 attacks typically involved the hackers accessing a SonicWall ES appliance to create a new admin account or dump passwords for existing users.

The attackers also extracted files from the SonicWall ES devices that contained details about existing accounts, including Active Directory credentials used by the application to connect to the local network.

As a final step, the threat actors then uploaded a version of the BEHINDER JSP web shell in the appliance's built-in Tomcat Java web server, which they used to run commands on the underlying operating system, commands that allowed UNC2682 to collect additional details about the hacked company's internal network. FireEye explains:

We observed the adversary executing the reg save command to dump the HKLM\SAM, HKLM\SYSTEM, and HKLM\SECURITY registry hives, which contain vital information in recovering password hashes and LSA secrets. Additionally, the adversary obtained in-memory sensitive credentials through the use of built-in memory dumping techniques. The adversary was observed invoking the MiniDump export of the Windows DLL comsvcs.dll to dump both the process memory for lsass.exe and the running instance of Apache Tomcat.

FireEye said that the collected data was used after a few days for the attacker to attempt to move inside the victim's network.

SonicWall faces criticism for another botched response

SonicWall released patches for affected appliances last week on April 13.

At the time, the company did not release any information about the nature or severity of these issues, which drew criticism from device owners.

It was only on Tuesday, April 20, a full week later, that SonicWall finally came forward to reveal that the three bugs it patched a week earlier had been actively exploited in the wild, a small detail that many system administrators would have most likely wanted to know a week earlier in order to prioritize patching.

This is the second time this year that SonicWall has botched the response to zero-day vulnerabilities exploited in its products.

In late January 2021, the company previously disclosed that it was itself hacked using a zero-day in its Secure Mobile Access (SMA) gateways. A week later, security firm NCC Group detected threat actors exploiting a mysterious SonicWall zero-day in its SMA devices. At the time, SonicWall wasn't even able to tell if the two zero-days were the same, as pointed out by infosec podcast Risky Business.

Currently, SonicWall has advised all ES appliance owners that it is "imperative" to apply the latest patches.