Threat Actors Exploiting 3 SonicWall Email Security Vulnerabilities

April 21, 2021 - Entities using SonicWall Hosted Email Security (HES) are being urged to prioritize the patching of three zero-day vulnerabilities within the software, which researchers have observed being exploited in the wild.

The SonicWall HES platform can be deployed on-prem, virtually, as software, or a host SaaS. It provides both inbound and outbound security protection, as well as defense against email-borne threats.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is also urging entities to apply the mitigation steps.

The flaws were disclosed as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023. FireEye's Mandiant shed light on the active campaign targeting these flaws in a recent report, which the security firm researchers first observed and disclosed to SonicWall in March.

One is a pre-authentication administrative account creation flaw, caused by an improperly secured API endpoint that would enable an attacker to potentially create an admin account by sending a tailored HTTP request to the remote host.

READ MORE: 50% Phishing Emails Seek Credential Theft, as Malware Delivery Declines

The second would allow a post-authenticated hacker to upload an arbitrary file to the remote host through a “branding” feature. Due to the lack of file validation, an adversary could leverage the feature to upload arbitrary files, including executable code like web shells.

Mandiant researchers stressed that the branding feature is not unique to SonicWall. Thus, the flaw may exist within the code libraries of other email security platforms.

The last flaw also exists within the branding feature. The traversal vulnerability would enable a post-authenticated attacker to potentially read an arbitrary file from the remote host.

Mandiant discovered the flaws after identifying post-exploitation web shell activity on an internet-accessible system within a customer’s environment. After isolating the system, evidence was collected to determine the point of compromise and found to be a SonicWall ES application running on Windows Server 2012.

The malicious web shell was being served through the HTTPS-enabled Apache Tomcat web server, bundled with the SonicWall platform, further evidence that the compromise was tied to the application, researchers explained.

READ MORE: Emotet Malware Returns with 100K Daily Emails, New Evasion Tactics

Upon contacting SonicWall, Mandiant determined the affected customer was operating with the latest version of the platform with no publicly known information tied to the exploited flaws or the in-the-wild exploitation.

Leveraging endpoint telemetry data, the team found “post-exploitation activity aimed at destroying evidence on the system, executed in the context of the web shell. The adversary executed the following command, shortly after installing the web shell.”

“These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device,” researchers explained. 

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” they added.

The malicious command deleted the most recent log entries from the application. Researchers explained that this move may provide evidence that the attacker had intimate knowledge of the application's function.

READ MORE: Best Practice Cybersecurity to Prevent Business Email Compromise

Further examination of the exploit determined the adversary interchangeably combined all three of the exploits. The attack led to the actor creating a new admin account on the SonicWall ES device and the exposure of hashed passwords for existing, locally configured admin accounts.

The exploit also led to the creation of a web shell in an arbitrary directory, as well as real-time debugging of the exploitation success and failure.

As the researchers continued to monitor the device, the adversary returned to the victim’s system “presumably after working to recover passwords from the registry hives and process memory that was dumped earlier.”

“At the time of activity, the victim organization was using the same local administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account — highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” researchers noted.

“We observed the adversary leveraging Impacket’s publicly available WMIEXEC.PY tool to access several internal hosts, which enabled remote command execution over Microsoft's DCOM protocol via Windows Management Instrumentation,” they added. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

The flaws exist in both its hosted and on-premise email security products versions 10.0.1 to 10.0.3. Versions 7.0.0 through 9.2.2 are also affected by the vulnerabilities but are in the end-of-life stage and no longer supported by SonicWall.

Those entities still leveraging legacy product versions with an active support license can download the latest versions from their account, while those without a license were encouraged to contact the vendor.

The SonicWall disclosure includes step-by-step mitigation for immediate remediation of the flaws.

Meanwhile, Mandiant recommends the monitoring of certain telemetry indicators to find potential indicators of compromise, including child processes of the web server process “tomcat” and the creation or existence of web shells of servers that host the impacted platform.

Further, administrators should review SonicWall-related internal configuration files and logs to find possible, past adversary activity.