Zero-Day exploited on SonicWall Email Security

In March 2021, Mandiant Managed Defense, an incident response unit of FireEye, identified three zero-day vulnerabilities in the SonicWall Email Security product that were being exploited in the wild to install backdoors, access emails and files, and move laterally within the victim's network.

A customer's internet-accessible system was found to have been compromised, identified through post-exploitation web shell activity. The unit isolated the compromised system to collect evidence and reconstruct the attack procedure.

The system was running the SonicWall Email Security (ES) application on a standard Windows Server 2012 installation. The customer confirmed that the SonicWall ES installation was the latest version available for download (10.0.9), and at the time there was no public information about vulnerabilities in, or exploitation of, that version.

SonicWall Email Security (ES), the product targeted by the zero-day attack, is an email solution that “provides comprehensive inbound and outbound protection, and defends against advanced email-borne threats such as ransomware, zero-day threats, spear phishing and business email compromise (BEC).” It can be deployed as a physical appliance, virtual appliance, software installation, or hosted SaaS solution.

The attackers targeted the latest version of the Email Security application running on Windows Server 2012. They first exploited CVE-2021-20021 to obtain administrative access to the SonicWall system, then used CVE-2021-20023 to obtain files containing information on existing accounts and Active Directory credentials, and finally used CVE-2021-20022 to deploy a web shell named BEHINDER.

CVEs

The vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVEs), are:

  1. CVE-2021-20021: A vulnerability that allows an attacker to create an administrator account by sending a crafted HTTP request to the targeted system. It is rated critical, with a CVSS base score of 9.8.

SonicWall Email Security has an authenticated control panel that lets an administrator authorize additional administrator accounts from a separate Microsoft Active Directory Organizational Unit (AD OU).

  2. CVE-2021-20022: A vulnerability that allows a post-authentication attacker to upload an arbitrary file to the remote host. It is rated high, with a CVSS base score of 7.2.

Like other enterprise products with a web-based user interface, SonicWall Email Security includes a feature called ‘branding’ that lets an administrator add or customize certain assets of the interface, such as company logos. Branding assets are managed as packages; a new package is created by uploading a ZIP archive containing custom text, image files and layout settings. Insufficient validation of the uploaded files lets an adversary place arbitrary files on the host, including executable code such as web shells.

  3. CVE-2021-20023: A vulnerability that allows a post-authentication attacker to read an arbitrary file on the remote host. It is rated medium, with a CVSS base score of 4.9.
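The branding-package weakness behind CVE-2021-20022 is a missing validation step on the uploaded ZIP. As an added example (not SonicWall's code), the check below shows what that validation should do before any entry is extracted: reject absolute paths, traversal components, anything that resolves outside the destination directory, and any file type that is not a legitimate branding asset. The allow-list and the destination directory are assumptions for illustration.

```python
import io
import os
import zipfile
from typing import Dict, Optional

# Assumed allow-list: custom text, image files and layout settings only.
ALLOWED_SUFFIXES = {".txt", ".html", ".css", ".png", ".jpg", ".gif", ".xml"}


def check_entry(name: str, dest_dir: str) -> Optional[str]:
    """Return None if the entry may be extracted under dest_dir, else a reason."""
    # ZIP names should use '/', but a Windows host also honours '\', so
    # normalise both forms before inspecting the path.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute path"
    if ".." in norm.split("/"):
        return "path traversal"
    # Final defence: the resolved target must stay inside dest_dir.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *norm.split("/")))
    if os.path.commonpath([dest, target]) != dest:
        return "escapes extraction directory"
    if not norm.endswith("/") and os.path.splitext(norm)[1].lower() not in ALLOWED_SUFFIXES:
        return "disallowed file type"
    return None


def validate_branding_package(zip_bytes: bytes, dest_dir: str) -> Dict[str, str]:
    """Map each rejected entry to its reason; an empty dict means safe to extract."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_entry(info.filename, dest_dir)
            if reason:
                rejected[info.filename] = reason
    return rejected


def build_sample_package() -> bytes:
    """Constructed sample: two legitimate assets plus three entries an unvalidated extractor would accept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logo.png", b"\x89PNG")
        zf.writestr("layout/theme.css", b"body{}")
        zf.writestr("../../outside.txt", b"")
        zf.writestr("C:/outside.txt", b"")
        zf.writestr("assets/page.jsp", b"")
    return buf.getvalue()
```

Run the validator over the whole archive first and discard the package if anything is rejected; extracting the good entries and skipping the bad ones still leaves a partially applied package on disk.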

The adversary chained the three exploits, using them interchangeably, to perform the following actions:

  1. Creation of a new Administrator account on the SonicWall ES device
  2. Exposure of the hashed passwords for existing, locally configured Administrative accounts
  3. Creation of a web shell in an arbitrary directory
  4. Real-time debugging of exploitation success and failure

Detecting the Techniques

FireEye published specific detections for the SonicWall exploitation and for the post-exploitation activity attributed to the adversary.

SonicWall has added Intrusion Prevention System (IPS) signatures to its firewalls to detect and block attacks that attempt to leverage these vulnerabilities.

The following signatures have already been applied to SonicWall firewalls with active security subscriptions:

  1. IPS Signature: 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability)
  2. IPS Signature: 1067 WEB-ATTACKS Web Application Directory Traversal Attack 7
  3. IPS Signature: 15509 WEB-ATTACKS Web Application Directory Traversal Attack 7 -c2

FireEye product signatures:

Product: FireEye Endpoint Security
Signatures:
  • RUNDLL32.EXE COMSVCS.DLL PROCESS MINIDUMP (METHODOLOGY)
  • SUSPICIOUS REGISTRY EXPORTS (METHODOLOGY)
  • WEB SERVER ECHO REDIRECT (METHODOLOGY)
  • WEB SERVER CMD.EXE TYPE RECON (METHODOLOGY)

Products: FireEye Network Security, FireEye Email Security, FireEye Detection On Demand, FireEye Malware File Scanning, FireEye Malware File Storage Scanning
Signatures:
  • FE_PUP_Exploit_Linux_ZipSlip_1
  • FE_Exploit_Win_ZipSlip_1
  • FE_Trojan_ZIP_Generic_1
  • FE_Webshell_JSP_BEHINDER_1
  • FEC_Webshell_JSP_BEHINDER_1
  • Webshell.JSP.BEHINDER
  • Webshell.JSP.BEHINDER.MVX

Product: FireEye Helix
Signatures:
  • METHODOLOGY – LFI [Null-Byte URI]
  • WMIEXEC UTILITY [Args]
  • WINDOWS METHODOLOGY [Unusual Web Server Child Process]
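Several of the endpoint detections above are methodology rules on process telemetry: a web server process spawning a shell, cmd.exe being used to read files with `type` or write them with an `echo` redirect, and rundll32.exe invoking the comsvcs.dll MiniDump export. As an added example (not FireEye's or SonicWall's code), the rules below express those four patterns over Sysmon-style process-creation events and run them against constructed sample telemetry; the web server image names, the install path and the sample command lines are assumptions, not data from the incident.

```python
import re
from typing import Dict, List

# Assumption: the ES web interface runs in a Java servlet container, so its
# process is java.exe or tomcat*.exe; extend the set for other hosts.
WEB_SERVER_IMAGES = {"java.exe", "tomcat8.exe", "tomcat9.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "rundll32.exe", "whoami.exe", "net.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the detection names matched by one process-creation event
    (fields modelled on Sysmon Event ID 1: Image, ParentImage, CommandLine)."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        hits.append("Unusual Web Server Child Process")
        # Web shells typically read files or write output through cmd.exe builtins.
        if image == "cmd.exe" and re.search(r"\btype\b", cmd):
            hits.append("Web Server cmd.exe Type Recon")
        if image == "cmd.exe" and re.search(r"\becho\b[^>]*>", cmd):
            hits.append("Web Server Echo Redirect")
    # Process memory dumping via the comsvcs.dll MiniDump export.
    if image == "rundll32.exe" and "comsvcs" in cmd and "minidump" in cmd:
        hits.append("rundll32 comsvcs.dll Process MiniDump")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


# Constructed sample telemetry (placeholder paths, not real logs from the incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\ES_INSTALL_DIR\java.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "java.exe -jar es.jar"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\ES_INSTALL_DIR\java.exe",
     "CommandLine": r"cmd.exe /c type C:\ES_INSTALL_DIR\conf\settings.xml"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\ES_INSTALL_DIR\java.exe",
     "CommandLine": r"cmd.exe /c echo probe > C:\Windows\Temp\out.txt"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\p.dmp full"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]
```

On a production host, feed `detect` from the Sysmon or EDR process-creation stream and alert on any event whose first hit is the web server child-process rule, since that alone is already abnormal for an email security appliance.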

Remediation by SonicWall

SonicWall stated that the vulnerabilities affected Email Security for Windows, the hardware appliances and the ESXi virtual appliances; the hosted Email Security service was also affected but was patched automatically. The vendor released IPS signatures to detect and block attack attempts.

SonicWall first released a security advisory for two of the exploited vulnerabilities, and only published a public security notice warning of exploitation attempts when the advisory for the third flaw was released as well.

Word of the patches reached customers through a tweet from researcher Kevin Beaumont urging them to update; it appeared that SonicWall itself had not reached out to its customers to inform them about the patches.

There is no exact remediation against a zero-day attack: by definition, no patch or antivirus signature yet exists for the exploit, which makes it difficult to detect. There are, however, common practices that prepare an organization and reduce the effectiveness of such threats:

  1. Regularly update internet-facing infrastructure.
  2. Secure email gateways, servers, and networks.
  3. Enforce the principle of least privilege.
  4. Practice regular cybersecurity hygiene.
  5. Employ multilayered security defenses.