Threat Actors Exploit SonicWall Email Security Vulnerabilities

Threat Overview

On Tuesday, April 20, 2021, California-based network services firm SonicWall reported that they have “verified, tested and published patches to mitigate three zero-day vulnerabilities to its hosted and on-premises email security products.” The CVEs involved are: 

  • CVE-2021-20021 – Allows unauthorized users to potentially create administrative accounts on a network by sending a crafted HTTP request to the remote host. 
  • CVE-2021-20022 – Allows a post-authenticated threat actor to potentially upload malicious files in arbitrary locations on a network. 
  • CVE-2021-20023 – Allows a post-authenticated threat actor to potentially retrieve and read files on a network. 

These previously undisclosed vulnerabilities were first identified by Mandiant Managed Defense in March 2021. According to FireEye’s threat research report, the threat actor used a combination of all three vulnerabilities to “obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.” 

SonicWall has confirmed that at least one of the vulnerabilities has been exploited ‘in the wild’, meaning it is actively being used by threat actors for malicious purposes. Customers using the SonicWall Email Security (ES) software installation on Microsoft Windows Server, or the hardware and virtual appliances, have been urged to upgrade immediately to one of the versions listed below: 

  • If using Email Security (ES) 10.0.4 – Present, Email Security 10.0.3, Email Security 10.0.2, or Email Security 10.0.1, upgrade to Email Security 10.0.9.6173 (Windows)
  • If using Email Security (ES) 10.0.4 – Present, Email Security 10.0.3, Email Security 10.0.2, or Email Security 10.0.1, upgrade to Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance)
  • If using Hosted Email Security (HES) 10.0.4 – Present, Hosted Email Security 10.0.3, Hosted Email Security 10.0.2, Hosted Email Security 10.0.1, upgrade to Hosted Email Security 10.0.9.6173 (Patched Automatically)

Currently, Mandiant is tracking this activity as UNC2682. For instructions on how to apply the updates, see SonicWall’s Knowledge Base article.  

Note: SonicWall Email Security versions 7.0.0 – 9.2.2 are also impacted. However, these legacy versions have reached end of life (EOL) and are no longer supported. 
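As an added example (not code from the advisory, SonicWall or Mandiant), a small Python triage helper that classifies an inventory of Email Security installs against the version ranges stated above: the affected 10.0.1 – 10.0.4+ range, the per-platform patched builds, and the unsupported 7.0.0 – 9.2.2 range. The platform labels and the sample inventory are assumptions constructed for the example.

```python
from typing import Dict, List

# Upgrade targets stated in the advisory, keyed by an assumed platform label.
PATCHED = {
    "windows": "10.0.9.6173",    # Email Security software install on Windows
    "appliance": "10.0.9.6177",  # hardware & ESXi virtual appliance
    "hosted": "10.0.9.6173",     # Hosted Email Security, patched by SonicWall
}
EOL_LOW, EOL_HIGH = (7, 0, 0), (9, 2, 2)   # legacy, unsupported range
AFFECTED_LOW = (10, 0, 1)                   # 10.0.1 up to the patched build

def parse_version(v: str) -> tuple:
    """Turn '10.0.4' or '10.0.9.6173' into a comparable integer tuple."""
    return tuple(int(p) for p in v.strip().split("."))

def assess(version: str, platform: str) -> Dict[str, str]:
    """Classify one install; platform is 'windows', 'appliance' or 'hosted'."""
    ver = parse_version(version)
    target = PATCHED[platform]
    if EOL_LOW <= ver <= EOL_HIGH:
        return {"status": "eol", "action": "no patch available; replace"}
    if ver >= parse_version(target):
        return {"status": "patched", "action": "none"}
    if ver >= AFFECTED_LOW:
        return {"status": "vulnerable", "action": f"upgrade to {target}"}
    # Versions the advisory does not list (e.g. 9.3.x, 10.0.0): check by hand.
    return {"status": "unknown", "action": "verify against vendor advisory"}

def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so the vulnerable ones can be patched first."""
    groups: Dict[str, List[str]] = {}
    for host in inventory:
        result = assess(host["version"], host["platform"])
        groups.setdefault(result["status"], []).append(host["name"])
    return groups

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "es-win-01", "version": "10.0.4", "platform": "windows"},
    {"name": "es-esx-02", "version": "10.0.9.6173", "platform": "appliance"},
    {"name": "es-win-03", "version": "10.0.9.6173", "platform": "windows"},
    {"name": "es-old-04", "version": "9.2.2", "platform": "appliance"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

Note that an appliance on 10.0.9.6173 is still flagged as vulnerable because the appliance fix is 10.0.9.6177.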

What Does This Mean to Our Partners? 

While the threat actors exploiting these vulnerabilities were discovered and isolated by Mandiant, they had already succeeded in compromising one customer’s environment by deploying web shells on an internet-accessible system. Because the attack was interrupted, the threat actors’ objectives remain unknown. Had it gone unnoticed, though, they could have accessed and read the victim’s files and emails, deployed malware, conducted further reconnaissance, and moved laterally to pivot deeper into the victim’s systems.  

The SonicWall Email Security line of products is designed to help customers protect their inbound and outbound email from phishing attacks, ransomware, business email compromise (BEC) and other email-related threats. That a tool built for this purpose could itself be used to gain a foothold in targeted networks is a sobering reminder that consistent threat hunting and real-time response are needed to protect your environments from evolving attack tactics such as this one.  

How to Protect Yourself and Your Clients 

Enhance your security stack with Blackpoint Cyber’s ability to deliver real-time threat alerts and immediate response. Our experienced Managed Detection & Response (MDR) team responds 24/7/365 to critical threats by isolating infected devices and terminating malicious software, immediately helping to eradicate a malicious actor’s foothold in your network. Further, our patented SNAP-Defense Security Operations & Incident Response platform allows us to detect lateral movement in its earliest stages and then neutralize threats before they have a chance to spread.  

Don’t wait to get on the defense. Contact us today to protect your business and your clients. 

Get More Information 

BlackPoint Cyber