Specialists fixed three 0-day vulnerabilities in SonicWall ES
FireEye experts warned that hackers are using three 0-day vulnerabilities in SonicWall products to break into corporate networks and install backdoors. These attacks were discovered in March 2021.
The issues affect SonicWall Email Security (SonicWall ES), an email security solution that companies use in the cloud or on-premises to scan email traffic.
The following identifiers were assigned to the vulnerabilities: CVE-2021-20021 (CVSS 9.4, authentication bypass allowing creation of an administrator account), CVE-2021-20023 (CVSS 6.7, arbitrary local file read) and CVE-2021-20022 (CVSS 6.7, arbitrary local file modification, used to upload backdoor web shells).
FireEye tracks the hack group behind these attacks under the codename UNC2682. The attackers are known to have exploited the three vulnerabilities in various combinations. Typically, their attacks were aimed at gaining access to the SonicWall ES device in order to create a new administrator account or steal the passwords of existing users.
Attackers also extracted files from SonicWall ES devices that contained detailed information about existing accounts, including Active Directory credentials.
Finally, the attackers placed a variant of the BEHINDER JSP web shell on the embedded Apache Tomcat Java web server and used it to execute commands on the underlying OS. This allowed UNC2682 to collect additional information about the company’s internal network.
“We watched as attackers executed the reg save command to dump from the HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY registries, which contain important information for recovering password hashes and LSA secrets. Additionally, attackers collected sensitive credentials from memory using built-in memory dump techniques. In particular, it was noticed that the attackers caused the MiniDump export of the Windows DLL comsvcs.dll to dump both the process memory for lsass.exe and the running Apache Tomcat,” the researchers say.
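The credential-dumping behaviour described above (reg save of the SAM/SYSTEM/SECURITY hives and the comsvcs.dll MiniDump export, both launched from the web server's process tree) is straightforward to hunt for in process-creation telemetry. The following detector is an added example, not code from FireEye or SonicWall; the event format and the sample events are constructed for illustration, and the field names (host, user, parent, cmdline) are assumed.

```python
import re

# Constructed process-creation events (Windows 4688 / Sysmon event 1 style).
# These are NOT real telemetry from the SonicWall ES incident.
SAMPLE_EVENTS = [
    {"host": "es-appliance01", "user": r"NT AUTHORITY\SYSTEM", "parent": "cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "es-appliance01", "user": r"NT AUTHORITY\SYSTEM", "parent": "tomcat.exe",
     "cmdline": r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"host": "es-appliance01", "user": r"NT AUTHORITY\SYSTEM", "parent": "cmd.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Windows\Temp\out.dmp full"},
    {"host": "es-appliance01", "user": r"ES\svc_backup", "parent": "explorer.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},   # benign
    {"host": "es-appliance01", "user": r"ES\admin", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},                   # benign
]

# reg / reg.exe save of a credential-bearing hive (the three hives named in the report).
REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+(?P<hive>hklm\\(?:sam|system|security))\b", re.I)
# comsvcs.dll MiniDump export, invoked by name or by its ordinal (#24) to evade naive string matches.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(?:\.dll)?\s*,?\s*(?:#24|minidump)\b", re.I)
# Parents that should never be spawning credential-dumping tools on an email gateway.
WEB_SERVER_PARENTS = {"tomcat.exe", "tomcat9.exe", "java.exe", "httpd.exe", "w3wp.exe"}


def classify(event):
    """Return the list of (rule, detail) pairs that fire on a single event."""
    hits = []
    cmd = event["cmdline"]
    m = REG_SAVE.search(cmd)
    if m:
        hits.append(("reg_save_sensitive_hive", m.group("hive").upper()))
    if COMSVCS_MINIDUMP.search(cmd):
        hits.append(("comsvcs_minidump", "comsvcs.dll MiniDump export invoked"))
    # Escalate when a web server process is the parent: that is the web-shell pattern.
    if hits and event["parent"].lower() in WEB_SERVER_PARENTS:
        hits.append(("web_server_parent", f"spawned by {event['parent']}"))
    return hits


def scan(events):
    """Flatten all detections across a batch of events into (host, cmdline, hit) tuples."""
    return [(e["host"], e["cmdline"], hit) for e in events for hit in classify(e)]


if __name__ == "__main__":
    for host, cmdline, (rule, detail) in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail} :: {cmdline}")
```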
Although SonicWall released fixes for the vulnerable devices last week, it was not until April 20, 2021, a week later, that the company announced that these problems were already being exploited in the wild. Because of this, security experts have once again criticized SonicWall, saying that the company does not respond properly to vulnerabilities and does not publish information in a timely manner, which prevents system administrators from prioritizing patching.
Let me remind you that I also wrote that FireEye claims that two hack groups use the 0-day vulnerability in Pulse Secure VPN to attack the networks of US Department of Defense contractors and government organizations around the world.