Hackers Exploit Three 0-day Vulnerabilities in SonicWall ES

The manufacturer released fixes for vulnerabilities, but only announced them a week later.


Hackers exploit three zero-day vulnerabilities in the SonicWall product to hack corporate networks and install backdoors. The attacks were first discovered by the information security company FireEye in March 2021, when one of its clients turned to it for help in eliminating the consequences of a security incident.

According to FireEye, attackers exploited three previously unknown vulnerabilities in the SonicWall ES email security solution, which scans email traffic for cyber threats.

A cybercriminal group is behind the attacks, which FireEye experts assigned the identifier UNC2682. The hackers exploited an authentication bypass vulnerability ( CVE-2021-20021 ), were able to read files on the device ( CVE-2021-20023 ), and modified local files to install backdoor web shells ( CVE-2021-20022 ). The researchers explained that the attackers used these vulnerabilities in various combinations to achieve their goals.

The attack proceeds as follows: hackers gain access to SonicWall ES installations and create new administrator accounts or steal passwords of existing users. Attackers also extract account data files from SonicWall ES devices, including Active Directory credentials used by applications to connect to the local network.

In the final stage of the attack, the hackers download a version of the BEHINDER JSP web shell into the device's built-in Tomcat Java web server, which they then use to run commands on the operating system. These commands allow attackers to gather additional details about the attacked corporate network. According to the researchers, the hackers used the collected data to infiltrate the network, a few days after they were stolen.

SonicWall patched all three vulnerabilities on April 13, 2021, but did not provide any details about them at the time. It wasn't until April 20 that the company announced that they were already being used in real attacks.