Someone is using SonicWall’s email security tool to hack customers

SonicWall announced three zero-day vulnerabilities in its email security solution. (SonicWall)

SonicWall’s email security solution is supposed to help protect customers from phishing attacks, business email compromise, ransomware and other email-related threats. However, it appears some attackers have been using previously unknown vulnerabilities in that very same product to break into victim networks.

Yesterday, the company announced three zero-day vulnerabilities found in SonicWall Email Security. They include a damaging bug that allows an unauthorized user to create administrative accounts on a network (CVE-2021-20021) and two others that allow an already-authenticated attacker to read (CVE-2021-20023) and upload (CVE-2021-20022) files on the victim’s remote host. Together they can be used to access and read a victim’s files or emails, plant malware and conduct other post-compromise activities.

SonicWall said the flaws were discovered during “standard collaboration and testing,” and there is evidence that at least one of them is being actively exploited by attackers. A report Mandiant issued the same day states that Mandiant first disclosed the vulnerabilities to SonicWall on March 26. Patches are now available for all three.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild,’” the company said on April 20. “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade” to patched versions.

According to a report from the Mandiant team at FireEye, which helped identify the vulnerabilities, an unnamed threat actor leveraged these zero-days, along with “intimate knowledge” of SonicWall’s application code, in March to plant a backdoor on a victim organization’s network, gain access to emails and files, and use that access as a foothold to move to other parts of the network. The threat intelligence firm found web shells on a fully patched, internet-connected installation of the email security solution, indicating post-exploitation…