UNC2682 behind the Zero-day Exploit on SonicWall
UNC2682 behind the Zero-day Exploit on SonicWall
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
UNC2682 is using 3 formerly unknown vulnerabilities of the SonicWall Email services to get authenticated access(CVE-2021-20021), read files (CVE-2021-20022), and modify file(CVE-2021-20023). A Behinder Webshell is planted in the already existing Tomcat Java web server to gain additional information about the Network. These Vulnerabilities can move laterally infecting the whole organization. However, these vulnerabilities can be used in various ways to accomplish targets.
Sonic wall has released patches for all 3 vulnerabilities and applied the following IPS Signatures in all their active subscriptions:
• IPS Signature: 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability)
• IPS Signature: 1067 WEB-ATTACKS Web Application Directory Traversal Attack 7
• IPS Signature: 15509 WEB-ATTACKS Web Application Directory Traversal Attack 7 -c2
Vulnerability Details
Patch Links
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010
References
- https://thehackernews.com/2021/04/3-zero-day-exploits-hit-sonicwall.html
- https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/
- https://www.scmagazine.com/home/email-security/someone-is-using-sonicwalls-email-security-tool-to-hack-customers/
- https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
- https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-patch-3-zero-days-exploited-in-the-wild/