Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
On April 20th, 2021, security services firm FireEye released a report on three actively exploited zero-day vulnerabilities impacting SonicWall’s Email Security (ES) product. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023.
At least one incident involving these vulnerabilities was identified in March 2021. Unidentified threat actors exploited the vulnerabilities to gain administrator access and execute code on SonicWall ES devices.
As threat actors are actively exploiting these vulnerabilities in the wild, organizations are strongly recommended to apply the available hotfixes as soon as possible.
What we’re doing about it
What you should do about it
All vulnerabilities listed impact SonicWall Email Security version 10.0.9.x.
CVE-2021-20021 (CVSS: 9.4): Unauthorized administrative account creation vulnerability
CVE-2021-20022 (CVSS: 6.7): Post-authentication arbitrary file upload vulnerability
CVE-2021-20023 (CVSS: 6.7): Post-authentication arbitrary file read vulnerability
Based on the public report, these vulnerabilities were exploited in at least one real-world attack. The zero-day exploits were used by an adversary to create new administrator accounts, identify hashed passwords for existing admin accounts, create a webshell in an arbitrary directory, and perform real-time debugging. In this attack, the BEHINDER webshell was deployed to compromised assets.
It is currently unclear what the adversaries’ primary goals are and how widespread exploitation of these vulnerabilities is. For more details on the known attack, see the full FireEye report.