Hackers exploit SonicWall email software in a banner week for zero-day flaws

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application," Mandiant said.
email implant, phishing, spearphishing
(Getty Images)

It’s only Wednesday, and it’s already been a banner week for previously unknown exploits in popular security software.

Unidentified hackers have exploited three “zero-day,” or newly discovered, vulnerabilities in email software made by SonicWall to access an unnamed victim organization’s network, according to Mandiant, the incident response unit of security firm FireEye.

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” Mandiant said in a blog on Tuesday evening. Security fixes are available for the flaws, and SonicWall urged customers to apply them.

The news came after Mandiant revealed on Tuesday that suspected Chinese hackers had used bugs in another popular enterprise software made by Pulse Secure to break into government and defense-sector networks. Those breaches followed separate intrusion campaigns allegedly carried out by Russian and Chinese hackers exploiting software made by SolarWinds and Microsoft, respectively.


Silicon Valley-based SonicWall provides internet security products to corporate and government clients alike. The software exploited in this case is meant to guard against ransomware and zero-day threats, according to the firm’s website.

Mandiant analysts aren’t sure who is behind the hacking, but whoever it is seems to be deeply familiar with how the SonicWall software works. The attacker knew where log files generated by the software were located and how to delete them, according to Mandiant. They also appeared to be manually typing commands in a likely effort to avoid setting off security alarms at the organization. Mandiant said it kicked the hackers off the network, so their ultimate objective is a mystery.

Josh Fleischer, principal security analyst at Mandiant, said that “less than five organizations” had been targeted in the activity described in the blog. But more breaches could be out there, he said. “We anticipate multiple organizations are already compromised, with potentially more to follow in the patching dwell time.”

It’s the second big security incident that SonicWall has disclosed this year. The firm said in January that hackers had abused a SonicWall mobile networking product to access its corporate network. It was unclear who was behind that activity. 

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts