Web Scanning Sonicwall for CVE-2021-20016
A post initially published in January 2022 described "probable zero-day vulnerabilities"[1] being exploited in SonicWall products, but looking back at what has been submitted to ISC over the past year, this past week was the first time we have received reports of scanning for it. The activity occurred on 23 April 2025 between 18:00 and 19:00 UTC, and since then, based on activity reported to DShield (see graphs below), it has been happening almost daily:
The DShield sensors captured a significant probe for 3 URLs associated with this vulnerability [2] from IPs 45.227.255.93 and 141.98.80.125. The 3 URLs are as follows:
A review of the data submitted to DShield shows this activity for the first time on 22 April 2023.
Paths scanned:
/__api__/v1/config/domains [3]
/__api__/v1/logon [4]
Indicators:
45.227.255.89
45.227.255.93
141.98.80.125
141.98.80.146
[1] https://es-la.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited
[2] https://cow-prod-www-v3.azurewebsites.net/publications/security-advisories/2021-006/pdf
[3] https://isc.sans.edu/weblogs/urlhistory.html?url=L19fYXBpX18vdjEvY29uZmlnL2RvbWFpbnM=
[4] https://isc.sans.edu/weblogs/urlhistory.html?url=L19fYXBpX18vdjEvbG9nb24=
-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
More Scans for SMS Gateways and APIs
Last week, I wrote about scans for Teltonika Networks SMS Gateways. Attackers are always looking for cheap (free) ways to send SMS messages and gain access to not-blocklisted numbers. So, I took a closer look at similar scans we have seen.
There are numerous ways to send SMS messages; using a hardware SMS gateway is probably one of the fancier ways to do so. Most websites use messaging services instead. For example, we do see scans for SMS plugins for WordPress:
These scans look for style sheet files (.css) that are part of the respective plugins. It is fair to assume that if the respective style sheet is present, the attacker will attempt to obtain access to the site:
/wp-content/plugins/sms-alert/css/admin.css
/wp-content/plugins/mediaburst-email-to-sms/css/clockwork.css
/wp-content/plugins/verification-sms-targetsms/css/targetvr-style.css
/wp-content/plugins/wp-sms/assets/css/admin-bar.css
/wp-content/plugins/textme-sms-integration/css/textme.css
We also got a few odd, maybe broken, scans like:
/api/v1/livechat/sms-incoming/%%target%%/wp-content/themes/twentytwentyone/assets/css/print.css
/api/v1/livechat/sms-incoming/%%target%%/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js
The "%%target%%" part was likely supposed to be replaced with a directory name.
And we have scans for some configuration files that may contain credentials for SMS services like:
/twilio/.config/bin/aws/lib/.env
/twilio-labs/configure-env
/twillio_creds.php
/twilio/.secrets
/sms_config.json
/sms/actuator/env
/sms/env
And many similar URLs.
Scans also look for likely API endpoints used to send SMS messages. I am not sure if they are associated with a particular product or software:
/sms/api/
/api/v1/livechat/sms-incoming/twilio
/sms.py
/Sms_Bomber.exe
SMS_bomber.exe is a script designed to send mass SMS messages [1]. The scans may attempt to identify copies left behind by other attackers.
SMS_bomber also suggests the use of a proxy, and we have some scans that are looking for proxies to find websites used to send SMS:
https://sms-activate.org
Not properly securing SMS gateways or credentials used to connect to SMS services could result in significant costs if an attacker abuses the service. It may also make the phone number unusable, as telecom providers and end users will block it. This may also result in reputational damage, and you will likely have to use a different phone number after it has been abused.
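As an added example, not code from either diary nor from ISC or DShield, the following Python script runs the scan patterns from both diaries over web-server access-log lines on the defender's side: it flags requests for the SonicWall SMA API paths and requests from the indicator IPs listed in the first diary, and requests for the WordPress SMS-plugin style sheets, SMS credential files and SMS API endpoints listed in the second. The exact paths and IPs are taken from the diaries; the heuristic for the "many similar URLs" the diary mentions, the Apache/nginx combined log format, and the sample log lines are my own assumptions and constructed data.

```python
"""Added example (not from either ISC diary): flag access-log requests that match
the scan patterns described above and requests from the listed indicator IPs.
Paths and IPs come from the diaries; the sample log lines are constructed and
the log format assumed is Apache/nginx "combined"."""
import re
from collections import Counter

# Source IPs listed as indicators in the SonicWall diary.
INDICATOR_IPS = {"45.227.255.89", "45.227.255.93", "141.98.80.125", "141.98.80.146"}

# Exact paths from the two diaries, grouped by what the probe is after.
PATH_CATEGORIES = {
    "sonicwall_sma_api": {"/__api__/v1/config/domains", "/__api__/v1/logon"},
    "wp_sms_plugin_css": {
        "/wp-content/plugins/sms-alert/css/admin.css",
        "/wp-content/plugins/mediaburst-email-to-sms/css/clockwork.css",
        "/wp-content/plugins/verification-sms-targetsms/css/targetvr-style.css",
        "/wp-content/plugins/wp-sms/assets/css/admin-bar.css",
        "/wp-content/plugins/textme-sms-integration/css/textme.css",
    },
    "sms_credential_file": {
        "/twilio/.config/bin/aws/lib/.env", "/twilio-labs/configure-env",
        "/twillio_creds.php", "/twilio/.secrets", "/sms_config.json",
        "/sms/actuator/env", "/sms/env",
    },
    "sms_api_endpoint": {
        "/sms/api/", "/api/v1/livechat/sms-incoming/twilio", "/sms.py", "/Sms_Bomber.exe",
    },
}

# Heuristics (my generalisation) for the "many similar URLs" the diary mentions:
# a path segment named twilio/twillio/sms... combined with an env/secret/config token,
# or anything under the livechat sms-incoming prefix seen in the broken %%target%% scans.
SMS_DIR_RE = re.compile(r"(?:^|/)(?:twil+io|sms)(?:[-_][\w.]*)?(?:/|$)", re.I)
SECRET_TOKEN_RE = re.compile(r"\.env|\.secrets|/env|creds|config|secret", re.I)
LIVECHAT_RE = re.compile(r"^/api/v1/livechat/sms-incoming/", re.I)

# Apache/nginx combined log: ip - - [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_path(path: str):
    """Return the scan category a requested path belongs to, or None if it matches nothing."""
    path = path.split("?", 1)[0]  # the probe is the path itself; drop any query string
    for category, paths in PATH_CATEGORIES.items():
        if path in paths:
            return category
    if LIVECHAT_RE.search(path):
        return "sms_api_endpoint"
    if SMS_DIR_RE.search(path) and SECRET_TOKEN_RE.search(path):
        return "sms_credential_file"
    return None


def scan_log(lines):
    """Return one finding dict per request that hits a scan path or comes from an indicator IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, path, status = m["ip"], m["path"], int(m["status"])
        category = classify_path(path)
        known_ip = ip in INDICATOR_IPS
        if category is None and not known_ip:
            continue
        findings.append({
            "ip": ip,
            "path": path,
            "status": status,
            "category": category or "request_from_indicator_ip",
            "indicator_ip": known_ip,
            # A 200 on a plugin style sheet or credential file means the probe found its target.
            "probe_succeeded": category is not None and status == 200,
        })
    return findings


def summarize(findings):
    """Count findings per category, e.g. for a daily report."""
    return Counter(f["category"] for f in findings)


# Constructed sample lines (not real traffic); non-indicator IPs are RFC 5737 test addresses.
SAMPLE_LOG = [
    '45.227.255.93 - - [23/Apr/2025:18:12:07 +0000] "GET /__api__/v1/logon HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2025:18:13:41 +0000] "GET /wp-content/plugins/wp-sms/assets/css/admin-bar.css HTTP/1.1" 200 1203 "-" "python-requests/2.31"',
    '198.51.100.23 - - [23/Apr/2025:18:14:02 +0000] "GET /twilio/.secrets HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '198.51.100.23 - - [23/Apr/2025:18:14:03 +0000] "GET /api/v1/livechat/sms-incoming/%%target%%/wp-content/themes/twentytwentyone/assets/css/print.css HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '192.0.2.10 - - [23/Apr/2025:18:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '141.98.80.146 - - [23/Apr/2025:18:16:30 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Apr/2025:18:17:11 +0000] "GET /sms/config/secrets.env HTTP/1.1" 403 199 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["status"]} {h["category"]:28} {h["path"]}')
    print(dict(summarize(hits)))
```

Running the script directly prints one line per finding and a per-category count. The "probe_succeeded" flag is the one worth alerting on: a 200 for a plugin style sheet tells you the plugin is installed and that the same source is likely to move on to the plugin's own endpoints, and a 200 for a credential file path means the file was served and the credentials in it should be treated as exposed.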
[1] https://github.com/iAditya-Nanda/SMS_Bomber
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu