A suspected Chinese-linked campaign maintains long-term persistence by running malware on unpatched SonicWall SMA 100 Series appliances; the malware can steal user credentials, provide shell access, and persist through firmware upgrades.
The SonicWall SMA100 series is a popular edge network access control system, available as a standalone hardware appliance, a virtual machine, or a hosted cloud instance. These appliances were widely deployed during the pandemic as organizations moved to a work-from-home model and migrated to the cloud.
Researchers from Mandiant said they discovered the campaign while working with SonicWall's Product Security and Incident Response Team (PSIRT). They track the threat actor as UNC4540.
The origin of the infection cannot be determined, but the malware or a predecessor of it was likely deployed in 2021, and the attacker's access is strongly believed to have persisted through multiple firmware updates.
The activity is attributed to China because it is consistent with other attacks in recent years on internet-facing network appliances. Over that period, Chinese attackers have deployed multiple zero-days to obtain full enterprise intrusion, and the researchers expect this to continue at least for the near term.
SonicWall urges SMA 100 Series customers to upgrade to 10.2.1.7 or higher for additional hardening and security controls. Security teams must follow the advisory and apply the fix as soon as possible to remain safe.
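As an added check, not from the article or from SonicWall, the following reviews an appliance inventory and flags every unit whose firmware is below the 10.2.1.7 floor named in the advisory; the inventory format, hostnames and version strings are constructed samples.

```python
import re
from typing import List, Tuple

# Minimum fixed firmware named in SonicWall's advisory (from the article).
MIN_PATCHED_VERSION = "10.2.1.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a firmware string such as '10.2.1.7-42sv' into a comparable tuple.

    Only the leading dotted numeric components count; a build suffix after
    '-' is ignored. Missing components compare as zero, so '10.2.1' equals
    '10.2.1.0'. Anything else is rejected rather than silently accepted.
    """
    core = version.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable firmware version: {version!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True if the appliance firmware is at or above the advisory's fix."""
    return parse_version(version) >= parse_version(minimum)


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames below the minimum. Unparseable versions are also
    returned: an unknown version must never be treated as safe."""
    flagged = []
    for host, version in inventory:
        try:
            if not is_patched(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("sma-hq-01", "10.2.1.7-42sv"),
    ("sma-hq-02", "10.2.1.5-34sv"),
    ("sma-branch-01", "10.2.0.9"),
    ("sma-lab-01", "10.2.1.8"),
    ("sma-old-01", "9.0.0.11"),
    ("sma-dc-01", "unknown"),
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: below {MIN_PATCHED_VERSION}, upgrade required")
```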
Analysis of a compromised device revealed a collection of files that gives attackers highly privileged, readily available access to the appliance. The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence.
Indicators of Compromise