The technique used in the attack on SonicWall devices is consistent with earlier attacks from a Chinese campaign.

A persistent malware targeting unpatched SonicWall Secure Mobile Access (SMA) appliances has been linked to a Chinese campaign dating back to 2021, according to Mandiant research done in partnership with SonicWall's in-house research team. The responsible malware, dubbed UNC4540, has been found to be stealing user credentials, providing shell access, and persisting through firmware upgrades.

"This is not a new vulnerability, so a patch was not published," a Mandiant spokesperson said. "The findings are based on the analysis of an extremely limited number of unpatched SMA 100 series appliances from the 2021 timeframe." SonicWall did, however, issue the SMA 100 firmware 10.2.1.17 update last week as a maintenance release, the spokesperson added.

The SMA series is a line of on-premises security appliances developed and manufactured by SonicWall that are designed to provide remote access to corporate networks, cloud applications, and other resources for employees, contractors, and partners.

Attacks are consistent with earlier Chinese hacks

Mandiant has identified a pattern of Chinese attackers using numerous zero-day exploits and malware to gain full access to enterprise systems through various internet-facing network appliances, and the SonicWall SMA appliance attack is part of this trend. The techniques used were found to be consistent with multiple security incidents in April 2021 involving compromises of Pulse Secure VPN appliances through authentication bypass.

Earlier, in March 2021, Mandiant Managed Defense had also discovered three zero-day vulnerabilities being actively exploited in SonicWall's Email Security product, indicating a persistent malicious presence in SonicWall's systems.

Usually, vendors do not allow users direct access to the operating system or the file system.
Instead, they provide administrators with a graphical user interface or a restricted command line interface that prevents accidental damage to the system. Due to this restricted access, Chinese attackers are putting significant resources and effort into creating exploits and malware for managed devices, according to a Mandiant blog post.

Malware module primarily steals credentials

The main malware entry point is a bash script named "firewalld", which essentially executes an SQL command to accomplish credential stealing, along with the execution of a few other components. firewalld is used to initiate the TinyShell backdoor, a remote access hack through a PHP script, which then allows the attackers to run arbitrary SQL commands and perform various malicious activities.

A TinyShell backdoor is typically installed by exploiting vulnerabilities in web applications or by using brute-force attacks to guess weak passwords for login pages. Once the attacker gains access to the web server, they can upload the TinyShell script and execute it to gain remote access.

The primary purpose of the malware was found to be stealing hashed credentials from all logged-in users by executing the SQL command "select userName, password from Sessions." This command targets the session information with hashed credentials in the source database maintained by the unpatched appliance.

Module designed for persistence and stability

The attackers have primarily focused on the stability and persistence of their tooling, allowing their access to the network to persist through firmware updates and maintaining a network foothold through the SonicWall device.

Used as the entry point and for persistence in this attack, firewalld is a startup script run at boot time that is designed to manage the firewall rules and provides a user-friendly interface for configuring and managing network traffic.
Additionally, a modified firewalld copy, "iptabled", was found on the affected device to provide persistence for the main malware process in case of exit or crash. "The two scripts were configured to call the other if it was not running, providing a backup instance of the main malware process and therefore an additional layer of resilience," said the blog post.

The attackers also have a process in place for their access to persist through firmware updates. They use another bash script, geoBotnetd, that frequently checks for firmware updates, to unzip the update and load the malware package upon every detection. "These firmware manipulations only occurred post-exploitation on an already infected device and were not seen used in a supply chain attack," added the post.

Defense includes timely patching and management

SonicWall has indicated that maintaining proper patch management is paramount for mitigating the risk of vulnerability exploitation. It is advising customers who use the SMA100 to update their software to version 10.2.1.7 or later. This updated version includes improvements to strengthen the software, such as the addition of File Integrity Monitoring (FIM) and identification of unusual processes.

Given that inspecting affected devices can be challenging, analyzing accessible logs for indirect indicators of breach, such as unusual logins or internal network activity, may present some possibilities for detection, the blog post recommended.
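As an added, defender-side example (not code from the article, Mandiant, or SonicWall): a minimal file-integrity check in the spirit of the FIM described above. It baselines a directory of startup scripts, reports modified and newly added files, and flags any script whose contents contain the credential-theft query quoted in the article. The script names and contents in the demo are constructed, not taken from a real appliance.

```python
import hashlib
import os
import tempfile

# Constructed marker: the credential-theft query the report attributes to the malicious firewalld script.
SUSPICIOUS_MARKERS = (b"select userName, password from Sessions",)

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def compare(root, baseline):
    """Diff the current tree against the baseline and scan contents for markers."""
    current = build_baseline(root)
    findings = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "marker_hits": [],
    }
    for rel in sorted(current):
        with open(os.path.join(root, rel), "rb") as f:
            if any(m in f.read() for m in SUSPICIOUS_MARKERS):
                findings["marker_hits"].append(rel)
    return findings

def demo():
    # Constructed scenario: clean baseline, then the post-exploitation changes the report describes.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "firewalld"), "w") as f:
            f.write("#!/bin/bash\n# constructed: legitimate startup script\n")
        baseline = build_baseline(root)
        with open(os.path.join(root, "firewalld"), "a") as f:  # tampered entry point
            f.write("QUERY='select userName, password from Sessions'\n")
        with open(os.path.join(root, "iptabled"), "w") as f:  # new watchdog copy
            f.write("#!/bin/bash\n# constructed: restarts firewalld if it is not running\n")
        return compare(root, baseline)
```

On a real device the baseline would be taken from a known-good firmware image and stored off-box, since the report notes the scripts re-install themselves across updates.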