Attacks on SonicWall appliances linked to Chinese campaign: Mandiant

A persistent malware targeting unpatched SonicWall Secure Mobile Access (SMA) appliances has been linked to a Chinese campaign dating back to 2021, according to a Mandiant research done in partnership with SonicWall’s in-house research team.

The responsible malware, dubbed UNC4540, has been found to be stealing user credentials, providing shell access, and persisting through firmware upgrades.

“This is not a new vulnerability, so a patch was not published,” a Mandiant spokesperson said. “The findings are based on the analysis of an extremely limited number of unpatched SMA 100 series appliances from the 2021 timeframe.”

SonicWall did, however, issue SMA 100 firmware 10.2.1.17 update last week as a maintenance release, the spokesperson added.

The SMA series is a line of on-premises security appliances developed and manufactured by SonicWall that are designed to provide remote access to corporate networks, cloud applications, and other resources for employees, contractors, and partners.

Attacks are consistent with earlier Chinese hacks

Mandiant has identified a pattern of Chinese attackers utilizing numerous zero-day exploits and malware to gain full access to enterprise systems through various internet-facing network appliances, and the SonicWall SMA appliances attack as part of this trend.

The techniques used were found to be consistent with multiple security incidents in April 2021 involving compromises of Pulse Secure VPN appliances through authentication bypass.

Earlier in March 2021, Mandiant Managed Defense had also discovered three zero-day vulnerabilities being actively exploited in SonicWall’s Email Security product indicating a persistent malicious presence in SonicWall’s system.

Usually, vendors do not allow users direct access to the operating system or the file system. Instead, they provide administrators with a graphical user interface or a restricted Command Line Interface that prevents accidental damage to the system. 

Due to this restricted access, Chinese attackers are putting in significant resources and effort to create exploits and malware for managed devices, according to a Mandiant blog post.

Malware module primarily steals credentials

The main malware entry point is a bash script named “firewalld”, which essentially executes an SQL command to accomplish credential stealing along with the execution of few other components. firewalld is used to initiate TinyShell backdoor, a remote access hack through PHP script, which then allows the attackers to run arbitrary SQL commands and perform various malicious activities.

A TinyShell backdoor is typically installed by exploiting vulnerabilities in web applications or by using brute force attacks to guess weak passwords for login pages. Once the attacker gains access to the web server, they can upload the TinyShell script and execute it to gain remote access.

The primary purpose of the malware was found to be stealing hashed credentials from all logged in users by executing the SQL command, “select userName, password from Sessions.” This command targets the session information with hashed credentials in the source database maintained by the unpatched appliance.

Module designed for persistence and stability

The attackers have primarily focused on the stability and persistence of their tooling, allowing access to the network to persist through firmware updates and maintaining network foothold through the SonicWall device.

Used as the entry point and persistence in this attack, firewalld is a startup script run at boot time and is designed to manage the firewall rules and provides a user-friendly interface for configuring and managing network traffic. Additionally, a modified firewalld copy “iptabled”, was found in the affected device to provide persistence for the main malware process in case of exit or crash.

“The two scripts were configured to call the other if it was not running, providing a backup instance of the main malware process and therefore an additional layer of resilience,” said the blog post.

The attackers also have a process in place for their access to persist through firmware updates. They use another bash script geoBotnetd that frequently checks for firmware updates, to unzip the update and load the malware package upon every detection.

“These firmware manipulations only occurred post-exploitation on an already infected device and were not seen used in a supply chain attack,” added the post.

Defense includes timely patching and management

SonicWall has indicated that maintaining proper patch management is paramount for mitigating the risk of vulnerability exploitation. It is advising customers who use SMA100 to update their software to version 10.2.1.7 or later. This updated version includes improvements to strengthen the software, such as the addition of File Integrity Monitoring (FIM) and identification of unusual processes.

Given that inspecting affected devices can be challenging, analyzing accessible logs for indirect indicators of breach, such as unusual logins or internal network activity, may present some possibilities for detection, recommended the blog post.