According to Mandiant, Chinese hackers are exploiting unpatched SonicWall gateways and infecting devices with credential-stealing malware that persists after a firmware update.
The spyware targets SonicWall Secure Mobile Access (SMA) 100 Series, a secure access gateway that provides VPN access to remote users.
Although the attack is not tied to a new or specific vulnerability, SonicWall encourages organizations to apply the SMA 100 update (10.2.1.7 or later), which includes additional protection and security measures. According to SonicWall, "an extremely limited number of unpatched SMA 100 series devices as of 2021" are affected.
Last week's update includes additional security measures such as file integrity monitoring (FIM) and anomalous process identification, as well as updates to the OpenSSL library.
SonicWall was unable to determine the initial attack vector. However, the investigation found that the unpatched devices contained the known exploitable vulnerabilities CVE-2021-20016, CVE-2021-20028, CVE-2019-7483 and CVE-2019-7481.
Mandiant is tracking the threat actor as UNC4540. The campaign is also consistent with the pattern of Chinese attackers targeting network devices and exploiting zero-day vulnerabilities in them, which suggests the involvement of Chinese government hackers.
According to Mandiant, the campaign uses malware consisting of bash scripts and one binary ELF file, which researchers have identified as a TinyShell backdoor.
The malware uses a "firewalld" bash script that runs an SQL command to steal credentials and then launches the TinyShell backdoor. According to experts, the main purpose of the malware is to steal the hashed credentials of all logged-in users. In addition, the malware remains resilient even if the device fails.
The bash script also checks every 10 seconds for a new firmware update. When new firmware is available, the bash script copies the backup file, adds the malware, and puts the package back in place, indicating that the attackers took the time to understand the device's update cycle and then developed a persistence method around it.
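The file integrity monitoring that SonicWall added in 10.2.1.7 is the kind of control that catches exactly this behaviour: a firmware package whose contents change between the time it is staged and the time it is applied. The following is an added illustration of the baseline-and-compare logic behind FIM, not SonicWall's or Mandiant's code; the directory layout and file contents are constructed for the demo.

```python
"""Minimal file-integrity monitoring (FIM): build a SHA-256 manifest of a tree,
then diff a later manifest against it to surface added/removed/modified files.
Added illustration only; paths and contents below are constructed."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map every regular file under root (as a relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Simulate a staged upgrade package being altered between two FIM scans."""
    root = tempfile.mkdtemp()
    try:
        pkg = os.path.join(root, "upgrade")          # constructed package directory
        os.makedirs(pkg)
        with open(os.path.join(pkg, "init.sh"), "w") as fh:
            fh.write("#!/bin/sh\nexec /sbin/start\n")   # constructed content
        with open(os.path.join(pkg, "manifest.txt"), "w") as fh:
            fh.write("version=10.2.1.7\n")               # constructed content
        baseline = build_manifest(root)
        # Tampering as seen by FIM: one file changed, one file appeared.
        with open(os.path.join(pkg, "init.sh"), "a") as fh:
            fh.write("# appended line\n")
        with open(os.path.join(pkg, "extra.sh"), "w") as fh:
            fh.write("# new file\n")
        return diff_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be taken from a known-good image and stored off-device, since a manifest the malware can rewrite is no integrity check at all.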