
A suspected China-related hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to drop malware and establish long-term persistence.
Cybersecurity firm Mandiant said in a technical report published this week, “The malware has the ability to steal user credentials, provide shell access, and persist through firmware upgrades.”
The Google-owned incident response and threat intelligence firm tracks the activity under the uncategorized designation UNC4540.
The malware, a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor, is designed to grant attackers privileged access to SonicWall devices.
The overall purpose of the custom toolset appears to be credential theft: the malware allows adversaries to siphon cryptographically hashed credentials from all logged-in users, and it additionally provides shell access to the compromised device.
Mandiant also noted the attackers’ deep understanding of the device software and their ability to develop customized malware that can persist across firmware updates and maintain a foothold on the network.
The exact initial intrusion vector used in the attack is unknown; it is likely that the malware was deployed to the devices, possibly in 2021, by exploiting known security flaws.
Concurrent with this disclosure, SonicWall released an update (version 10.2.1.7). This update includes new security enhancements such as File Integrity Monitoring (FIM) and Abnormal Process Identification.
This development follows the attribution of another zero-day attack to a China-related threat actor, this one exploiting a now-patched vulnerability in Fortinet FortiOS SSL-VPN against European government agencies and Managed Service Providers (MSPs) located in Africa; the exploitation came to light about two months after the vulnerability was discovered.
“In recent years, Chinese attackers have deployed multiple zero-day exploits and malware against various Internet-facing network appliances as an entry point across enterprises,” said Mandiant.