The SonicWall SMA 100 series appliances have been the target of a suspected Chinese-affiliated threat group for a couple of years. According to reports, the China-linked threat group UNC4540 deployed malware on the targeted appliances and established long-term persistence on them to steal data.
Researchers have yet to identify the threat actors' initial access vector. The malware is suspected to have been deployed on outdated SonicWall SMA devices by exploiting known security vulnerabilities.
The malware consists of a series of bash scripts and a single ELF binary, the TinyShell backdoor. The primary module, firewall, runs SQL commands against the appliance's database to collect cryptographically hashed user credentials.
The malware copies the stolen credential hashes to a text file created by the attackers, who then recover the passwords by cracking the hashes offline. It then uses TinyShell to establish a reverse shell on the infected device for more straightforward remote access.
The campaign also applies a minor patch to a legitimate SonicWall binary so that the malware keeps running even if the infected device shuts down or reboots.
According to the investigation, UNC4540 maintains persistence on the SonicWall SMA across multiple firmware updates and so keeps a foothold on the targeted network.
The malware also includes a second copy of iptables. The operators configure the two scripts to back each other up, ensuring stability and persistence for prolonged attacker access.
Analysis suggests that another bash script checks the device every 10 seconds for a new firmware update. Once it finds one, it unzips the upgrade package, copies the malware into it, and puts the zip back in its original place to maintain access.
Finally, the malware adds a backdoor user to the upgrade package to maintain continued access to the infected web application.
Fortunately, SonicWall's security team has released an update for the SMA 100 that adds new security features such as anomalous process identification and File Integrity Monitoring. Organisations should upgrade their appliances to version 10.2.1.7 or higher to reduce the chance of infection by this threat.
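The tampering described above, where a script silently unpacks an upgrade package, adds its own files and re-zips it in place, is exactly what a file-integrity check on the package is meant to catch. The following Python is an added illustration of that kind of check and is not code from the article, from SonicWall, or from the malware; the archive contents, member names and the "pristine" versus "tampered" packages are all constructed placeholders. It records a SHA-256 manifest of a known-good archive, then reports any members that were added, removed or modified in a later copy.

```python
import hashlib
import io
import zipfile

# Constructed sample data: a tiny stand-in for a firmware upgrade archive.
# Member names and contents are placeholders, not real SonicWall files.
PRISTINE_MEMBERS = {
    "manifest.txt": b"version=PLACEHOLDER\n",
    "bin/upgrade": b"\x7fELF placeholder binary\n",
    "scripts/postinstall.sh": b"#!/bin/sh\necho install\n",
}

# Same package after the kind of tampering the article describes:
# one member altered, one extra script dropped in.
TAMPERED_MEMBERS = {
    "manifest.txt": b"version=PLACEHOLDER\n",
    "bin/upgrade": b"\x7fELF placeholder binary + unexpected patch\n",
    "scripts/postinstall.sh": b"#!/bin/sh\necho install\n",
    "scripts/extra.sh": b"#!/bin/sh\necho not part of the release\n",
}


def build_archive(members):
    """Build an in-memory zip from a {name: bytes} mapping (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest(archive):
    """Map every file member of the archive to the SHA-256 of its contents."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def diff_manifest(known_good, observed):
    """Compare an observed manifest against a trusted one.

    Returns the member names that were added, removed or changed. Hashes are
    compared rather than sizes or timestamps, because a package that is
    re-zipped into its original place can keep the same name and path.
    """
    added = sorted(set(observed) - set(known_good))
    removed = sorted(set(known_good) - set(observed))
    modified = sorted(
        name for name in known_good
        if name in observed and known_good[name] != observed[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def verify_archive(archive, known_good):
    """Return (ok, findings); ok is True only if nothing differs from known_good."""
    findings = diff_manifest(known_good, manifest(archive))
    return not any(findings.values()), findings


def demo():
    """Record the pristine manifest, then check a tampered copy against it."""
    reference = manifest(build_archive(PRISTINE_MEMBERS))
    ok, findings = verify_archive(build_archive(TAMPERED_MEMBERS), reference)
    return ok, findings


if __name__ == "__main__":
    ok, findings = demo()
    print("package intact" if ok else f"package tampered: {findings}")
```

The check is only as trustworthy as the reference manifest: a script running on the appliance every 10 seconds could just as easily regenerate a local manifest after tampering, so the known-good hashes need to come from outside the device, for example from a signed vendor manifest or a copy held by the monitoring system, and the comparison should run before the package is applied.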