SonicWall is an American company that sells internet hardware for network security and remote access, which makes it a very attractive potential target for cybercriminals trying to carve out a permanent presence in high-profile organizations around the world.
Security researchers at Mandiant have detected a new malware campaign against network devices sold by SonicWall. Analysts say the unidentified actors behind the campaign are most likely Chinese and working for the communist dictatorship; the group is currently being tracked as UNC4540.
The attack targets the Secure Mobile Access (SMA) 100 appliance, a secure remote access device that companies and organizations use to deploy and manage remote workers. The SMA 100 can provide access control for remote users, VPN connections, and unique profiles for each user. In 2021, the device was targeted by hackers who exploited a zero-day vulnerability.
The threat discovered by Mandiant is designed to survive the firmware updates that SonicWall provides. To achieve this kind of persistence, the malware remotely checks for new firmware updates every 10 seconds. When an update is available, the malware downloads the archive, decompresses it, installs itself into it, and copies its own files into the new image.
The malware also adds a backdoor root user to the package before re-zipping the files to put them back in place, ready to install. Once the update is applied, the malware continues to run in the new firmware environment as well.
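Because the page states that the implant adds a root-level account to the repacked firmware, one check a defender can run on an extracted update image is to diff its account database against the same file from a known-good image of the same version and flag any new account or any account that has become UID 0. The script below is an added example, not code from Mandiant or SonicWall; it assumes the analyst has already unpacked both images and that the appliance keeps a conventional `/etc/passwd`-style file (the exact layout of the SMA 100 image is not described on the page). The sample contents are constructed.

```python
"""Flag unexpected UID-0 (root-equivalent) accounts in an extracted firmware image.

Added example, not Mandiant's or SonicWall's code. It assumes the firmware
package has already been unpacked and that its /etc/passwd can be compared
against the same file taken from a known-good image of the same version.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, PasswdEntry]:
    """Parse /etc/passwd content into a name -> entry mapping.

    Malformed lines are skipped rather than raising, so one junk line in a
    tampered file cannot abort the whole check.
    """
    entries: dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
        except ValueError:
            continue
    return entries


def find_suspicious_accounts(baseline: str, candidate: str) -> list[str]:
    """Describe accounts in `candidate` that differ from `baseline`.

    Two conditions are flagged: an account that does not exist in the
    baseline at all, and an existing account whose UID became 0
    (root-equivalent) when it was not root-equivalent before.
    """
    base = parse_passwd(baseline)
    cand = parse_passwd(candidate)
    findings: list[str] = []
    for name, entry in cand.items():
        if name not in base:
            findings.append(
                f"new account {name!r} (UID {entry.uid}, shell {entry.shell})"
            )
        elif entry.uid == 0 and base[name].uid != 0:
            findings.append(
                f"account {name!r} changed from UID {base[name].uid} to UID 0"
            )
    return findings


# Constructed sample data: a known-good passwd and a copy with an added
# UID-0 account (the account name is made up for this example).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

TAMPERED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
updatesvc:x:0:0::/:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for finding in find_suspicious_accounts(BASELINE_PASSWD, TAMPERED_PASSWD):
        print("FINDING:", finding)
```

The comparison is deliberately against a vendor image of the identical version rather than against a fixed allow-list, so legitimate accounts that SonicWall adds or removes between releases do not produce noise; only accounts that are absent from the vendor's own copy of that release are reported.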
The technique isn’t particularly complex, Mandiant said, but it does show the considerable effort the unknown attackers have put into studying and understanding the appliance’s firmware update cycle.
“In recent years, Chinese attackers have deployed numerous zero-day exploits and malware to a variety of network devices facing the Internet” to achieve full enterprise penetration capabilities, analysts say. The new UNC4540 campaign represents another link in this long list of sophisticated attacks, and Mandiant expects this trend to continue “in the near term.”
After analyzing the malicious package, Mandiant researchers found a set of Bash scripts (Bash is a Unix shell commonly used as the default login shell on Linux operating systems) and an ELF (Linux) binary identified as a TinyShell variant.
Researchers haven’t identified the initial infection vector yet, but SonicWall (which worked with Mandiant to detect the threat) has released a new firmware update (10.2.1.7) for the SMA 100. The company also recommends that customers and administrators regularly review device logs to identify any sign of persistent infection.