A suspected China-linked hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 devices to release malware and establish long-term persistence.
“Malware has the functionality to steal user credentials, provide shell access and persist through firmware upgrades,” cybersecurity company Mandiant said in a technical report published this week.
The Google-owned incident response and threat intelligence firm tracks the activity under its uncategorized name UNC4540.
The malware—a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor—is designed to give the attacker privileged access to SonicWall devices.
The overall goal behind the custom toolkit appears to be credential theft, with the malware allowing the adversary to siphon cryptographically hashed credentials from any logged-in user. It further provides shell access to the compromised device.
Mandiant also touted the attackers’ in-depth understanding of device software as well as their ability to develop custom malware that can achieve persistence across firmware updates and maintain a foothold on the network.
The exact initial intrusion vector used in the attack is unknown, and it is suspected that the malware was likely deployed on the devices, in some cases as early as 2021, by exploiting known security flaws.
Along with the disclosure, SonicWall has released updates (version 10.2.1.7) that bring new security improvements such as File Integrity Monitoring (FIM) and abnormal process identification.
Discover the hidden dangers of third-party SaaS apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize your risk.
RESERVE YOUR SEAT
The development comes nearly two months after another China-nexus threat actor was found to be exploiting a now-updated vulnerability in Fortinet FortiOS SSL-VPN as a zero-day attack targeting a European government and a managed service provider (MSP) located in Africa.
“In recent years, Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network devices as a route to full enterprise penetration,” Mandiant said.
