Chinese hackers target unpatched SonicWall SMA Edge Devices

Share post:

According to a recent Mandiant research document, since 2021, a malware campaign has been targeting unpatched SonicWall SMA edge devices, persisting even after firmware updates. The malware campaign is thought to be a Chinese cyber espionage campaign aimed at stealing user credentials for cyber espionage purposes.

The malware is made up of several bash scripts and one ELF binary file, which has been identified as a TinyShell backdoor variant. The main malware process is a file called “firewalld,” which executes the TinyShell backdoor with parameters that allow it to provide the threat actor with a reverse shell. A copy of the “firewalld” file called “iptabled” was also modified to ensure the primary malware’s survival in the event of a crash or termination. A startup script called “rc.local” launches the malware at boot time to allow for extended access.

The malware’s ultimate goal is to execute a SQL command to obtain the hashed credentials of all logged-in users, which the attacker can then use to crack them offline. On an infected device, a bash script called “geoBotnetd” checks every 10 seconds for a firmware upgrade. If a firmware upgrade is discovered, the script will backup the file, unzip it, mount it, and copy over the entire malware package. It also installs a backdoored root user called “acme” on the system.

Mandiant researchers believe the attackers encountered problems while shutting down the instance with the “firebased” script and wrote a small script to fix it. While not particularly sophisticated, the technique used in this attack campaign necessitates a thorough understanding of the firmware upgrade process in order to create and deploy, indicating the attackers’ desire to maintain long-term access.

While the primary vector of infection is unknown, Mandiant researchers believe the malware, or its predecessor was likely deployed in 2021 and that the threat actor likely retained access despite multiple firmware updates. SonicWall recommends that SMA100 customers upgrade to version or higher, which includes hardening enhancements like File Integrity Monitoring (FIM) and anomalous process detection.

The sources for this piece include an article in TechRepublic.



Related articles

Microsoft announces enhanced security feature for OneNote

Microsoft has released further information on the increased security measures it is deploying for OneNote in order to...

Russian hacker group steals Emails of NATO officials and diplomats

Since February 2023, a Russian hacking gang known as TA473 or 'Winter Vivern' has targeted unpatched Zimbra endpoints...

Canadian cybersecurity accelerator counts its accomplishments

A Canadian university-associated business accelerator for helping early-stage cybersecurity companies says its first two years of operation have been more than satisfactory. The Rogers Cybersecure Catalyst Accelerator has had “an incredible impact” on Canadian cybersecurity entrepreneurs and founders, executive director Charles Finlay said this week in the first report on the program’s progress. Despite having

Crackdown on ransomware gangs yet to show an impact: OpenText

In its annual cybersecurity report OpenText also looked at malware, phishing and infec

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways