A suspected China-linked campaign maintains long-term persistence by running malware on unpatched SonicWall Secure Mobile Access (SMA) 100 Series appliances. The malware can steal user credentials, provide shell access, and persist through firmware upgrades.
In a blog post Wednesday, Mandiant said it discovered the campaign while working with SonicWall’s Product Security and Incident Response Team (PSIRT). Mandiant tracks the threat actor as UNC4540.
Mandiant said it could not determine the origin of the infection, but the malware, or a predecessor of it, was likely deployed in 2021. Mandiant believes that the attacker’s access has persisted through multiple firmware updates.
The SonicWall SMA100 series is a popular edge network access control system, available as a standalone hardware device, a virtual machine, or a hosted cloud instance. The appliances were widely deployed during the pandemic as organizations moved to a work-from-home model and migrated to the cloud.
The Mandiant-SonicWall blog also pointed out that this attack is consistent with other Chinese attacks in recent years on internet-facing network appliances (see the Mandiant blog from January 19). Chinese attackers have deployed multiple zero-days as a way to obtain full enterprise intrusion, and the researchers expect this to continue at least for the near term.
Mandiant and SonicWall advise security teams to maintain proper patch management to mitigate the risk of exploitation. Although the release is not a vulnerability patch, SonicWall urges SMA100 Series customers to upgrade to 10.2.1.7 or higher for additional hardening and security controls. A SonicWall blog post from March 1 describes the update and links to the update itself.
Analysis of a compromised device by Mandiant and SonicWall revealed a collection of files that gives attackers highly privileged and readily available access to the appliance. The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence, the researchers reported.