Security researchers say that threat actors are using custom malware to infect a popular SonicWall security appliance. The malware remains a live threat because it has been engineered to survive firmware updates, so installing a new firmware version does not by itself remove it.
The malware targets the SonicWall Secure Mobile Access 100 (SMA 100), a remote-access appliance that organizations deploy at the network edge to give remote employees secure access to internal resources. It provides access management controls including VPN connectivity, user profiles, and more.
Because it sits between the Internet and a business network, the SMA 100 is an obvious target for threat actors, and the device has been attacked several times over the years. The latest campaign is proving persistent because routine security updates are not removing the malware.
According to security research firm Mandiant, the attack seems to come from a group with suspected links to the Chinese government. The goal of the campaign could be to create a long-term presence on SonicWall SMA appliances.
“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read explain. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”
To stay resident on the device, the malware polls for firmware updates: a script checks every 10 seconds for a staged update archive, and when one appears it intervenes before the update is applied. It copies the archive as a backup, unpacks it, mounts the filesystem image inside it, and copies its full set of malicious files into the mounted image.
It also adds a backdoor root user to the mounted image and then repacks the archive, so that when the update is installed, the malware and the backdoor account are installed along with the new firmware. While this may sound like a new kind of attack, Mandiant says the technique itself is not new.
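The two side effects of that update-tampering described above, an extra UID-0 account written into the image and malicious files copied in alongside the vendor's, are exactly what a defender can check for before applying a staged update. The script below is an added example (not code from Mandiant, SonicWall or the article) that unpacks nothing itself; it assumes you have already extracted a known-clean vendor image and the staged candidate image into two directories on a trusted host, and it compares them. The directory layout, the account name `svcadmin`, the path `opt/sbin/helper.sh` and all file contents are constructed for illustration and are not claims about the real appliance.

```python
"""Offline integrity checks for an unpacked firmware image (added example).

Assumptions (not from the article): a clean vendor image and a candidate
image are already extracted to two directories; file paths, the account
name and file contents below are constructed fixtures, not real artefacts.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed /etc/passwd contents: the tampered copy carries a second UID-0 user.
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/:/sbin/nologin\n"
)
TAMPERED_PASSWD = CLEAN_PASSWD + "svcadmin:x:0:0::/:/bin/sh\n"  # hypothetical backdoor root


def find_extra_root_accounts(passwd_text: str) -> list[str]:
    """Return every account with UID 0 other than 'root' from passwd(5) text."""
    extras = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: report nothing rather than crash
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extras.append(name)
    return extras


def file_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], candidate: dict[str, str]) -> dict:
    """Files added to, removed from, or changed in the candidate relative to baseline."""
    added = sorted(set(candidate) - set(baseline))
    removed = sorted(set(baseline) - set(candidate))
    modified = sorted(k for k in baseline if k in candidate and baseline[k] != candidate[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_update_image(baseline_root: Path, candidate_root: Path) -> dict:
    """Combine the manifest diff with the UID-0 check on the candidate's passwd file."""
    report = diff_manifests(file_manifest(baseline_root), file_manifest(candidate_root))
    passwd = candidate_root / "etc" / "passwd"
    report["extra_root_accounts"] = find_extra_root_accounts(passwd.read_text()) if passwd.exists() else []
    report["suspicious"] = bool(report["added"] or report["modified"] or report["extra_root_accounts"])
    return report


def build_image(root: Path, passwd: str, extra_files: dict[str, bytes]) -> None:
    """Write a minimal constructed image tree: /etc/passwd plus one placeholder binary."""
    (root / "etc").mkdir(parents=True, exist_ok=True)
    (root / "etc" / "passwd").write_text(passwd)
    (root / "usr" / "bin").mkdir(parents=True, exist_ok=True)
    (root / "usr" / "bin" / "sshd").write_bytes(b"clean binary placeholder")
    for rel, data in extra_files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def demo() -> dict:
    """Build a clean and a tampered image in a temp dir and return the check report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = Path(tmp) / "clean", Path(tmp) / "tampered"
        build_image(clean, CLEAN_PASSWD, {})
        build_image(tampered, TAMPERED_PASSWD,
                    {"opt/sbin/helper.sh": b"#!/bin/sh\n# constructed payload stand-in\n"})
        return check_update_image(clean, tampered)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The check is only as good as its baseline: the manifest must come from a vendor image obtained and extracted on a host the attacker does not control, because the malware described above tampers with the update precisely at the staging path on the appliance, where any comparison run from the appliance itself could be undermined.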
“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers add.
“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term,” Mandiant researchers say.
As for why the attackers target SMA 100 appliances, the goal appears to be to steal the hashed user passwords stored on the device.
“Analysis of a compromised device revealed a collection of files that give the attacker highly privileged and available access to the appliance. The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well-tailored to the system to provide stability and persistence.”