SonicWall devices are attacked by very persistent malware capable of surviving through multiple firmware updates, experts claim.
Cybersecurity researchers from Mandiant and SonicWall recently discovered custom malware specifically designed for SonicWall Secure Mobile Access (SMA) devices, most likely designed by a Chinese threat actor named UNC4540.
Its features show a “deep understanding” of the devices it’s built for, and the malware is designed for espionage, the researchers claim, because it’s capable of stealing user passwords and providing shell access.
Establish remote access
“The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the device and is well tuned to the system to provide stability and persistence,” said Mandiant.
The main module can steal hashed credentials from all users logged into the compromised devices, copy them into a text file and send them off to be cracked elsewhere. Another module opens a reverse shell for easy remote access. The researchers also found a module that applies a small patch to a legitimate SonicWall binary, whose purpose they have not yet been able to determine.
The researchers also couldn’t determine what vulnerability the attackers used to compromise these devices with malware, but they suspect the malware was deployed years ago and has successfully survived multiple firmware updates. They think the first compromise could have been made as early as 2021.
To protect your devices from unknown threats like this, it is best to apply the latest security updates. The latest firmware version for the targeted devices is 10.2.1.7, the publication says, adding that the release includes File Integrity Monitoring (FIM) and Anomalous Process Identification, two features “supposed to detect and stop this threat.”
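As an added illustration of what file integrity monitoring does (example code, not SonicWall's or Mandiant's own implementation), the script below hashes a directory tree into a baseline and then flags any file that was modified, added or removed, which is how a small patch to a legitimate binary or a dropped persistence script becomes visible. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a POSIX relative path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against the baseline and report drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a fake firmware tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "legit_binary").write_bytes(b"\x7fELF" + b"\x00" * 64)  # stand-in binary
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)
        # Simulate a one-byte patch to the legitimate binary (constructed tampering).
        data = bytearray((root / "bin" / "legit_binary").read_bytes())
        data[10] ^= 0xFF
        (root / "bin" / "legit_binary").write_bytes(bytes(data))
        # Simulate a dropped script that was not in the baseline.
        (root / "bin" / "dropped.sh").write_bytes(b"#!/bin/bash\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

A check like this only catches drift relative to a baseline it trusts, so the baseline must be taken from a known-good image and kept somewhere the device itself cannot rewrite.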
“In recent years, Chinese attackers have deployed multiple zero-day exploits and malware against a variety of internet-facing network devices as a route to full-scale corporate intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near future,” Mandiant concluded.
Via: Bleeping Computer