Another Malware with Persistence – Schneier on Security

1 year ago AndyC

Another
Malware
with
Persistence

Here’s
a
piece
of
Chinese
malware
that
infects
SonicWall
security
appliances
and
survives
firmware
updates.

Another
Malware
with
Persistence


Here’s
a
piece
of
Chinese
malware
that
infects
SonicWall
security
appliances
and
survives
firmware
updates.

On
Thursday,
security
firm
Mandiant
published
a

report
that
said
threat
actors
with
a
suspected
nexus
to
China
were
engaged
in
a
campaign
to
maintain
long-term
persistence
by
running
malware
on
unpatched
SonicWall
SMA
appliances.
The
campaign
was
notable
for
the
ability
of
the
malware
to
remain
on
the
devices
even
after
its
firmware
received
new
firmware.

“The
attackers
put
significant
effort
into
the
stability
and
persistence
of
their
tooling,”
Mandiant
researchers
Daniel
Lee,
Stephen
Eckels,
and
Ben
Read
wrote.
“This
allows
their
access
to
the
network
to
persist
through
firmware
updates
and
maintain
a
foothold
on
the
network
through
the
SonicWall
Device.”

To
achieve
this
persistence,
the
malware
checks
for
available
firmware
upgrades
every
10
seconds.
When
an
update
becomes
available,
the
malware
copies
the
archived
file
for
backup,
unzips
it,
mounts
it,
and
then
copies
the
entire
package
of
malicious
files
to
it.
The
malware
also
adds
a
backdoor
root
user
to
the
mounted
file.
Then,
the
malware
rezips
the
file
so
it’s
ready
for
installation.

“The
technique
is
not
especially
sophisticated,
but
it
does
show
considerable
effort
on
the
part
of
the
attacker
to
understand
the
appliance
update
cycle,
then
develop
and
test
a
method
for
persistence,”
the
researchers
wrote.

Sidebar
photo
of
Bruce
Schneier
by
Joe
MacInnis.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

GitCaught campaign relies on Github and Filezilla to deliver multiple malware

GitCaught campaign relies on Github and Filezilla to deliver multiple malware

1 hour ago AndyC
Two students uncovered a flaw that allows to use laundry machines for free

Two students uncovered a flaw that allows to use laundry machines for free

8 hours ago AndyC

IBM Sells Cybersecurity Group – Schneier on Security

8 hours ago AndyC
Grandoreiro Banking Trojan is back and targets banks worldwide

Grandoreiro Banking Trojan is back and targets banks worldwide

14 hours ago AndyC
Weekly Update 400

Weekly Update 400

20 hours ago AndyC
Healthcare firm WebTPA data breach impacted 2.5M individuals

Healthcare firm WebTPA data breach impacted 2.5M individuals

1 day ago AndyC

You may have missed

<div>Transgrid's Lumea seeks closer ties with cellular network planners</div>

Transgrid’s Lumea seeks closer ties with cellular network planners

1 hour ago AndyC
AFP uses cloud, SASE to upgrade reach and capability

AFP uses cloud, SASE to upgrade reach and capability

1 hour ago AndyC
<div>AEC checks Meta AI's handling of election questions</div>

AEC checks Meta AI’s handling of election questions

1 hour ago AndyC
Request for Comments: Mobile Payments on COTS (MPoC) v1.1

Request for Comments: Mobile Payments on COTS (MPoC) v1.1

1 hour ago AndyC

How to Safely Date Online

1 hour ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.