SonicWall SMA appliance infected by a custom malware allegedly developed by Chinese hackers

Alleged China-linked threat actors infected unpatched SonicWall Secure Mobile Access (SMA) appliances with a custom backdoor.


Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and obtain shell access.

The analysis of a compromised device revealed the presence of a set of files used by the attacker to gain highly privileged and available access to the appliance. The malicious code is composed of a series of bash scripts and a single ELF binary identified as a TinyShell variant.

The researchers believe that the threat actors have a deep understanding of the appliance.

The malware is well tailored to the system to provide stability and maintain persistence, even in the case of installation of firmware upgrades.

“The primary purpose of the malware appears to be to steal hashed credentials from all logged-in users. It does this in firewalld by routinely executing the SQL command select userName,password from Sessions against sqlite3 database /tmp/temp.db and copying them out to the attacker-created text file /tmp/syslog.db.” reads the report published by Mandiant. “The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker the hashes could be cracked offline.”

At this time it is unclear how the attackers gained initial access to the unpatched SonicWall Secure Mobile Access (SMA) appliance. Mandiant experts believe the threat actors may have exploited a known vulnerability affecting the targeted appliance.

Mandiant believes that the malware, or a predecessor of it, was likely first installed in 2021, giving the attackers persistent access.

Developing malware for a managed appliance is very complex and requires deep knowledge of the target. Mandiant pointed out that vendors typically do not enable direct access to the operating system or filesystem for users, instead offering administrators a graphical UI or a limited Command Line Interface (CLI) with guardrails preventing anyone from accidentally breaking the system. This lack of access makes it very hard to develop this kind of custom malware.

“First and foremost, maintaining proper patch management is essential for mitigating the risk of vulnerability exploitation. At the time of publishing this blog post, SonicWall urges SMA100 customers to upgrade to 10.2.1.7 or higher, which includes hardening enhancements such as File Integrity Monitoring (FIM) and anomalous process identification.” concludes the report. “A SonicWall blog post describing the patch features is available (New SMA Release Updates OpenSSL Library, Includes Key Security Features) and the patch itself can be found here: Upgrade Path For SMA100 Series.”
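The credential-theft routine described above leaves an attacker-created file (/tmp/syslog.db) on the appliance, and the vendor's answer quoted in the closing paragraph is File Integrity Monitoring. The following is an added example, not code from the Mandiant report or from SonicWall: a minimal FIM that hashes a directory tree, then diffs a later snapshot so that a newly created dump file or a modified boot script is reported. The directory layout, the file contents and the path etc/startup.sh are constructed placeholders.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snapshot[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snapshot


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots as added, modified or removed paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write(root, rel, data):
    """Helper: write data to root/rel, creating parent directories as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a clean tree, then replay the changes the report describes."""
    root = tempfile.mkdtemp()
    # Constructed stand-ins for the session database and a boot script
    # (etc/startup.sh is a hypothetical placeholder, not a path from the report).
    write(root, "tmp/temp.db", "session table placeholder")
    write(root, "etc/startup.sh", "#!/bin/sh\n")
    baseline = hash_tree(root)
    # After the baseline: a dump file the appliance never creates itself appears,
    # and a boot script is altered (the kind of change that re-establishes persistence).
    write(root, "tmp/syslog.db", "admin:<hash placeholder>\n")
    write(root, "etc/startup.sh", "#!/bin/sh\n# unexpected line added after baseline\n")
    return diff_snapshots(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Paths that change legitimately, such as the session database /tmp/temp.db itself, need an exclusion list in a real deployment, otherwise the monitor alerts on every login.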

Pierluigi Paganini (SecurityAffairs – hacking, SonicWall)