Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access.
The analysis of a compromised device revealed the presence of a set of files used by the attacker to gain highly privileged and available access to the appliance. The malicious code is composed of a series of bash scripts and a single ELF binary identified as a TinyShell variant.
The researchers believe that the threat actors have a deep understanding of the appliance.
The malware is well tailored to the system to provide stability and maintain persistence, even in the case of installation of firmware upgrades.
“The primary purpose of the malware appears to be to steal hashed credentials from all logged in users. It does this in firewalld by routinely executing the SQL command select userName,password from Sessions against sqlite3 database /tmp/temp.db and copying them out to the attacker created text file /tmp/syslog.db.” reads the report published by Mandiant. “The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker the hashes could be cracked offline.”
At this time it is unclear how the attackers gained initial access to the unpatched SonicWall Secure Mobile Access (SMA) appliance. Mandiant experts believe the threat actors may have exploited a known vulnerability that the targeted appliance.
Mandiant believes that the malware, or a predecessor of it, was likely first installed in 2021 giving attackers persistent access.
Developing malware for a managed appliance is very complex and request a deep knowledge of the target. Mandiant pointed out that vendors typically do not enable direct access to the Operating System or filesystem for users, instead offering administrators a graphical UI or limited Command Line Interface (CLI) with guardrails preventing anyone from accidentally breaking the system. The lack of access, makes it very hard to develop such kind of custom malware.
“First and foremost, maintaining proper patch management is essential for mitigating the risk of vulnerability exploitation. At the time of publishing this blog post, SonicWall urges SMA100 customers to upgrade to 10.2.1.7 or higher, which includes hardening enhancements such as File Integrity Monitoring (FIM) and anomalous process identification.” concludes the report. “A SonicWall blog post describing the patch features is available (New SMA Release Updates OpenSSL Library, Includes Key Security Features) and the patch itself can be found here: Upgrade Path For SMA100 Series.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SonicWall)