According to Mandiant, Chinese hackers are attacking vulnerable SonicWall Secure Mobile Access (SMA) devices and infecting them with credential-stealing malware that can survive even a firmware update.
Mandiant researchers and the SonicWall PSIRT team believe that the Chinese hack group UNC4540 is behind these attacks.
Let me remind you that we also wrote that Chinese Hackers Use Manjusaka Instead of Cobalt Strike, and also that New Chinese Malware Alchimist Attacks Windows and Linux.
Let me remind you that the media also reported that Chinese hackers took part in attacks on SolarWinds clients.
The malware used by the attackers consists of an ELF binary, a TinyShell backdoor and several bash scripts, which, according to experts, demonstrates the attackers' deep understanding of the target devices.
The main module of the malware, firewalld, executes SQL commands against the device database, stealing the hashed credentials of all logged-in users.
This data is then copied into a text file created in tmp/syslog.db and passed on to the malware operators for subsequent offline cracking.
In addition, firewalld runs other malicious components, including TinyShell, to install a reverse shell on the device to facilitate remote access.
The main malicious module also applies a small patch to the legitimate firebased binary, but the researchers were unable to determine its exact purpose. Analysts suggest that the modification helps the malware keep running stably when the shutdown command is issued.
Although it is not clear which vulnerability the attackers used to compromise the devices, experts write that the targeted devices had not been patched, so they remained vulnerable even to old, known exploitable bugs, including CVE-2021-20016, CVE-2021-20028, CVE-2019-7483 and CVE-2019-7481.
The report highlights that the malware could have been installed on SonicWall devices as early as 2021 and “survived” during all subsequent firmware updates.
The attackers achieved this by using scripts that provide redundancy and long-term access to the compromised devices.
For example, experts note the iptabled script, which is essentially the same module as firewalld but is launched by the startup script (rc.local) only if the main malicious process terminates, fails, or is unable to start.
In addition, the attackers implemented a process in which a bash script (geoBotnetd) checks for new firmware updates in /cf/FIRMWARE/NEW/INITRD.GZ every 10 seconds. If an update is found, the malware is embedded in the update package so that it remains present on the system even after the update. This script also adds a backdoor user named acme to the update file.
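The persistence traits described above (the modules launched from rc.local, the credential staging file, the backdoor account and the polled firmware path) can be checked for in an offline copy of an SMA filesystem, such as a mounted forensic image. The following script is an added example written for this article, not code from Mandiant's report or from SonicWall; the indicator names come from the article, while the directory layout, the passwd location and the fake filesystem it builds for the demo are assumptions.

```python
# Added example (not from Mandiant's report or SonicWall): hunt an offline copy
# of an SMA filesystem, e.g. a mounted forensic image, for the traits above.
import re
import tempfile
from pathlib import Path

# Names come from the article; where each file lives is an assumption.
MODULE_NAMES = ("firewalld", "iptabled", "geoBotnetd")
STARTUP_SCRIPTS = ("etc/rc.local", "etc/rc.d/rc.local")
CRED_DUMP = "tmp/syslog.db"                     # staged hashed credentials
FIRMWARE_STAGING = "cf/FIRMWARE/NEW/INITRD.GZ"  # polled by geoBotnetd every 10 s
BACKDOOR_USER = "acme"                          # injected into the update package

def hunt(root):
    """Return human-readable findings for the filesystem copy under root."""
    root, findings = Path(root), []
    for rel in STARTUP_SCRIPTS:  # rc.local is what launches the fallback module
        script = root / rel
        if script.is_file():
            text = script.read_text(errors="replace")
            # firewalld is a legitimate daemon on ordinary Linux; the name check
            # is only meaningful on an SMA image, where it should not exist.
            findings += [f"{rel}: starts {n}" for n in MODULE_NAMES
                         if re.search(rf"\b{n}\b", text)]
    if (root / CRED_DUMP).is_file():
        findings.append(f"{CRED_DUMP}: credential dump staging file present")
    passwd = root / "etc/passwd"
    if passwd.is_file():
        users = {ln.split(":", 1)[0] for ln in passwd.read_text().splitlines()}
        if BACKDOOR_USER in users:
            findings.append(f"etc/passwd: backdoor user '{BACKDOOR_USER}' present")
    if (root / FIRMWARE_STAGING).is_file():  # normal mid-update; verify its hash
        findings.append(f"{FIRMWARE_STAGING}: staged image, verify vendor hash")
    return findings

def build_demo_root(infected=True):
    """Construct a throwaway fake SMA tree; infected=True adds the traits."""
    root = Path(tempfile.mkdtemp())
    for rel in ("etc", "tmp", "cf/FIRMWARE/NEW"):
        (root / rel).mkdir(parents=True)
    rc, passwd = "#!/bin/sh\n/usr/sbin/sshd\n", "root:x:0:0::/root:/bin/sh\n"
    if infected:
        rc += "/bin/firewalld &\n[ -x /bin/iptabled ] && /bin/iptabled &\n"
        passwd += "acme:x:1001:1001::/tmp:/bin/sh\n"
        (root / CRED_DUMP).write_text("constructed placeholder, not real data\n")
    (root / "etc/rc.local").write_text(rc)
    (root / "etc/passwd").write_text(passwd)
    return root
```

Running `hunt(build_demo_root())` reports the two rc.local launches, the staging file and the acme account; pointing `hunt()` at a real image root applies the same checks there.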
Experts remind system administrators to install the latest updates promptly: the recommended version at the moment is 10.2.1.7 or higher.