Chinese cyberspies have targeted unpatched SonicWall gateways, infecting the devices with credential-stealing malware that persists through firmware upgrades. According to Mandiant, the spyware targets the SonicWall Secure Mobile Access (SMA) 100 Series – a gateway device that provides VPN access to remote users. SonicWall confirmed the malware campaign in a statement, urging organizations to be proactive in updating to the most recent SMA 100 series firmware (10.2.1.7 or later).
The campaign targeted "an extremely limited number of unpatched SMA 100 series appliances from the 2021 timeframe," according to a SonicWall spokesperson. Last week's firmware update included additional hardening such as File Integrity Monitoring (FIM) and anomalous process identification, as well as OpenSSL library updates. The malware uses a bash script named firewalld that executes a SQL command to steal credentials and execute other components, including the TinyShell backdoor. Mandiant tracks the threat actor as UNC4540, and the malware is vulnerable to known exploited vulnerabilities, including CVE-2021-20016, CVE-2021-20028, CVE-2019-7483 and CVE-2019-7481. According to Mandiant's assessment, the attackers have put "a fair amount of resource and effort" into ensuring stability and persistence for the malware. As Mandiant's Daniel Lee, Stephen Eckels and Ben Read observed, "The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence."