New attacks are similar to those that other China-backed actors have carried out in recent years as part of cyber espionage and data theft campaigns against US companies.
A likely China-based threat actor is targeting unpatched SonicWall Secure Mobile Access 100 Series (SMA100) devices with highly persistent malware for stealing user credentials and providing the adversary with remote secure shell access to compromised systems.
Researchers from Mandiant who spotted the malicious campaign recently have attributed it to a threat actor they are currently tracking as UNC4540. In an advisory this week the security vendor said it has not been able to determine the vector that the adversary is using to gain initial access on unpatched SonicWall devices. While Mandiant’s advisory refers to the malware affecting unpatched SonicWall devices, it does not say what vulnerabilities these devices might be unpatched against. Here’s Mandiant’s advisory.
What makes the attacks dangerous
There are a couple of aspects about the malware that are notable. One of them its ability to persist on a compromised system through reboots and firmware updates. The other is its overall behavior, which according to Mandiant, suggests a detailed understanding of how SonicWall appliances work.
The malware’s persistence mechanisms include the use of redundant scripts for the main malware process.
Mandiant analysts found each of the two scripts configured in such a manner as to call the other if it is not running. The backup instance of the main malware process basically ensures resilience and persistence that extends beyond an unexpected system exit or crash Mandiant said. In addition, the attackers have also implemented mechanisms for backdooring firmware update files and modifying appliance binaries to ensure their malware can persist through a firmware update. The firmware modifications that Mandiant observed happened post-exploitation and not via a supply chain attack.
How to protect against the threat
SonicWall wants customers of SMA100 to upgrade to version 10.2.1.7 or higher. The company released the update on March 7, 2023, touting several security enhancements for detecting, containing, eradicating and recovering from potential threats and attacks. “Reviewing available logs for secondary signs of compromise such as abnormal logins or internal traffic, may offer some opportunities for detection,” Mandiant said. However, updating the 10.2.1.7 is the best way to prevent compromise, it noted.
Here’s SonicWall’s upgrade path for SMA100 Series and here’s a link to a blog that explains the new security features in 10.2.1.7
Why SonicWall SMA100 customers need to patch
The attacks matter because they fit into a broader pattern of Chinese adversaries seeking to gain and maintain persistent access on the networks of US companies so they can conduct cyber espionage, IP theft and a variety of other malicious activities. Many of these campaigns have targeted network routers firewalls, IPS and IDS appliances because of the often-privileged access these devices offer on a target network. By stealing access credentials via these devices attackers can execute malicious actions on a compromised network in a virtually undetectable fashion.
Security vendors that have tracked these campaigns have described them as likely state-backed and focused heavily on organizations in the US government and defense sectors.
Mandiant described the persistence mechanisms in the malware targeting SonicWall SMA100 devices as consistent with those that Chinese APT groups UNC2630 and UNC2717 employed in a 2021 campaign to infiltrate Pulse Secure VPN devices.