In context: SonicWall is an American company that sells Internet appliances for network security and remote access, making it a potentially very attractive target for cyber-criminals trying to deploy a persistent presence in high-profile organizations around the world.

Security researchers at Mandiant have uncovered a new malicious campaign against network appliances sold by SonicWall. The unknown actors behind the campaign are likely Chinese and working to benefit the Communist dictatorship, the analysts say, and the group is currently tracked as UNC4540.

The attack is targeting the Secure Mobile Access (SMA) 100 device, a secure remote access appliance used by companies and organizations to deploy and manage remote workers. SMA 100 can provide access control to remote users, VPN connections, and unique profiles for each user. In 2021, the appliance was targeted by hackers who exploited a zero-day flaw.

The threat discovered by Mandiant is designed to survive the latest firmware updates provided by SonicWall. To achieve this kind of persistence, the malware remotely checks for new firmware updates every 10 seconds. When an update is available, the malware downloads the archive, unzips and mounts it, and then copies itself into it.

The malware also adds a backdoored root user to the package before rezipping the files and putting the archive back in place, ready to be installed. When the update is done, the malware continues to work in the new firmware environment as well.
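One way a defender could check a staged update archive for the two changes described above (files added to the package and an extra root-level account), shown as an added example that is not code from Mandiant or SonicWall. It assumes the update is a zip containing an `etc/passwd` file and that a known-good copy of the same update is available for comparison; the archive layout, file paths and account names are constructed placeholders.

```python
import hashlib
import io
import zipfile


def build_zip(files):
    """Build an in-memory zip from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def manifest(zip_bytes):
    """Map every file in the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if not n.endswith("/")}


def uid0_accounts(passwd_text):
    """Return account names whose UID field (third column) is 0."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in fields if len(f) >= 3 and f[2] == "0"]


def audit(staged, reference, passwd_path="etc/passwd"):
    """Compare a staged update with a known-good copy and list what differs."""
    ref, cur = manifest(reference), manifest(staged)
    report = {
        "added": sorted(set(cur) - set(ref)),
        "removed": sorted(set(ref) - set(cur)),
        "modified": sorted(n for n in set(cur) & set(ref) if cur[n] != ref[n]),
        "extra_uid0": [],
    }
    if passwd_path in cur:
        with zipfile.ZipFile(io.BytesIO(staged)) as z:
            text = z.read(passwd_path).decode("utf-8", "replace")
        # Any UID 0 account other than "root" has full root privileges.
        report["extra_uid0"] = [u for u in uid0_accounts(text) if u != "root"]
    return report


# Constructed sample data: placeholder paths and names, not SMA 100 firmware contents.
PASSWD = "root:x:0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n"
CLEAN = build_zip({"etc/passwd": PASSWD, "bin/service": b"constructed"})
TAMPERED = build_zip({"etc/passwd": PASSWD + "example-user:x:0:0::/:/bin/sh\n",
                      "bin/service": b"constructed", "bin/example-extra": b"constructed"})

if __name__ == "__main__":
    print(audit(TAMPERED, CLEAN))
```

The comparison works on the contents of each file rather than on the archive as a whole, so re-compression alone does not raise a finding, while any added file or changed account list does.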

Mandiant said the technique is not particularly sophisticated, but it does show the considerable effort put forth by the unknown cyber-criminals to study and understand the appliance update cycle.

"In recent years," the analysts state, "Chinese attackers have deployed multiple zero-day exploits and malware for a variety of Internet-facing network appliances" to achieve full enterprise intrusion capabilities. The new UNC4540 instance is yet another episode in this long list of sophisticated attacks, and Mandiant expects this trend to continue "in the near term."

After analyzing the malicious package, Mandiant researchers found a collection of Bash scripts (Bash being a Unix shell commonly used as a default login interface for Linux operating systems) and a single ELF (Linux) binary file identified as a TinyShell variant.

The researchers haven't identified the initial vector for infection yet, but SonicWall (which worked together with Mandiant to uncover the threat) has released a new firmware update (10.2.1.7) for SMA 100. The company also recommends customers and admins regularly review device logs to identify any sign of an ongoing infection.