LetsAskBinu.com

undetected since 2021 and resists firmware update

March 20, 2023
in Cybersecurity

A suspected Chinese espionage campaign against unpatched SonicWall SMA edge appliances has stayed undetected since 2021, and its implant is built to survive firmware updates.

A model representing edge computing security with connected devices.
Image: ArtemisDiana/Adobe Stock

According to a new Mandiant research report, the malware consists of several bash scripts and a single Executable and Linkable Format (ELF) binary identified as a variant of the TinyShell backdoor. TinyShell is a publicly available tool used by several threat actors (Figure A).

Figure A

List of malware files used in the attack.
Image: Mandiant.

The main malware process is a file called “firewalld,” which runs the TinyShell backdoor with parameters that give the threat actor a reverse shell. The reverse shell connects to a command-and-control (C2) server at a time and day set by the script. If no IP address is passed to the TinyShell binary, it falls back to a hardcoded address.


A copy of the “firewalld” file called “iptabled” was altered to keep the primary malware running if it crashed or was terminated. Each of the two scripts was set up to start the other if it was not already running, which gives the primary malware process a backup instance and makes it more resilient.

The “firewalld” process is launched at boot by the startup script “rc.local,” which gives the attacker access that survives reboots.

A file named “ifconfig6” is also used to improve stability. The main “firewalld” process applies a small patch to a legitimate SonicWall binary named “firebased,” replacing a shutdown string with a call to the “ifconfig6” script. Mandiant researchers suspect the attackers ran into problems when “firebased” shut down the instance and wrote the small script to patch around it.

Once everything is in place, the malware’s end goal is to routinely execute a SQL command that retrieves the hashed credentials of all logged-in users. The attacker can then collect those hashes and crack them offline.

Firmware updates modified

A bash script named “geoBotnetd” found on an infected device checks every 10 seconds for a firmware upgrade to appear at /cf/FIRMWARE/NEW/INITRD.GZ. If one appears, the script backs up the file, unzips it, mounts it, and copies the whole package of malware files into it. It also adds a backdoor root user named “acme” to the system. The malware then rezips the image and puts it back in place, so the implant is carried into the new firmware.
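As an added illustration of the indicators described in the implant write-up and in the firmware-hijacking paragraph above (example code written for this page, not Mandiant’s or SonicWall’s tooling), the following Python script audits an unpacked INITRD or a mounted SMA root filesystem for them: the implant file names, an rc.local that launches “firewalld,” a “firebased” binary that now references “ifconfig6,” and any UID-0 account besides root. The directory layout of the constructed sample tree, the assumption that the files may sit anywhere in the tree, and the string-based check on “firebased” are assumptions made for illustration.

```python
"""Offline audit of an unpacked SonicWall SMA filesystem for the indicators above.

Added example, not Mandiant's or SonicWall's tooling. Point it at a directory
holding a mounted appliance root or an unpacked INITRD and it reports: the
implant file names, an rc.local that launches "firewalld", a "firebased"
binary that now references the "ifconfig6" script, and any UID-0 account
other than root (the "acme" backdoor user). Where the files live on a real
appliance is an assumption; the audit walks the whole tree.
"""
import os
import tempfile

# File names reported for the implant. "firewalld" is also a legitimate daemon
# name on many distributions, so a name hit must be compared against the
# vendor's baseline image before it is treated as a compromise.
MALWARE_NAMES = {"firewalld", "iptabled", "ifconfig6", "geoBotnetd"}


def uid0_accounts(passwd_text):
    """Return every user name with UID 0 other than 'root' in passwd contents."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def _contains(path, needle):
    """True if the raw bytes of the file at path contain needle."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def audit_tree(root):
    """Walk an unpacked filesystem and collect indicators; paths are relative to root."""
    findings = {"malware_files": [], "rc_local_launch": [],
                "patched_firebased": [], "extra_root_users": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in MALWARE_NAMES:
                findings["malware_files"].append(rel)
            elif name == "rc.local" and _contains(path, b"firewalld"):
                findings["rc_local_launch"].append(rel)
            elif name == "firebased" and _contains(path, b"ifconfig6"):
                findings["patched_firebased"].append(rel)
            elif name == "passwd" and os.path.basename(dirpath) == "etc":
                with open(path, "r", errors="replace") as fh:
                    findings["extra_root_users"].extend(uid0_accounts(fh.read()))
    for key in findings:
        findings[key].sort()
    return findings


def _write(root, rel, data):
    """Create rel under root (parent directories included) with text or bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def build_sample_tree(root):
    """Constructed sample tree (not a real appliance image) carrying every indicator."""
    _write(root, "etc/passwd",
           "root:x:0:0:root:/root:/bin/sh\n"
           "acme:x:0:0::/:/bin/sh\n"            # backdoor root user added by geoBotnetd
           "nobody:x:65534:65534::/:/bin/false\n")
    _write(root, "etc/rc.local", "#!/bin/sh\n/usr/sbin/firewalld &\nexit 0\n")
    for name in ("firewalld", "iptabled", "ifconfig6", "geoBotnetd"):
        _write(root, "usr/sbin/" + name,
               "#!/bin/bash\n# placeholder body for the constructed sample\n")
    # Stand-in for the legitimate binary after the implant's string patch.
    _write(root, "usr/sbin/firebased",
           b"\x7fELF" + b"\x00" * 12 + b"/usr/sbin/ifconfig6\x00")
    # A clean passwd elsewhere in the tree must not trigger the UID-0 check.
    _write(root, "cf/etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")


def run_demo():
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for key, hits in run_demo().items():
        print(f"{key}: {hits}")
```

Run it against a directory produced by unpacking a backed-up INITRD.GZ or against a mounted appliance root. A hit on file names alone is a lead rather than a verdict, because the implant chose names that mimic legitimate tools; a second UID-0 entry in /etc/passwd and an unexpected reference to “ifconfig6” inside “firebased” are stronger signals and cheap to check.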

This technique, although not very sophisticated, shows how motivated the attackers are to keep long-term access, because creating and deploying it requires solid knowledge of the firmware upgrade process.

Mandiant researchers indicate that this technique is consistent with another attack campaign they have analyzed that supported key Chinese government priorities.

A long running campaign for cyber espionage purposes

While the primary infection vector remains unknown in this campaign, Mandiant researchers indicate that the malware, or a predecessor of it, was likely deployed in 2021 and that the threat actor probably retained access through multiple firmware updates.

Because the malware’s sole purpose is to steal user credentials, the campaign is strongly suspected to serve cyber espionage goals.

Mandiant stresses that developing malware for a managed appliance is no trivial task, since vendors generally do not offer direct access to the operating system or even the filesystem of such devices, which makes it harder to develop exploits and malware for them.

How to protect from this threat

For this particular attack, SonicWall urges SMA100 customers to upgrade to version 10.2.1.7 or higher. The upgrade includes hardening enhancements such as File Integrity Monitoring (FIM) and anomalous process identification.

On a larger scale, protecting edge devices from compromise requires a multi-layered approach that includes both physical and software security measures.

In addition, educate employees on cybersecurity best practices, such as recognizing phishing emails and avoiding suspicious websites or downloads. The initial infection vector is not known; phishing is one possibility, but it has not been established for this campaign.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

© 2022 Lets Ask Binu All Rights Reserved