A newly observed hacking campaign is targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances. The campaign has been linked to China and has been seen dropping malware that establishes long-term persistence on the devices. The implant is capable of more than persistence: "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," according to Mandiant, the Google-owned incident response and threat intelligence firm that is tracking the activity under its UNC4540 moniker.
The malware itself is a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor. It is engineered to grant the attacker privileged access to the SonicWall device, and it has been observed stealing the cryptographically hashed credentials of all logged-in users as well as providing shell access to the compromised appliance. The overall objective behind the custom toolset appears to be credential theft.
Mandiant has called out the attacker's in-depth understanding of the device software, as well as their ability to develop tailored malware that survives firmware updates and maintains a foothold on the network. This is particularly concerning because the exact initial intrusion vector is unknown. Mandiant suspects the malware was deployed on the devices, in some instances as early as 2021, by exploiting known security flaws.

If you operate a SonicWall Secure Mobile Access (SMA) 100 appliance, make sure it is patched and running the current firmware. Note that patching closes the suspected entry point but does not by itself evict an implant that is already present, since this malware is designed to persist through firmware upgrades; a device that may have been exposed while unpatched should also be checked for signs of compromise. Keep an eye out for any suspicious activity and report it immediately.
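The persistence and the dropped tooling described above (bash scripts plus an ELF binary that survive a firmware upgrade) are the kind of thing a baseline integrity audit can surface. The following is an added example, not code from the article or from Mandiant: it hashes every regular file under an extracted firmware image or filesystem dump, diffs the result against a known-good manifest taken from a clean install of the same firmware version, and flags any added or modified file that is an ELF binary or a shebang script. The directory layout, file names and "tampering" in `build_demo` are constructed for the demo and are not real SMA 100 paths or indicators.

```python
"""Baseline integrity audit for an appliance filesystem or extracted firmware image.

Compares the files present against a known-good manifest (path -> sha256) and
flags added or altered ELF binaries and shell scripts. All paths and file names
in build_demo() are constructed for the demo (assumption), not real SMA 100 paths.
"""

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """Return 'elf' for ELF binaries, 'script' for shebang files, else 'other'."""
    with open(path, "rb") as f:
        head = f.read(64)
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def snapshot(root: Path) -> dict:
    """Map every regular (non-symlink) file under root to its sha256, keyed by relative POSIX path."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def audit(root: Path, manifest: dict) -> dict:
    """Diff the tree under root against the manifest and flag suspicious executables.

    Returns added / missing / modified relative paths, plus a 'suspicious' list of
    (path, kind, how) for added or modified files that are ELF binaries or scripts.
    """
    current = snapshot(root)
    added = sorted(set(current) - set(manifest))
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current.keys() & manifest.keys() if current[p] != manifest[p])
    suspicious = []
    for rel in added + modified:
        kind = classify(root / rel)
        if kind in ("elf", "script"):
            suspicious.append((rel, kind, "added" if rel in added else "modified"))
    return {"added": added, "missing": missing, "modified": modified, "suspicious": suspicious}


def build_demo() -> tuple:
    """Constructed demo tree: baseline a 'clean' install, then tamper with it.

    The tampering mirrors what the article describes in shape only: a dropped ELF
    binary, a dropped bash script, and a startup script edited to launch the binary.
    Names are invented for the demo.
    """
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "etc" / "rc.local").write_bytes(b"#!/bin/sh\nexit 0\n")
    (root / "usr" / "bin" / "httpd").write_bytes(b"\x7fELF\x01\x01\x01" + b"\x00" * 32)
    (root / "etc" / "motd").write_bytes(b"welcome\n")
    manifest = snapshot(root)  # known-good baseline captured before tampering

    # Constructed tampering, applied after the baseline was taken:
    (root / "usr" / "bin" / "fakeservice").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 32)
    (root / "etc" / "rc.local").write_bytes(b"#!/bin/sh\n/usr/bin/fakeservice &\nexit 0\n")
    (root / "etc" / "dump_creds.sh").write_bytes(b"#!/bin/bash\n# stand-in for a credential-harvesting script\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    report = audit(demo_root, demo_manifest)
    for rel, kind, how in report["suspicious"]:
        print(f"{how:8} {kind:6} {rel}")
```

Two practical notes. First, take the manifest from a clean image of the same firmware version rather than from the device itself, and run the comparison offline against a dump or extracted image: a device whose root-level implant can provide shell access is not a trustworthy place to compute its own hashes. Second, a hit on a modified startup script is at least as important as a new binary, because editing a script that the firmware already runs at boot is one way an implant gets re-launched after an upgrade.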