- Jul 27, 2015
On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the ability of the malware to remain on the devices even after its firmware received new firmware.
“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.” To achieve this persistence, the malware checks for available firmware updates every 10 seconds. When an update becomes available, the malware copies the archived file for backup, unzips it, mounts it, and then copies the entire package of malicious files to it. The malware also adds a backdoor root user to the mounted file. Then, the malware rezips the file so it's ready for installation.
“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers wrote. The persistence techniques are consistent with an attack campaign in 2021 that used 16 malware families to infect Pulse Secure devices. Mandiant attributed the attacks to multiple threat groups, including those tracked as UNC2630, UNC2717, which the company said support “key Chinese government priorities.” Mandiant attributed the ongoing attacks against SonicWall SMA 100 customers to a group tracked as UNC4540.