SonicWall devices infected with persistent malware by suspected Chinese hacking campaign: Report

SonicWall devices were found to be infected by malware originating from a suspected Chinese hacking campaign that could survive firmware upgrades

March 10, 2023 01:15 pm | Updated 01:15 pm IST

Devices from SonicWall, an American cybersecurity company were found to be infected by persistent malware. | Photo Credit: Special Arrangement

Devices from SonicWall, an American cybersecurity company that sells internet appliances directed at content control and network security, were found to be infected by persistent malware.

Aimed at gaining privileged access within the appliance, the malware was found to be able to steal hashed credentials from logged-in users, which would later be retrieved to be cracked online.

Originating from a suspected Chinese hacking campaign, the attack involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance, a blog post from Mandiant said.

Attackers used an ELF binary, the TinyShell backdoor, and several bash scripts that point to a deep understanding of the targeted network devices.

The malware used on SonicWall devices was found to enter the devices through a bash script named firewalld, which is responsible for executing an SQL command to accomplish credential stealing and for executing the other components, the post said.

Attackers also made efforts to ensure the malware would persist across firmware updates by running a startup script at boot time, along with a secondary script that restarted the malware if it exited or crashed.

While it is unclear what vulnerability was used to compromise devices, the malware or a predecessor of it was likely deployed in 2021 and is believed to have persisted through multiple firmware updates.
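The persistence described above (an added startup script, an existing boot script modified to launch it, a watchdog that restarts it) is exactly what a file-integrity baseline catches: hash every file in a known-good firmware image, then diff the running appliance against that manifest and flag anything added, modified or missing. The following is an added illustration of that check, not code from Mandiant or SonicWall; the directory layout (`etc/rc.d`, `rc.local`) is a hypothetical stand-in for the appliance's real startup locations, and the `firewalld` script body is a constructed placeholder that only borrows the name reported above.

```python
"""Baseline-diff file integrity check for an appliance file system.

Added example; the appliance paths are hypothetical and the sample tree is constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (forward-slash relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_against_manifest(root, manifest):
    """Compare the live tree with a known-good manifest.

    Returns sorted lists of paths that were added, modified or are missing.
    """
    current = build_manifest(root)
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return {"added": added, "modified": modified, "missing": missing}


def demo():
    """Constructed scenario mirroring the report: a clean tree is baselined, then a
    new startup script appears and an existing boot script is edited to launch it."""
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "etc", "rc.d")  # hypothetical startup directory
        os.makedirs(boot)
        with open(os.path.join(boot, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n# legitimate boot script\n")

        manifest = build_manifest(root)  # taken from the known-good firmware image

        # Persistence as described: a startup script added under a benign-looking name
        # (placeholder content, not the real malware)
        with open(os.path.join(boot, "firewalld"), "w") as f:
            f.write("#!/bin/sh\n# placeholder standing in for the reported script\n")
        # ... and an existing boot script modified so it runs at every boot
        with open(os.path.join(boot, "rc.local"), "a") as f:
            f.write("/etc/rc.d/firewalld &\n")

        return diff_against_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The manifest must come from the vendor's firmware image, not from the appliance itself, because a device that was already compromised before the first upgrade (as the report says is likely here) would baseline the implant as "known good". And the comparison is best run from outside the running system, for example against a mounted image, since malware running with privileged access on the appliance can hide files from tools that run on it.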

“In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term”, the company said in the post.
