A suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access appliances to install custom malware that establishes long-term persistence for cyber espionage campaigns.
The deployed malware is customized for SonicWall devices and is used to steal user credentials, provide shell access to the attackers, and even persist through firmware upgrades.
The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts that show a deep understanding of the targeted network devices.
Recent flaws disclosed by SonicWall [1, 2, 3] that impacted SMA devices allowed unauthenticated access to devices, which could then be used in campaigns like this one.
If one is found, the malware injects itself into the upgrade package to survive even after firmware upgrades.
Similar to the SonicWall campaign, the threat actors behind the Fortinet attacks showed intimate knowledge about the devices and how they operated to inject custom malware for persistence and data theft.
