A suspected China-linked hacking campaign has been found targeting SonicWall SMA 100 series appliances since at least 2021. The threat actor behind it, tracked by Mandiant as UNC4540, drops custom malware on the appliances and establishes long-term persistence in order to steal credentials.

How the attack unfurls

The initial access vector is unknown; the likeliest explanation is that the malware was deployed on unpatched SonicWall SMA devices by exploiting known security flaws.
  • The malware consists of a set of bash scripts and a single ELF binary identified as a TinyShell backdoor.
  • The main module, firewalld, runs SQL commands against the appliance's database to extract the password hashes of all logged-in users.
  • It writes the stolen hashes to a text file created by the attacker, who presumably retrieves the file later and cracks the hashes offline.
  • The malware then launches TinyShell to open a reverse shell from the compromised device, giving the attacker easy remote access.
  • Finally, it applies a small patch to the legitimate SonicWall binary firebased so that the malware is not disrupted when the device is shut down.

Attaining persistence

According to Mandiant researchers, the malware has persisted through multiple subsequent firmware updates, giving the adversary a lasting foothold on the network.
  • The malware carries a second copy of firewalld named iptabled. The two scripts act as watchdogs for each other, so that if one is stopped the other keeps the attacker's access alive.
  • The bash script geoBotnetd checks for a new firmware upgrade package every 10 seconds; if one is present, it unpacks the archive, copies the malware into it, and repacks the archive in its original location, so the malware is carried across the firmware upgrade.
  • It also adds a backdoor user named acme to the upgrade package, so the attacker retains an account on the appliance once the upgrade has been applied.

Patch soon

SonicWall has released updates for the SMA 100 series that add new security features, including File Integrity Monitoring (FIM) and anomalous process identification. Organizations are advised to upgrade to version 10.2.1.7 or higher, keep patch management current, and monitor their edge devices regularly to catch threats of this kind.
Cyware Publisher