Another Malware with Persistence
Here’s a piece of Chinese malware that infects SonicWall security appliances and survives firmware updates.
On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the ability of the malware to remain on the devices even after its firmware received new firmware.
“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”
To achieve this persistence, the malware checks for available firmware upgrades every 10 seconds. When an update becomes available, the malware copies the archived file for backup, unzips it, mounts it, and then copies the entire package of malicious files to it. The malware also adds a backdoor root user to the mounted file. Then, the malware rezips the file so it’s ready for installation.
“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers wrote.
Clive Robinson • March 10, 2023 7:52 AM
@ ALL,
I wrote a little on this APT this morning,
But a lot more on why I’ve seen the security hole it used to be “persistant”. Because I’ve seen the mistake that was made be made over and over again with “code signing” used for updating.
It’s especially true of “embedded devices” where ubtill recently resources were limited.
Any way you can read more,
https://www.schneier.com/blog/archives/2023/03/friday-squid-blogging-were-almost-at-flying-squid-drones.html/#comment-419207
If there is one big takeaway,
“Understand the difference between authenticating a communications channel and authenticating any transactions that come through the channel.”
In security more generally way to many make the mistake of authenticating channels, not the transactions.