Chinese-linked hackers have been suspected of targeting unpatched SonicWall SMA devices with malware. This malware can reveal a collection of highly privileged information and grant access to Chinese hackers.

SonicWall is a cybersecurity company based in the United States that sells a variety of Internet appliances aimed primarily at content control and network security.

In conjunction with the Capture Advanced Threat Protection (ATP) sandbox service, SonicWall firewalls have received the highest level of firewall, anti-malware, and advanced threat defense certifications from the Institute of Chartered Secretaries and Administrators (ICSA) Labs.

You can imagine the surprise when news broke that one of the devices, the Secure Mobile Access (SMA) of such a highly secure cybersecurity firm, had been compromised by a group of Chinese hackers using a certain malware.

Although the device was unpatched, it was weak and very susceptible to allowing attackers to leverage a known security bug by running malicious code.

Mandiant, a threat security and cybersecurity company, reported that analysis of a compromised device revealed a group of files that give the attacker—in this case, the Chinese—highly privileged and accessible access to the SonicWall devices.

A single ELF binary identified as a TinyShell variant and a collection of bash scripts makes up the malware. The malicious bash scripts’ combined behavior demonstrates a thorough understanding of the appliance and is well-tailored to the system to provide stability and persistence.

Why hackers might want the SonicWall SMA device

The overview of the Secure Mobile Access 100 series published by SonicWall on their site is high, and the services the company agreed to provide through the SMA device could be why hackers rushed the device.

I’ll let you read a direct quote from the overview published.

“With multiple layers of security through policy-enforced access control to applications after establishing user and device identity and trust, a SonicWall SMA 100 Series means users can work from anywhere with security everywhere.”

The malware used in the Chinese hacking appears to have been created to steal contact information from all currently logged-in users. Additionally, it gives the compromised device shell access.

Mandiant also criticized the attacker’s in-depth knowledge of the software of the target device and its capacity to create malware specifically designed to withstand firmware updates and keep a foothold on the network.

Although the precise initial attack intrusion vector is unknown, it is believed that the malware was probably installed on the devices by exploiting known security flaws, in some cases as early as 2021.

What SonicWall can do to get back the SMA device from the Chinese hackers

The company is a big enough company. We assume they have a team of engineers figuring out how to get these hackers out of their system. It might be difficult as the device was unpatched upon launching. Here’s what SonicWall can do.

1. Avoid Launching an Unpatched Device: With the promises indicated by SonicWall about the SMA device, uploading it unpatched was a very wrong move to make. Uploading an unmatched device meant leaving it vulnerable to hackers. In this case, these Chinese hackers saw holes in the system and did not hesitate. They saw an opportunity and seized it quickly. Now, SonicWall’s client base is at risk.
2. Advise their Clients to Logout: Since hackers have threatened the device and its network, SonicWall should find a secure means to communicate with its clients and urge them to log out, stay safe, and be mindful of the information shared on the device or around it.

This is not the first time SonicWall has received threats from hackers. The company states this in the SonicWall 2023 cyber threat report.