Hello and welcome to the Friday, March 10th, 2020, edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Well, I think it's the third time this week, maybe the second time and not sure that I'll be talking about an attack that's more sophisticated

and affecting parameter security devices. This time it's Sonic Wall's turn. In particular,

the Sonic Wall Secure Mobile Access Appliances, and it is targeted by what Mandian attributes to a Chinese actor.

So these Sonic Wall appliances do run based on Linux.

The malware is exploiting well-known and patched vulnerability, but if you didn't apply

the patch, well, then it'll take over your system.

It comes to a former sort of simple bash scripts initially just to get sort of the infection started.

Also, uses very common for Unix process names that sort of fit in with what you may expect on a Linux device like Firewall D or

HTTPSD or IP tables. These are some of the names it's using. What I find particular

interesting is that it's specifically built to survive a firmware upgrade.

On these Sonic Wall devices, if you upgrade the firmware, there's first a file being

uploaded to the device, and it's placed the specific directory on a specific file name.

It's a SIP file that's then, of of course being expanded into the new firmware. Well,

the trick here that this particular bot place is that it keeps monitoring the location where

the new firmware image would be loaded before it's being installed. And then it unsips it and

adds an backdoor root account.

Well, it's actually using Acme as a username, but the UID and GID of Zero.

So with that, if the new firmware is installed, the bot will no longer be present on the system,

but this backdoor account can then be used to reinfect the system. Mannion just now published details about this

particular attack, but apparently at least some of the features of this attack go back to

2021.

...