According to a recent report from cybersecurity firm Mandiant, Chinese cybercriminals are targeting unpatched SonicWall gateways with credential-stealing malware that persists through firmware upgrades.

The spyware is targeting the SonicWall Secure Mobile Access 100 Series, which provides VPN access to remote users. The malware uses a bash script called firewalld that executes an SQL command to steal credentials and run other components, including the TinyShell backdoor.

Mandiant is tracking the threat actor as UNC4540 and believes a Beijing-backed crew is behind the effort. The campaign is consistent with the pattern of Chinese threat actors targeting network devices for zero-day exploits.

SonicWall has released a firmware update to address this threat.

Indicators of Compromise

Hashes (MD5)
e4117b17e3d14fe64f45750be71dbaa6
2d57bcb8351cf2b57c4fd2d1bb8f862e
559b9ae2a578e1258e80c45a5794c071
8dbf1effa7bc94fc0b9b4ce83dfce2e6
619769d3d40a3c28ec83832ca521f521
fa1bf2e427b2defffd573854c35d4919
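The practical use of a hash list like the one above is to sweep a filesystem image or an exported file tree for files whose digest matches. The following scanner is an added example, not code from Mandiant's report or from SonicWall: it streams each regular file through MD5, compares the digest against the published values, and skips symlinks and unreadable files so one bad entry does not abort the sweep. The `demo()` tree and its file contents are constructed for illustration; the file named `firewalld` in it is a stand-in with made-up content, not the real sample, so its hash is computed and added to the watch-list at run time.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# MD5 hashes copied from the IoC list on this page (32 hex chars = MD5).
IOC_MD5: Set[str] = {
    "e4117b17e3d14fe64f45750be71dbaa6",
    "2d57bcb8351cf2b57c4fd2d1bb8f862e",
    "559b9ae2a578e1258e80c45a5794c071",
    "8dbf1effa7bc94fc0b9b4ce83dfce2e6",
    "619769d3d40a3c28ec83832ca521f521",
    "fa1bf2e427b2defffd573854c35d4919",
}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large images don't need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_matches(root: Path, ioc_hashes: Iterable[str]) -> Dict[str, str]:
    """Walk `root` and return {path: md5} for every regular file whose MD5 is in `ioc_hashes`.

    Comparison is case-insensitive. Symlinks are not followed and files that cannot be
    read are skipped, so a single odd entry never stops the sweep.
    """
    wanted = {h.lower() for h in ioc_hashes}
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = md5_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits[str(p)] = digest
    return hits


def demo() -> Dict[str, str]:
    """Constructed demonstration: build a scratch tree, add one file's hash to the
    watch-list alongside the published IoCs, then scan. Returns the matches found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        benign = root / "etc" / "notes.txt"
        benign.write_bytes(b"constructed benign content\n")
        # Name borrowed from the report; content is constructed, not the real sample.
        suspect = root / "etc" / "firewalld"
        suspect.write_bytes(b"constructed stand-in for a flagged file\n")
        watch = IOC_MD5 | {md5_of_file(suspect)}
        return find_ioc_matches(root, watch)


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"MATCH {digest}  {path}")
```

Run it against a mounted firmware image or an exported file tree by calling `find_ioc_matches(Path("/mnt/image"), IOC_MD5)`; a non-empty result is a strong signal, while an empty one only says none of these six files are present under those exact bytes.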