According to a recent report from cybersecurity firm Mandiant, Chinese cybercriminals are targeting unpatched SonicWall gateways with credential-stealing malware that persists through firmware upgrades.
The spyware is targeting the SonicWall Secure Mobile Access 100 Series, which provides VPN access to remote users. The malware uses a bash script called firewalld that executes an SQL command to steal credentials and run other components, including the TinyShell backdoor.
Mandiant is tracking the threat actor as UNC4540 and believes a Beijing-backed crew is behind the effort. The campaign is consistent with the established pattern of Chinese threat actors exploiting zero-day vulnerabilities in network devices.
SonicWall has released a firmware update to address this threat.
Indicator of Compromise