Researchers at Mandiant have identified a malware campaign targeting SonicWall SMA 100 Series appliances, thought to be of Chinese origin. The malware was likely deployed in 2021, and was able to persist on the appliances tenaciously, even surviving firmware upgrades. The malware was able to steal user credentials and provide shell access.

The SMA 100 Series is an access control system that lets remote users log in to company resources. It offers a combined single sign-on (SSO) web portal to authenticate users, so intercepting user credentials would give an attacker who is after sensitive information a huge advantage.

The Mandiant researchers reportedly worked with the SonicWall Product Security and Incident Response Team (PSIRT) to examine an infected device. The analysis of the files found on the device showed that harvesting the (hashed) user credentials of all logged-in users was the primary purpose of the malware. A number of scripts and a TinyShell variant provided the attacker with readily available, high-privileged access.

The original TinyShell is a Python command shell used to control and execute commands through HTTP requests to a web shell. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. In other words, it acts as a backdoor on affected systems.

The researchers noted that the attackers put significant effort into the stability and persistence of their tooling and showed a detailed understanding of the appliance. The malware checked for the presence of a firmware upgrade every ten seconds.