Chinese UNC4540 Hackers Spying via SonicWall Devices, Says Mandiant

Chinese hackers suspected of being linked to the government have been found targeting SonicWall gateways and infecting the devices with malware that steals user credentials. The finding comes from researchers at Mandiant, who track the threat group as UNC4540.

While the activity has not been tied to any specific vulnerability, SonicWall is urging organizations to update SMA 100 appliances to firmware 10.2.1.7 or later to protect against further intrusions. The recent update adds security measures, including file integrity monitoring, detection of abnormal processes, and an updated OpenSSL library.

SonicWall has not been able to identify the initial attack vector, but researchers found that the affected devices contained known exploited vulnerabilities. The campaign is consistent with earlier tactics by Chinese attackers aimed at exploiting zero-day vulnerabilities in network devices.

The malware consists of Bash scripts and a single ELF binary, which Mandiant identified as a TinyShell backdoor. The scripts execute SQL commands to steal credentials and then launch the TinyShell backdoor. Its main goal is to steal the hashed credentials of all users who have logged in to the device.

Mandiant warns that the hackers check for new firmware updates every 10 seconds, suggesting they are trying to understand the device update cycle in order to develop a persistence method.

SonicWall has acknowledged that only a small number of devices were affected. However, the severity of the attack underscores how institutionalized Chinese hacking groups have become, and how important it is for organizations to remain vigilant and diligent in securing their networks.
