Researchers at Mandiant have identified a malware campaign targeting SonicWall SMA 100 Series appliances, thought to be of Chinese origin. The malware was likely deployed in 2021 and was able to persist on the appliances tenaciously, even surviving firmware upgrades. It was able to steal user credentials and provide shell access.

The SMA 100 Series is an access control system that lets remote users log in to company resources. It offers a combined single-sign-on (SSO) web portal to authenticate users, so intercepting user credentials would give an attacker that is after sensitive information a huge advantage.

The Mandiant researchers reportedly worked with the SonicWall Product Security and Incident Response Team (PSIRT) to examine an infected device. The analysis of the files found on the device showed that harvesting the (hashed) credentials of all logged-in users was the primary purpose of the malware. A number of scripts and a TinyShell variant provided the attacker with readily available, high-privileged access.