firewalld

A suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access (SMA) appliances... While it is unclear what vulnerability was used to compromise devices, Mandiant says that the targeted devices were unpatched, making them likely vulnerable to older flaws.

The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts... The threat actors achieved this by using scripts that offer redundancy and ensure long-term access to breached devices.

For example, there's a script named 'iptabled' that is essentially the same module as firewalld but will be only called by the startup script ('rc.local') if the primary malware process exits, crashes, or can't be launched.

For example, there's a script named 'iptabled' that is essentially the same module as firewalld but will be only called by the startup script ('rc.local') if the primary malware process exits, crashes, or can't be launched.

The main module, named 'firewalld,' executes SQL commands against the appliance's database to steal the hashed credentials of all logged-in users. The stolen credentials are copied on a text file created by the attacker at 'tmp/syslog.db' and are later retrieved to be cracked offline.

Additionally, firewalld launches other malware components, like TinyShell, to establish a reverse shell on the appliance for easy remote access.