Suspected Chinese cyber criminals have zeroed in on unpatched SonicWall gateways and are infecting the devices with credential-stealing malware that persists through firmware upgrades, according to Mandiant.
The spyware targets the SonicWall Secure Mobile Access (SMA) 100 Series – a gateway device that provides VPN access to remote users.
The networking vendor confirmed the malware campaign in a statement emailed to The Register:
“Working in partnership with Mandiant, the SonicWall Product Security and Incident Response Team (PSIRT) confirmed a persistent threat actor campaign leveraging malware against unpatched SonicWall Secure Mobile Access (SMA) Series 100 appliances. While not tied to a new or specific vulnerability, SonicWall urges organizations to be proactive in updating to the most recent SMA 100 series firmware (10.2.1.7 or later), which includes additional hardening and security controls.”