https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
Undetected since 2021 and resists firmware update
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540…
Mandiant was not able to determine the origin of the infection; however, the malware, or a predecessor of it, was likely deployed in 2021. Mandiant believes that attacker access has persisted through multiple firmware updates…