Hackers pursue ongoing attack campaign against end-of-life SonicWall SMA 100 appliances
In a recent development, a financially motivated threat actor known as UNC6148 has been targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances with a new malware called Overstep. This backdoor acts as a persistent user-mode rootkit, designed to maintain access, steal credentials, and conceal its presence [1][2][4].
The campaign, which has been active since at least October 2024, is notable for its ability to affect devices even after patches have been applied, and its use of sophisticated anti-forensic techniques, such as selectively removing log entries to obscure initial infection methods [1][2].
While the specific vulnerabilities exploited in this campaign have not been explicitly identified, available intelligence suggests several key points about the vulnerabilities involved:
- **Credential Compromise:** UNC6148 uses credentials and one-time password (OTP) seeds stolen during prior intrusions to regain access, even on patched devices [1][2]. This implies that credential compromise, possibly via earlier, unpatched vulnerabilities, is a critical component of the attack chain.
- **Possible Exploitation of Known Vulnerabilities:** While evidence is limited due to the malware's anti-forensic capabilities, it is likely that UNC6148 exploited known vulnerabilities to gain initial access [1][2]. However, the exact vulnerabilities have not been specified.
- **Potential Zero-Day Exploitation:** It is assessed with moderate confidence that the group may have used an unknown (zero-day) remote code execution (RCE) vulnerability to deploy Overstep on targeted appliances [1][2][3]. This suggests a vulnerability not yet publicly disclosed or patched by SonicWall.
- **Historical Context:** The campaign's tactics overlap with earlier exploitation of SonicWall SMA devices in 2023/2024, linked to the deployment of Abyss/VSOCIETY ransomware [1][4]. However, specific CVE numbers from those incidents are not enumerated in the latest reporting.
Google’s Threat Intelligence Group (GTIG) has been collaborating with SonicWall on the findings related to UNC6148. Researchers have not found any overlaps between this activity and the past campaigns of known threat groups [3].
SonicWall plans to expedite the end-of-support date for the SMA 100 appliances, and will provide detailed mitigation guidance to customers and partners in the coming weeks [5]. Organisations are advised to assume compromised credentials and consider physical disk imaging for forensic analysis due to the rootkit’s anti-forensic capabilities [3].
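Because Overstep selectively removes log entries on the appliance, a copy of the logs that was forwarded off-box before the intrusion is the most reliable record of what happened. The script below is an added example, not code from the article, SonicWall or GTIG: it reconciles a local log export against the copy a syslog collector received and flags entries that exist remotely but are missing locally, and it also looks for gaps in event-id sequences when no forwarded copy exists. The `timestamp|event_id|message` layout and all log lines are constructed and hypothetical, not the real SMA 100 log format, and the function names are this example's own.

```python
"""Added example (not from the original article, SonicWall or GTIG):
reconcile an appliance's local log export against the copy forwarded to a
syslog collector, to detect entries that were deleted on the device.
The 'timestamp|event_id|message' format and every line below are constructed
for illustration; they are not the real SMA 100 log format."""

from datetime import datetime

# Constructed sample: what the off-box syslog collector received.
FORWARDED_LOG = """\
2024-10-03T08:00:01Z|1001|admin session start from 203.0.113.5
2024-10-03T08:00:07Z|1002|otp accepted for user admin
2024-10-03T08:00:12Z|1003|file upload via management ui
2024-10-03T08:00:15Z|1004|post-upload script executed
2024-10-03T08:02:40Z|1005|admin session end
"""

# Constructed sample: the export taken from the appliance itself, where the
# two entries describing the upload and script execution have been removed.
LOCAL_LOG = """\
2024-10-03T08:00:01Z|1001|admin session start from 203.0.113.5
2024-10-03T08:00:07Z|1002|otp accepted for user admin
2024-10-03T08:02:40Z|1005|admin session end
"""


def parse(text):
    """Parse the hypothetical format into (timestamp, event_id, message) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, msg = line.split("|", 2)
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), msg))
    return entries


def missing_locally(forwarded, local):
    """Return forwarded entries whose (timestamp, event_id) pair is absent locally."""
    local_keys = {(ts, eid) for ts, eid, _ in local}
    return [e for e in forwarded if (e[0], e[1]) not in local_keys]


def sequence_gaps(entries):
    """Return (previous_id, next_id) pairs where event ids are not consecutive.

    Usable on the local export alone when no forwarded copy exists; a gap is
    only a hint, since ids may legitimately be non-contiguous on some systems."""
    ids = [eid for _, eid, _ in entries]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


def reconcile(forwarded_text, local_text):
    """Run both checks and return a summary dict for reporting."""
    forwarded = parse(forwarded_text)
    local = parse(local_text)
    missing = missing_locally(forwarded, local)
    return {
        "forwarded_count": len(forwarded),
        "local_count": len(local),
        "missing_event_ids": [eid for _, eid, _ in missing],
        "local_sequence_gaps": sequence_gaps(local),
    }


if __name__ == "__main__":
    summary = reconcile(FORWARDED_LOG, LOCAL_LOG)
    print(f"forwarded entries : {summary['forwarded_count']}")
    print(f"local entries     : {summary['local_count']}")
    print(f"missing locally   : {summary['missing_event_ids']}")
    print(f"id gaps in local  : {summary['local_sequence_gaps']}")
    for ts, eid, msg in missing_locally(parse(FORWARDED_LOG), parse(LOCAL_LOG)):
        print(f"  deleted on device? {ts.isoformat()} {eid} {msg}")
```

The comparison keys on timestamp plus event id rather than on message text, so benign formatting differences between the local and forwarded copies do not produce false positives. The sequence-gap check is a weaker signal and is only a prompt to pull the forwarded copy or a disk image, which is what the guidance above recommends when the device's own logs cannot be trusted.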
Given the lack of explicit CVE disclosures, the primary attack vectors remain credential theft and potential exploitation of both known and unknown vulnerabilities, with a strong emphasis on maintaining persistence even after patches are applied [1][2][3]. The malware used by UNC6148 demonstrates detailed technical knowledge of the SMA 100 series software.
[1] Rapid7
[2] Google Threat Intelligence Group (GTIG)
[3] SonicWall
[4] CISA
[5] Bleeping Computer
- The malware used by UNC6148, called Overstep, is a threat to privacy and to data and cloud environments, as it acts as a persistent user-mode rootkit, stealing credentials and concealing its presence.
- Despite patches being applied, the malware's ability to affect devices and its use of sophisticated anti-forensic techniques like selectively removing log entries make it a significant cybersecurity threat.
- Intelligence suggests that the attack chain involves credential compromise, possibly via earlier, unpatched vulnerabilities, and potential exploitation of known vulnerabilities or even a zero-day vulnerability.
- In response, SonicWall plans to expedite the end-of-support date for the SMA 100 appliances, and organizations are advised to assume compromised credentials and consider physical disk imaging for forensic analysis due to the rootkit's anti-forensic capabilities, demonstrating the importance of robust cybersecurity measures.