Outdated SonicWall SMA 100 Appliances Subjected to OVERSTEP Rootkit Attacks

OVERSTEP could also be leveraged for ransomware delivery.


The UNC6148 threat group has deployed the OVERSTEP backdoor against SonicWall Secure Mobile Access (SMA) 100 series appliances that were fully patched but no longer supported.

As part of a campaign that began in October, UNC6148 has used previously exposed SonicWall SMA 100 administrator credentials and possibly an as-yet-unidentified remote code execution zero-day, The Hacker News reports.

With that access, the attackers establish an SSL-VPN session and a reverse shell for reconnaissance before eventually deploying OVERSTEP, which steals credentials, maintains persistence and conceals the intrusion by removing log entries and rebooting the appliance, according to an analysis by the Google Threat Intelligence Group (GTIG).
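Because OVERSTEP hides itself by deleting entries from the appliance's own logs, the on-box log alone cannot be trusted as a record of what happened. The following is an added example, not code from this article or from GTIG's report, showing the two checks a responder would reach for: diffing the surviving on-box log against the copy an external syslog collector received at the time, and, where no external copy exists, flagging unusually long silences in a log that normally chatters. The log format, the hostname and the sample lines are constructed for illustration and are not SonicWall's real format.

```python
"""
Added example, not code from the SC UK article or from GTIG's report.

Check 1: entries an external syslog collector received that are no longer on the
appliance (authoritative, if off-box forwarding was in place before the intrusion).
Check 2: long silences in the on-box log (heuristic, for when no external copy exists).
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed syslog-style line: "<ISO-8601 UTC timestamp> <host> <message>".
# This is an illustrative format, not SonicWall's actual log format.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<msg>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Entry:
    ts: str
    host: str
    msg: str


def parse(lines):
    """Parse constructed syslog-style lines into Entry objects; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["host"], m["msg"]))
    return entries


def missing_on_appliance(collector_lines, appliance_lines):
    """Entries the external collector received that are absent from the on-box log.

    A multiset comparison is used so that deleting one of two identical entries
    is still detected. Output order follows the collector's copy.
    """
    remaining = Counter(parse(appliance_lines))
    missing = []
    for entry in parse(collector_lines):
        if remaining[entry] > 0:
            remaining[entry] -= 1
        else:
            missing.append(entry)
    return missing


def time_gaps(lines, max_gap_seconds=900):
    """Silences longer than max_gap_seconds between consecutive entries (assumed chronological).

    Returns (start_ts, end_ts, seconds) tuples. Heuristic only: a quiet period is
    benign, and deleting single lines inside a busy window will not widen any gap.
    """
    entries = parse(lines)
    stamps = [datetime.strptime(e.ts, TS_FORMAT) for e in entries]
    gaps = []
    for prev, cur, a, b in zip(entries, entries[1:], stamps, stamps[1:]):
        delta = int((b - a).total_seconds())
        if delta > max_gap_seconds:
            gaps.append((prev.ts, cur.ts, delta))
    return gaps


# Constructed sample data. Hostname and messages are hypothetical;
# 198.51.100.0/24 is a documentation address range.
COLLECTOR_LOG = [
    "2025-01-15T09:00:01Z sma-appliance auth: admin login succeeded user=admin src=198.51.100.23",
    "2025-01-15T09:00:05Z sma-appliance vpn: SSL-VPN session established user=admin src=198.51.100.23",
    "2025-01-15T09:00:40Z sma-appliance system: configuration read by user=admin",
    "2025-01-15T09:12:10Z sma-appliance system: reboot requested by user=admin",
    "2025-01-15T09:20:30Z sma-appliance system: appliance started",
]
# What survives on the appliance after the login, session and reboot entries were removed.
APPLIANCE_LOG = [
    "2025-01-15T09:00:40Z sma-appliance system: configuration read by user=admin",
    "2025-01-15T09:20:30Z sma-appliance system: appliance started",
]

if __name__ == "__main__":
    for e in missing_on_appliance(COLLECTOR_LOG, APPLIANCE_LOG):
        print(f"deleted on appliance: {e.ts} {e.msg}")
    for start, end, secs in time_gaps(APPLIANCE_LOG):
        print(f"on-box silence of {secs}s between {start} and {end}")
```

The first check is only possible if logs were already being forwarded off the appliance before the intrusion; the second is a weak fallback, since selective removal of individual lines inside a busy period leaves no gap to find. Neither replaces a disk image of the appliance when compromise is suspected.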

OVERSTEP may also be a precursor to ransomware or extortion: one organisation targeted by UNC6148 later appeared on the World Leaks extortion gang's data leak site.

GTIG also noted overlaps between UNC6148 activity and earlier targeting of SonicWall SMA appliances that was subsequently linked to the distribution of Abyss ransomware. The campaign has prompted SonicWall to bring forward the end-of-life date for SMA 100 devices from the originally scheduled October 2027 to the end of 2025.

Responsible Disclosure

In a statement sent to SC UK, SonicWall said it is aware of the recent report by GTIG identifying an active campaign targeting SMA 100 series appliances. "We’ve been working closely with GTIG throughout this process and appreciate their responsible disclosure and continued partnership in protecting customers and the broader security community.

"As reported by GTIG, the campaign relies upon multiple CVEs that spanned multiple years. If proper patching has been maintained, the exploits required to compromise the SMA 100 series appliance have been mitigated and there are no known zero-day or new vulnerabilities being leveraged to gain access to the appliance. This is a pattern of increased attacks against legacy VPN appliances across the industry and SonicWall highly suggests migrating to our ZTNA solution."

SonicWall said it has been actively guiding customers toward more modern, secure solutions such as its Cloud Secure Edge service and the SMA 1000 series, which it says are built on advanced technology stacks and offer stronger security, greater scalability and an improved user experience. "This mirrors broader industry trends, where leading vendors like Cisco and Palo Alto Networks have moved customers from legacy hardware to cloud-native architectures."

The company says it understands that not all customers have transitioned yet, and it remains committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. "These updates may become more frequent as we prioritise risk mitigation and the ongoing protection of our user base," it said. 

"Detailed migration guidance to SonicWall’s Zero Trust solutions will be shared with customers and partners in the coming weeks. Our priority remains clear: ensuring the security and success of our customers during this transition and beyond."


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
