Hackers exploit fully updated SonicWall VPNs to covertly install a backdoor and rootkit
In a recent cybersecurity incident, the UNC6148 threat actor group has been discovered targeting SonicWall Secure Mobile Access (SMA) appliances, specifically those that are fully patched but no longer supported. The group is deploying a previously unknown backdoor and rootkit named OVERSTEP, which is believed to be used for data theft, extortion, and potentially ransomware activities.

The exploitation process typically involves the following steps:

1. **Gaining Initial Access:** UNC6148 likely uses compromised admin credentials or an as-yet-unknown zero-day remote code execution (RCE) vulnerability in the SMA devices to gain initial access. How the group establishes a reverse shell has not been established, but the working theory is that an unpatched or undisclosed vulnerability is involved.

2. **Reconnaissance and Persistence:** Once inside, UNC6148 conducts reconnaissance, sets new network access control policy rules to permit their own IP addresses, and installs the OVERSTEP malware. To ensure persistence, they modify a legitimate run command file so that OVERSTEP is loaded each time the device reboots, maintaining persistent admin-level access.

3. **Credential Theft and Log Manipulation:** OVERSTEP is a user-mode rootkit capable of stealing passwords, security certificates, one-time password (OTP) seeds, and session tokens. The malware selectively deletes log entries (e.g., from `httpd.log`, `http_request.log`, and `inotify.log`) to conceal its activities and the attacker’s presence, making forensic detection difficult.

4. **Data Exfiltration and Ransomware Ties:** After exfiltrating data, UNC6148 has been observed leaking victim information on the World Leaks (formerly Hunters International) data extortion site, suggesting possible involvement in ransomware or extortion schemes. Some similarities have been noted with previous campaigns distributing Abyss ransomware, though direct monetization evidence remains limited.

The attacks hinge on two primary vectors: compromised admin credentials and an unknown zero-day RCE vulnerability. SonicWall has responded by accelerating the end-of-life date for SMA 100 devices and urging customers to migrate to supported platforms as soon as possible. Organizations still running these devices are advised to monitor for indicators of compromise, assume credential compromise, review logs for anomalies, and transition to supported hardware and software.
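One defender-side check for the selective log deletion described in step 3 and the "review logs for anomalies" advice above, added here as an example that is not code from the article or from Google's analysis: it assumes the appliance forwarded its logs to a central collector before the implant ran, so an untouched copy exists to diff against, and the log lines below are constructed samples, not real SonicWall or OVERSTEP artifacts.

```python
import re
from collections import Counter

# Constructed sample (not real SonicWall or OVERSTEP content): the copy the
# central log collector received, and what remains in the appliance's local
# httpd.log after entries were selectively removed.
COLLECTOR_COPY = [
    '10.0.0.5 - - [15/Jul/2025:08:01:10 +0000] "GET /portal HTTP/1.1" 200',
    '10.0.0.5 - - [15/Jul/2025:08:01:12 +0000] "POST /login HTTP/1.1" 302',
    '203.0.113.77 - - [15/Jul/2025:08:02:30 +0000] "POST /login HTTP/1.1" 302',
    '203.0.113.77 - - [15/Jul/2025:08:02:41 +0000] "GET /admin/settings HTTP/1.1" 200',
    '10.0.0.9 - - [15/Jul/2025:08:03:05 +0000] "GET /portal HTTP/1.1" 200',
]
LOCAL_COPY = [COLLECTOR_COPY[0], COLLECTOR_COPY[1], COLLECTOR_COPY[4]]

SRC_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def missing_from_local(remote_lines, local_lines):
    """Collector entries absent from the local copy, in collector order.
    Multiset difference, so if the collector saw an identical line three
    times and the device keeps one, two copies are reported as removed."""
    remaining = Counter(line.rstrip("\n") for line in local_lines)
    removed = []
    for line in remote_lines:
        line = line.rstrip("\n")
        if remaining[line] > 0:
            remaining[line] -= 1  # present locally: consume one copy
        else:
            removed.append(line)
    return removed

def sources_of(lines):
    """Count source IPs among the lines; the addresses that dominate the
    removed entries are what to cross-check against newly added access-policy
    rules and against admin logins."""
    counts = Counter()
    for line in lines:
        match = SRC_IP.match(line)
        counts[match.group(1) if match else "<unparsed>"] += 1
    return dict(counts)

def audit(remote_lines, local_lines):
    """Summarise what was removed locally and which sources those entries share."""
    removed = missing_from_local(remote_lines, local_lines)
    return {"removed": removed, "by_source": sources_of(removed)}

if __name__ == "__main__":
    report = audit(COLLECTOR_COPY, LOCAL_COPY)
    print(f"{len(report['removed'])} entries missing locally: {report['by_source']}")
```

The same comparison applies to `http_request.log` and `inotify.log`, and a device with no forwarded copy has nothing to diff against, which is itself the reason to ship appliance logs off-box.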

Google's technical analysis provides specific indicators of compromise and artifacts to help identify and remove OVERSTEP. As the UNC6148 campaign demonstrates advanced, targeted exploitation of VPN appliances, it underscores the risks of running end-of-life network infrastructure, even when fully patched.

  1. In light of the advanced cybersecurity incident targeting SonicWall Secure Mobile Access (SMA) appliances, it is crucial for organizations to implement cloud-based cybersecurity solutions that offer real-time threat detection and response capabilities to mitigate such risks.
  2. To prevent potential data theft and ransomware activities associated with the OVERSTEP malware, it is imperative for mobile users to enable two-factor authentication and regularly update their device's mobile operating system and security patches.
  3. The UNC6148 threat actor group's use of a previously unknown backdoor and rootkit highlights the need for vigilant security measures within the technology landscape, emphasizing the importance of continuous monitoring, timely patch management, and robust mobile device security practices.
