Google’s Threat Intelligence Group (GTIG) has identified a sophisticated and ongoing campaign, attributed to the financially motivated group UNC6148, targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Active since at least October 2024, UNC6148 is exploiting credentials stolen in earlier intrusions and, possibly, an as-yet-unknown zero-day remote code execution vulnerability. This lets the group keep persistent access to compromised appliances even after they have been fully patched. The campaign marks a worrying escalation in attacks on network edge infrastructure: the actors can still compromise appliances that have the latest security updates applied. GTIG assesses with high confidence that UNC6148 is reusing credentials and one-time password (OTP) seeds taken during prior intrusions, creating a threat that outlasts the normal patching cycle.
At the centre of the campaign is the deployment of a previously unseen rootkit that GTIG has named OVERSTEP.
The malware represents a significant evolution in attacks on network appliances: it functions as both a backdoor and a user-mode rootkit built specifically for SonicWall SMA devices. OVERSTEP persists by modifying the appliance’s boot process, injecting itself into the INITRD image and registering its shared library in /etc/ld.so.preload, so that the dynamic loader maps it into every dynamically linked process on the device. From that position it intercepts standard library calls (it sits in userland, in front of libc, rather than in the kernel) across all processes, giving it an invisible foothold from which it can steal credentials, open reverse shells and hide its own components from administrators.
Its primary function is hijacking standard C library functions, among them open, readdir and write: the open and readdir hooks let it hide its own files from directory listings, and the write hook lets it filter what other processes write, which is how it keeps its traces out of the appliance’s logs.
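A preloaded library can only filter calls that go through libc, so a live check that lists a directory twice, once via libc’s readdir() and once via the raw getdents64 system call, will surface any name the hook is suppressing. The program below is an added example written for this page, not GTIG’s or SonicWall’s code; it assumes a Linux host (SYS_openat and SYS_getdents64 are Linux-specific) and that the rootkit hooks open/readdir/write as described above but not the syscall() wrapper itself. A kernel-mode rootkit, or a hook on syscall(), would defeat it, which is why an offline disk image remains the authoritative source of truth.

```c
/* Added example (not from the GTIG report): detect a userland readdir() hook of
 * the kind an /etc/ld.so.preload rootkit installs by comparing libc's view of a
 * directory with the kernel's. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 65536
#define NAME_LEN 256

struct listing {
    size_t n;
    char (*names)[NAME_LEN];     /* heap array of MAX_ENTRIES fixed-size names */
};

static int listing_init(struct listing *l) {
    l->n = 0;
    l->names = calloc(MAX_ENTRIES, NAME_LEN);
    return l->names ? 0 : -1;
}
static void listing_free(struct listing *l) { free(l->names); l->names = NULL; l->n = 0; }
static void listing_add(struct listing *l, const char *name) {
    if (l->n < MAX_ENTRIES)
        snprintf(l->names[l->n++], NAME_LEN, "%s", name);
}
static int listing_has(const struct listing *l, const char *name) {
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* The hookable view: opendir()/readdir() resolved through libc (and any preload). */
static int list_via_libc(const char *path, struct listing *out) {
    DIR *d = opendir(path);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        listing_add(out, e->d_name);
    closedir(d);
    return 0;
}

/* The kernel's view: openat() and getdents64() issued as raw system calls, so a
 * hooked open() or readdir() in libc never sees the request. */
static int list_via_getdents64(const char *path, struct listing *out) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[32768];
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) { close(fd); return n < 0 ? -1 : 0; }
        /* struct linux_dirent64 layout: d_ino(8) d_off(8) d_reclen(2) d_type(1) d_name[] */
        for (long off = 0; off < n;) {
            uint16_t reclen;
            memcpy(&reclen, buf + off + 16, sizeof reclen);
            if (reclen == 0) { close(fd); return -1; }   /* malformed record, bail out */
            listing_add(out, buf + off + 19);
            off += reclen;
        }
    }
}

/* Scan PATH. Returns how many names the kernel reports that libc's readdir()
 * omits (each is printed), or -1 if either listing failed. */
int hidden_entries(const char *path) {
    struct listing libc_view = {0, NULL}, kernel_view = {0, NULL};
    int hidden = -1;
    if (listing_init(&libc_view) == 0 && listing_init(&kernel_view) == 0 &&
        list_via_libc(path, &libc_view) == 0 && list_via_getdents64(path, &kernel_view) == 0) {
        hidden = 0;
        for (size_t i = 0; i < kernel_view.n; i++)
            if (!listing_has(&libc_view, kernel_view.names[i])) {
                printf("hidden from readdir(): %s/%s\n", path, kernel_view.names[i]);
                hidden++;
            }
    }
    listing_free(&libc_view);
    listing_free(&kernel_view);
    return hidden;
}

/* Self-check on a scratch directory: with no hook installed the two views agree (0). */
int selftest(void) {
    char dir[] = "/tmp/preload-check-XXXXXX";      /* constructed scratch path */
    if (!mkdtemp(dir)) return -1;
    char probe[sizeof dir + 16];
    snprintf(probe, sizeof probe, "%s/probe.txt", dir);
    int fd = open(probe, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    int result = hidden_entries(dir);
    unlink(probe);
    rmdir(dir);
    return result;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/";
    int n = hidden_entries(path);
    printf("%s: %d name(s) hidden from libc readdir()\n", path, n);
    return n > 0 ? 2 : (n < 0 ? 1 : 0);   /* 2 = discrepancy found, 1 = scan error */
}
```

Run it against directories the rootkit is likely to touch on the appliance (the persistence locations and the log directory named in this article) as well as / and /etc; any non-zero result on a box that should be clean is a reason to pull the disk image rather than trust further live commands. A clean result proves nothing on its own, since the hook can also be layered below this program.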
Once active, OVERSTEP takes commands embedded in specific web requests to the appliance, triggering actions such as spawning a reverse shell or dumping credentials. It targets the appliance’s databases temp.db and persist.db, which hold user credentials, session tokens and OTP seed values; with those in hand the attackers can get back in even after passwords are reset, unless the OTP bindings are rotated as well. OVERSTEP also carries anti-forensic capabilities: it selectively removes its own traces from httpd.log, http_request.log and inotify.log, which seriously impedes incident response and makes detection much harder for defenders.
UNC6148’s operations carry several critical implications for organizations running SonicWall SMA appliances. Evidence points to exploitation of known vulnerabilities such as CVE-2024-38475, which allows unauthenticated exfiltration of the appliance’s databases via path traversal, but the suspected use of an unknown zero-day to deploy OVERSTEP suggests that vulnerability management alone is not enough against this actor. Organizations also face an immediate risk of re-compromise: credentials and OTP seeds stolen earlier grant access regardless of firmware updates or applied patches.
GTIG strongly advises every organization with SMA appliances to perform forensic analysis on disk images rather than on the running system, because OVERSTEP’s rootkit capabilities can conceal evidence of compromise from a live examination. Critical mitigation steps include immediately rotating all credentials for all users, passwords and OTP bindings alike. Certificates whose private keys are stored on the appliance should be revoked and reissued, and monitoring should be stepped up for suspicious VPN sessions originating from external IP addresses. The campaign’s long timeline, with some intrusions occurring months before ransomware was deployed, underscores the value of proactive threat hunting and of treating affected environments as possibly harbouring dormant compromises.