UNC6148 Deploys OVERSTEP Rootkit on Fully-Patched SonicWall SMA 100 Series Devices

A sophisticated cyber espionage campaign has been identified, targeting fully-patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. This operation, active since at least October 2024, involves the deployment of a backdoor known as OVERSTEP. The Google Threat Intelligence Group (GTIG) attributes this activity to a threat actor designated as UNC6148.

Exploitation of Stolen Credentials

UNC6148 has been leveraging credentials and one-time password (OTP) seeds exfiltrated during prior breaches. This strategy enables the group to regain access to devices even after organizations have applied security updates. Network traffic metadata indicates that these credentials may have been extracted from SMA appliances as early as January 2025.

Uncertain Initial Access Methods

The exact method UNC6148 used to gain initial access remains unclear, primarily due to the attackers’ efforts to erase log entries. However, it’s suspected that they exploited known vulnerabilities, including:

– CVE-2021-20035
– CVE-2021-20038
– CVE-2021-20039
– CVE-2024-38475
– CVE-2025-32819

Alternatively, the attackers might have obtained administrator credentials through information-stealing malware or purchased them from credential marketplaces. However, GTIG has not found concrete evidence to support this theory.

Establishing Persistent Access

Upon gaining access, UNC6148 established SSL-VPN sessions and initiated reverse shells. Notably, shell access is typically restricted on these appliances, suggesting the possible exploitation of a zero-day vulnerability. The reverse shell facilitated reconnaissance and file manipulation, including exporting and importing settings to the SMA appliance. This indicates that UNC6148 may have modified exported settings offline to introduce new rules, ensuring their activities remained undetected by access gateways.

Deployment of the OVERSTEP Backdoor

The culmination of these attacks is the deployment of OVERSTEP, a previously undocumented implant. OVERSTEP is designed to:

– Boot process modification: Ensuring persistent access by altering the appliance’s startup sequence.
– Credential theft: Extracting sensitive information from the device.
– Concealment: Employing a user-mode rootkit to hide its components and evade detection.

The rootkit achieves concealment by hijacking standard library functions such as `open` and `readdir`, effectively hiding artifacts associated with the attack. Additionally, it hooks the `write` API function so that it can pick up commands embedded in web requests sent by an attacker-controlled server. These commands include:

– `dobackshell`: Initiates a reverse shell to a specified IP address and port.
– `dopasswords`: Creates a TAR archive of specific files (`/tmp/temp.db`, `/etc/EasyAccess/var/conf/persist.db`, and `/etc/EasyAccess/var/cert`) and saves it in a location accessible via a web browser.

Achieving Persistence

To maintain persistence, UNC6148 modified the legitimate RC file `/etc/rc.d/rc.fwboot`. This alteration ensures that upon each reboot, the OVERSTEP binary is loaded into the running file system of the appliance. After deploying the backdoor, the attackers clear system logs and reboot the firewall to activate the backdoor, further attempting to erase traces of their command executions.

Implications and Recommendations

This campaign underscores the evolving tactics of threat actors who exploit both technical vulnerabilities and stolen credentials to infiltrate and persist within target networks. Organizations utilizing SonicWall SMA 100 series appliances, especially those that are end-of-life, should:

– Review Access Logs: Regularly monitor for unauthorized access attempts.
– Update Credentials: Change administrator passwords and OTP seeds, particularly if there’s suspicion of compromise.
– Apply Security Patches: Ensure all devices are updated with the latest security patches.
– Monitor Network Traffic: Implement continuous monitoring to detect anomalies indicative of unauthorized access or data exfiltration.

By adopting these measures, organizations can enhance their defenses against sophisticated threats like those posed by UNC6148 and the OVERSTEP backdoor.