Backdoor discovered on SonicWall Secure Mobile Access appliances
Google Threat Intelligence Group (GTIG) has published new research that uncovers a previously unknown backdoor that threat actors are deploying on fully patched SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG has identified UNC6148, a sophisticated threat actor that is opportunistically exploiting fully patched but end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
The actor is deploying a newly discovered, persistent backdoor and user-mode rootkit named ‘OVERSTEP.’ This backdoor covertly modifies the appliance’s boot process to maintain persistence and enables the theft of user credentials, session tokens, and one-time password (OTP) seeds.
While the initial access vector remains unknown, GTIG assesses with moderate confidence that UNC6148 is likely leveraging known and unknown vulnerabilities to steal credentials, establish persistent access, and achieve remote code execution to deploy OVERSTEP, underscoring the advanced nature of this threat.
The number of known victims at this time is limited, and GTIG has been proactively notifying impacted organisations. Organisations running these appliances are urged to analyse them for potential compromise and for evidence of lateral movement into the wider network.
Key findings:
- Data theft and extortion link: UNC6148's operations have been active since at least October 2024, and are suspected to enable data theft, extortion, and potentially ransomware deployment.
- Motivation not yet confirmed: GTIG notes that it does not yet have enough data to confidently assess whether UNC6148 is a financially motivated actor.
- Concealment of its own components: OVERSTEP is designed to hide itself and to selectively remove log entries, making detection and forensic investigation significantly harder.
- Settings tampering for persistent access: During an investigation, Mandiant observed UNC6148 exporting and re-importing SMA appliance settings, with the re-imported configuration including new network access control rules for the actor's own IP addresses. This suggests UNC6148 modified the exported settings offline before re-importing them, ensuring continued access to its infrastructure.
- Anti-forensics: UNC6148 also took steps to cover its tracks and eliminate forensic evidence on the compromised appliances.
- Recommendations: All organisations with SMA 100 series appliances should analyse them for signs of compromise by following the steps outlined in the "Hunting and Detection" section of GTIG's research.