A financially motivated threat actor has been exploiting SonicWall Secure Mobile Access 100 series appliances using a custom backdoor named OVERSTEP, according to Google’s Threat Intelligence Group. The campaign has been active since at least October 2024, targeting devices that are fully patched but end-of-life.
Once inside the system, the hacker can access admin login credentials, steal sensitive company data, or extort organizational leaders.
“Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances,” reads Google Cloud’s post, written by Josh Goddard, Zander Work, and Dimiter Andonov.
Understanding the exploit
The attack starts with the threat actor obtaining valid administrative credentials for the targeted SonicWall SMA 100 appliance. While the method of credential acquisition remains unknown, GTIG suspects that they were obtained before the latest firmware update (10.2.1.15.81sv).
GTIG believes the hacker exploited one or more known vulnerabilities in the appliance, such as memory corruption, unauthenticated path traversal, remote code execution, or authenticated file deletion. However, GTIG has not ruled out the possibility of an undisclosed vulnerability being used.
After obtaining access, the hacker connects to the targeted appliance with a Secure Sockets Layer virtual private network (SSL VPN) session, establishing a reverse shell — even though the device does not typically permit shell access.
This foothold allows the threat actor to run a series of commands to deploy the OVERSTEP backdoor, ensuring long-term persistence by configuring the system to reload OVERSTEP automatically upon reboot.
Detecting the backdoor and mitigating threats
GTIG shared a list of indicators of compromise (IOCs) to help administrators identify whether their SonicWall SMA 100 appliances have been infiltrated. These include signs found within the device’s file system, such as:
- Presence of unknown or unexpected binaries, especially within the ‘/cf’ or ‘/usr/lib’ directories.
- Presence of the file ‘/etc/ld.so.preload’, which is not found on standard SMA appliances.
- Unauthorized or malicious modifications to run control (RC) scripts, especially ‘/etc/rc.d/rc.fwboot’.
- Inaccurate or irregular timestamps, especially in the INITRD image.
Other IOCs can only be discovered by examining the appliance’s network logs. These include:
- Incoming web requests whose query string contains the commands ‘dobackshell’ or ‘dopasswords’.
- Outgoing HTTP traffic to unfamiliar, external IP addresses.
- VPN sessions from unfamiliar, external IP addresses.
- Settings being imported or exported outside of scheduled maintenance.
- Logs being cleared manually outside of scheduled maintenance.
- Suspicious activity, including other threats, located within ‘FLASH.DAT’ files or elsewhere within the appliance.
- Unexpected lateral movement between the appliance and other systems within the network.
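As an added illustration (not code from GTIG or this article), the Python sketch below applies the web-log and file-system indicators listed above to constructed sample data. It assumes Apache-style common-log-format lines and a baseline file listing taken from a known-clean appliance; the article specifies neither, and the sample paths are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the article: command terms seen in web request queries,
# and a loader-preload file that should not exist on a standard SMA appliance.
SUSPICIOUS_QUERY_TERMS = ("dobackshell", "dopasswords")
PRELOAD_FILE = "/etc/ld.so.preload"

# Assumed log layout (Apache common log format); real SMA logs may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def flag_web_requests(lines):
    """Return (source_ip, request_target, matched_term) for each request whose
    path, parameter names or parameter values contain a suspicious term."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        target = m.group("target")
        parts = urlsplit(target)
        qs = parse_qs(parts.query, keep_blank_values=True)
        haystack = [parts.path.lower()] + [k.lower() for k in qs]
        haystack += [v.lower() for values in qs.values() for v in values]
        for term in SUSPICIOUS_QUERY_TERMS:
            if any(term in h for h in haystack):
                hits.append((m.group("ip"), target, term))
                break
    return hits

def unexpected_paths(listing, baseline, roots=("/cf", "/usr/lib")):
    """Files under the watched directories that a clean baseline does not contain."""
    known = set(baseline)
    return sorted(p for p in listing if p.startswith(roots) and p not in known)

def preload_present(listing):
    """True if /etc/ld.so.preload appears in the appliance file listing."""
    return PRELOAD_FILE in set(listing)

# Constructed sample data (placeholder IPs, paths and file names).
LOG_LINES = [
    '203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "GET /cgi-bin/test?dobackshell=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jun/2025:10:02:15 +0000] "POST /cgi-bin/test?cmd=doPasswords HTTP/1.1" 200 88',
    '192.0.2.5 - - [12/Jun/2025:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
CLEAN_LISTING = ["/usr/lib/libc.so.6", "/cf/config.xml", "/etc/rc.d/rc.fwboot"]
OBSERVED_LISTING = CLEAN_LISTING + ["/usr/lib/libunknown-example.so", PRELOAD_FILE]

if __name__ == "__main__":
    print(flag_web_requests(LOG_LINES))
    print(unexpected_paths(OBSERVED_LISTING, CLEAN_LISTING), preload_present(OBSERVED_LISTING))
```

A baseline listing should come from a clean appliance or firmware image of the same version, since the SMA file system is not expected to change outside of firmware updates.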
If any of these indicators are detected, GTIG recommends resetting all user passwords and OTP bindings and revoking any certificates whose private keys are stored on the SMA device. Legitimate certificates can be reissued once the threat has been fully mitigated.
In more Google-related cybersecurity news, Chrome users are advised to update immediately to avoid sandbox escape attacks.