Title: UNC6148 Exploits Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

Date: July 16, 2025
Category: Vulnerability / Cyber Espionage

A threat actor group, identified as UNC6148, has been found targeting fully-patched SonicWall Secure Mobile Access (SMA) 100 series appliances, as part of an operation to deploy a backdoor known as OVERSTEP. This malicious activity has been traced back to at least October 2024. The Google Threat Intelligence Group (GTIG) reports that the number of known victims is currently “limited.” The tech giant has high confidence in its assessment that the group is utilizing credentials and one-time password (OTP) seeds stolen from previous breaches, enabling them to regain access even after organizations have implemented security updates. Metadata analysis indicates that UNC6148 may have first exfiltrated these credentials from the SMA appliance as early as January 2025. The precise method of initial access for delivering the malware remains unknown due to the evasive actions taken by the threat actor.

UNC6148 Targets Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

On July 16, 2025, cybersecurity analysts from the Google Threat Intelligence Group (GTIG) disclosed a troubling trend involving UNC6148, a hacking group targeting fully-patched SonicWall Secure Mobile Access (SMA) 100 Series appliances. The campaign, which began around October 2024, aims to implant a backdoor known as OVERSTEP into these end-of-life systems. This significant vulnerability raises red flags for organizations reliant on these devices for secure access.

The primary victims in this campaign are users of the SonicWall SMA 100 series—technologies that, despite being updated to the latest patches, have proven susceptible to exploitation. The extent of known victims currently appears limited, but the implications are severe, especially as the threat actors have proven adept at retaining access to systems, circumventing security measures put in place by organizations. The GTIG assessed with high confidence that UNC6148 is using stolen credentials and one-time password (OTP) seeds gleaned from prior intrusions to regain access, even after patches have been applied.

Data analysis suggests that UNC6148 may have first exfiltrated these credentials from the SMA appliances as early as January 2025. Notably, the precise method employed to execute this initial compromise remains unidentified, highlighting a significant gap in the understanding of the attack vector. The lack of clarity underscores an urgent need for vigilance among businesses utilizing these devices.

From a cybersecurity perspective, this incident illustrates the challenges posed by persistent threat actors who exploit vulnerabilities within seemingly secure systems. The MITRE ATT&CK framework reveals several tactics and techniques likely employed by UNC6148, including initial access, achieving persistence, and possibly privilege escalation. These tactics indicate a well-coordinated strategy to infiltrate, maintain, and expand their foothold on compromised networks.

Organizations that continue to utilize the SonicWall SMA 100 series should be particularly cautious. The risk extends beyond just the technical ramifications; it reflects broader issues of reliance on legacy systems in an evolving threat landscape. As threat actors enhance their capabilities to exploit even patched devices, the importance of continuous monitoring and proactive security measures cannot be overstated.

In conclusion, the ongoing activities of UNC6148 serve as a wake-up call for the cybersecurity community and businesses alike. As sophisticated methods emerge, remaining informed, adjusting strategies, and rigorously applying security updates will be paramount in defending against such targeted attacks. The implications of this breach will likely resonate for a considerable time, urging businesses to assess their vulnerabilities and reinforce their cybersecurity postures.

Source link

Related Posts

Hackers Exploit PDFs to Impersonate Microsoft, DocuSign, and Others in Callback Phishing Schemes

Cybersecurity experts have raised alarms about phishing campaigns that mimic well-known brands, deceiving victims into calling phone numbers managed by cybercriminals. According to Cisco Talos researcher Omid Mirzaei, “A notable percentage of email threats featuring PDF payloads persuade victims to dial adversary-controlled numbers, showcasing a prevalent social engineering tactic referred to as Telephone-Oriented Attack Delivery (TOAD) or callback phishing.” An analysis of phishing emails with PDF attachments from May 5 to June 5, 2025, found that Microsoft and DocuSign were the most frequently impersonated brands. Other notable targets in TOAD emails included NortonLifeLock, PayPal, and Geek Squad. This surge in activity forms part of broader phishing efforts that leverage the trust associated with popular brands to provoke harmful actions. Typically, these messages include PDF attachments…

Severe Cisco Vulnerability in Unified CM Allows Root Access via Hard-Coded Credentials

July 3, 2025
Vulnerability / Network Security

Cisco has issued patches to fix a critical security flaw in Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). This vulnerability could enable an attacker to access susceptible devices with root privileges, achieving a CVSS score of 10.0 under the identifier CVE-2025-20309. In an advisory released on Wednesday, Cisco noted that “this vulnerability arises from the use of static user credentials for the root account, which are meant for development use only.” An attacker could exploit this flaw to log into an affected system and execute arbitrary commands as a root user. Hard-coded credentials often stem from testing or temporary fixes during development, but they should never be present in live environments.

Chinese Hackers Exploit Ivanti CSA Zero-Days to Target French Government and Telecoms

On July 3, 2025, France’s cybersecurity agency disclosed that multiple sectors—including government, telecommunications, media, finance, and transport—were affected by a cyber campaign led by a Chinese hacking group. This group exploited several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, identified in early September 2024, has been linked to an intrusion set known as Houken, which reportedly shares characteristics with the threat cluster tracked by Google Mandiant as UNC5174 (also referred to as Uteus or Uetus). According to the French National Agency for the Security of Information Systems (ANSSI), “Houken’s operators use both zero-day vulnerabilities and sophisticated rootkits, alongside a variety of open-source tools primarily developed by Chinese-speaking programmers.” The attack infrastructure utilized by Houken features a mix of components, including commercial VPNs and other tools.

Severe Sudo Vulnerabilities Allow Local Users to Escalate to Root Access on Major Linux Distributions

July 4, 2025
By Cybersecurity Insights

Cybersecurity researchers have identified two critical vulnerabilities in the Sudo command-line utility for Linux and Unix-like systems, enabling local attackers to elevate their privileges to root on affected machines. Here’s a summary of the vulnerabilities:

  • CVE-2025-32462 (CVSS Score: 2.8): In versions prior to 1.9.17p1, Sudo, when configured with a sudoers file specifying a host that is neither the current host nor ALL, permits listed users to execute commands on unintended machines.

  • CVE-2025-32463 (CVSS Score: 9.3): In Sudo versions before 1.9.17p1, local users can gain root access as a result of the /etc/nsswitch.conf file being utilized from a user-controlled directory in conjunction with the –chroot option.

Sudo is a command-line tool designed to allow low-privileged users to execute commands as another user, typically the superuser, thereby implementing the principle of least privilege for administrative tasks.