Hacking Group UNC6148 Exploits OVERSTEP Rootkit to Steal Credentials, According to Google

Google Threat Intelligence Group has identified that the cybercrime group known as UNC6148 exploited a backdoor in a patched SonicWall Secure Mobile Access (SMA) 100 series appliance to steal credentials. This operation appears to be part of a larger campaign, which began in January 2025, that may involve selling the exfiltrated data to ransomware vultures.
The campaign centers on a previously undocumented rootkit dubbed OVERSTEP. Google assessed that UNC6148 exploited a known vulnerability to gather administrator credentials before the targeted appliance was updated to the latest firmware version. This exploitation likely commenced as far back as January 2025.
Investigations into the campaign suggest that the initial operations may have begun in late October of the previous year. Google identified several vulnerabilities in SonicWall systems that may have been exploited by UNC6148, including CVE-2021-20038, a stack-based buffer overflow that was patched in 2021, as well as others that allowed for unauthenticated access and privilege escalation.
Given the nature of these vulnerabilities, it is suspected that the hackers acquired initial access through credential marketplaces or infostealer logs. Once inside the system, UNC6148 establishes a Secure Sockets Layer (SSL) virtual private network session to the targeted appliance and deploys a reverse shell for further reconnaissance and file manipulation.
The group likely ensures its persistence by altering a configuration file via the OVERSTEP backdoor, establishing a new network pathway that remains intact even after reboots. This malicious modification requires tampering with the boot functions of the affected firmware, making detection more challenging. The method enables the hackers to execute their payload within the boot sequence while simultaneously erasing any traces of their modifications.
Furthermore, the malware is adept at hijacking critical API functions connected to credentials and tokens, which raises significant risks for compromised systems. Notably, Google’s Threat Intelligence Group highlighted that the customization of OVERSTEP for the SMA’s unique architecture is an unusual level of sophistication that is not typically seen among most adversary groups.
Although little is known about UNC6148 itself, the stolen credentials raise concerns about potential data extortion or ransomware deployment in the near future. There is speculation that this malware might have been affiliated with prior attacks conducted by the Abyss ransomware group, which previously targeted SonicWall devices.
SonicWall has been scrutinized for multiple security incidents recently, with notable breaches becoming commonplace. In June, the company revealed that hackers utilized a malicious version of its NetExtender software to propagate malware. Given this backdrop of increased vulnerability, Google has urged SonicWall customers to assess their systems for possible compromise, isolate any affected appliances, and reset credentials and certificates to mitigate ongoing risks.
The circumstances surrounding this incident are a stark reminder of the persistent challenges in cybersecurity and the critical need for vigilance in defending against emerging threats. By integrating insights from the MITRE ATT&CK framework, it becomes evident that adversaries are increasingly leveraging complex tactics to achieve their objectives, making it essential for businesses to stay informed and prepared against these evolving cyber threats.