A new custom backdoor malware aimed at SonicWall appliances
SonicWall SMA 100 series appliances are currently under active exploitation in a campaign that leverages both known vulnerabilities and a potential zero-day to gain persistent access to enterprise networks. The threat actors deploy a custom Linux-based rootkit for stealth and long-term persistence.
Background
This ongoing campaign was identified by the Google Threat Intelligence Group (GTIG) and has been attributed, with moderate confidence, to a suspected financially motivated threat actor tracked as UNC6148.
Attackers used a mix of known vulnerabilities and likely an unknown (zero-day) flaw to break into these devices. Once inside, they stole admin credentials and one-time password (OTP) data, allowing them to reconnect through VPNs and stay hidden in the network over time even after security updates are installed. This campaign focused on exploiting edge devices as an entry point into company systems.
A key component of the campaign was the deployment of OVERSTEP, a custom Linux-based rootkit designed for stealth and persistence. Installed on the targeted appliances, OVERSTEP allowed attackers to maintain control, exfiltrate sensitive credentials and certificates, manipulate logs to erase evidence, and initiate outbound communication for command-and-control.
Latest Development
Organizations using affected SMA100 appliances should check for potential compromise, rotate credentials, and conduct deep forensic analysis.
- May 07, 2025: SonicWall advisory published for CVE-2025-32819, an authenticated file deletion vulnerability in SMA100. https://psirt.global.sonicwall.com/vuln-detail/snwlid-2025-0011
- March 12, 2024: SonicWall advisory published for CVE-2024-38475, an unauthenticated path traversal vulnerability in Apache HTTP Server, which affected the SMA 100 series. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
- February 14, 2023: FortiGuard Threat Signal on ransomware activity related to DPRK actors exploiting CVE-2021-20038 (SonicWall SMA100 buffer overflow vulnerability). https://www.fortiguard.com/threat-signal-report/5017
- July 07, 2021: SonicWall advisory published for CVE-2021-20038, an unauthenticated remote code execution vulnerability. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- Lure
- Decoy VM
- Vulnerability
- IPS
- Web App Security
- IOC
- Outbreak Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Vulnerability Management
- Attack Surface Hardening