
Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A financially motivated threat actor, tracked as UNC6148, is targeting fully patched, end-of-life SonicWall SMA 100 series appliances. The actor reuses credentials and OTP seeds stolen during earlier intrusions to regain access to devices that have since been patched. On compromised appliances it deploys OVERSTEP, a new persistent backdoor and user-mode rootkit that modifies the appliance's boot process, steals credentials, and hides its own components. UNC6148 may also be using an as-yet-unknown zero-day vulnerability to deploy it. The campaign has been ongoing since October 2024 and is aimed at data theft and extortion, with ransomware deployment a possible follow-on. OVERSTEP's functionality includes establishing reverse shells, exfiltrating passwords, and user-mode rootkit capabilities for concealment. Organizations are advised to rotate all credentials associated with affected appliances and to follow the remaining recommendations in the full report to mitigate the threat.

OPENCTI LABELS:

backdoor, vpn, data exfiltration, credential theft, rootkit, sonicwall, overstep, cve-2021-20038, cve-2024-38475, cve-2021-20039, cve-2021-20035, cve-2025-32819, sma
