Backdoor deployed on SonicWall Secure Mobile Access appliances
Google Threat Intelligence Group (GTIG) has published research on a previously unknown backdoor, named OVERSTEP, deployed by a threat actor it tracks as UNC6148.
The campaign targets SonicWall Secure Mobile Access (SMA) 100 series appliances. What makes it notable is that the compromised appliances were fully patched but end-of-life, so applying every available update did not keep UNC6148 out. The group gained access, established persistence and achieved remote code execution on the appliances; GTIG has not determined whether initial entry relied on a known vulnerability, a still-unknown one, or no exploit at all.
OVERSTEP is a persistent backdoor and user-mode rootkit: it modifies the appliance's boot process so that it survives reboots, and it conceals its own files and components from tools run on the device. Once in place it steals user credentials, session tokens and one-time password (OTP) seeds, which let the attackers log in to the appliance, and through it to the network it protects, as legitimate users while sidestepping multi-factor authentication.
The initial access vector remains unknown. GTIG's published research does not attribute UNC6148 to any country, sponsor or operator.
GTIG assesses with moderate confidence that UNC6148 is reusing credentials and OTP seeds stolen during earlier intrusions, which would let it regain access to an appliance even after the weakness originally used has been patched. The practical lesson is that patching an end-of-life device, which will receive no further fixes, does not undo a compromise that has already happened: credentials and seeds taken from it remain valid until they are rotated.
Organisations running SMA 100 series appliances should monitor them for unusual activity, but also plan for the fact that a user-mode rootkit hides its own files from tools run on the device itself: forensic examination should work from an acquired disk image rather than from the live appliance. Any device suspected of compromise should have its credentials, certificates and OTP seeds rotated, and end-of-life appliances should be scheduled for replacement rather than relied on.
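The following is an added example, not code from GTIG, SonicWall or the article, showing the kind of offline check a practitioner would run on an acquired image. The classic persistence mechanism for a Linux user-mode rootkit is an entry in /etc/ld.so.preload, which makes the dynamic loader inject the rootkit's shared object into every process so its hooked libc calls can hide its files from anything run on the live device. The script assumes the appliance's disk image has been mounted read-only at a directory of your choosing and inspects the files directly without executing anything from the image. The sample tree built by build_sample_image(), its library names and their locations are constructed for this example and are not indicators of OVERSTEP; the article does not detail the backdoor's specific files.

```python
"""Offline triage of a mounted Linux appliance image for ld.so.preload persistence.

Added example, not code from GTIG, SonicWall or the article. Reads a disk image
mounted read-only at image_root (an assumption: SMA appliances offer no shell) and
reports every shared object that the dynamic loader would inject into each process.
The sample image is constructed here and carries no real indicators.
"""
import hashlib
import os
import tempfile

# Directories where a shared object listed in ld.so.preload would normally live.
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def sha256_file(path):
    """Hash a file in chunks so large libraries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def in_standard_lib_dir(library_path):
    """True if the library sits in, or under, one of the standard library directories."""
    directory = os.path.dirname(library_path)
    return any(directory == d or directory.startswith(d + "/") for d in STANDARD_LIB_DIRS)


def triage_preload(image_root):
    """Return one finding per entry in <image_root>/etc/ld.so.preload.

    A clean system normally has no ld.so.preload, or an empty one, so an empty
    result is the expected outcome. Each finding records the library path as
    written on the appliance, whether the file is present in the image, its
    SHA-256 for comparison against known-good firmware, and whether it lives
    outside the standard library directories.
    """
    preload_file = os.path.join(image_root, "etc", "ld.so.preload")
    if not os.path.isfile(preload_file):
        return []
    findings = []
    with open(preload_file, "r", encoding="utf-8", errors="replace") as fh:
        # glibc treats the file as a whitespace-separated list of objects.
        for entry in fh.read().split():
            # Entries are absolute paths on the appliance; map them into the image.
            candidate = os.path.join(image_root, entry.lstrip("/"))
            present = os.path.isfile(candidate)
            findings.append({
                "library": entry,
                "present": present,
                "sha256": sha256_file(candidate) if present else None,
                "outside_std_dirs": not in_standard_lib_dir(entry),
            })
    return findings


def suspicious(findings):
    """Entries worth a closer look: missing on disk (a stale or half-removed entry) or in an unusual location."""
    return [f for f in findings if not f["present"] or f["outside_std_dirs"]]


def build_sample_image():
    """Construct a throwaway directory tree standing in for a mounted image (sample data only)."""
    root = tempfile.mkdtemp(prefix="sma-image-")
    for rel, data in (
        ("usr/lib/libhook-sample.so.1", b"\x7fELF sample library, constructed for this example\n"),
        ("var/tmp/.libhide.so", b"\x7fELF sample library in an unusual location\n"),
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    # Third entry deliberately points at a file that does not exist in the image.
    with open(os.path.join(root, "etc", "ld.so.preload"), "w", encoding="utf-8") as fh:
        fh.write("/usr/lib/libhook-sample.so.1\n/var/tmp/.libhide.so\n/lib/libgone.so.0\n")
    return root


if __name__ == "__main__":
    image = build_sample_image()
    findings = triage_preload(image)
    flagged = suspicious(findings)
    for finding in findings:
        label = "SUSPICIOUS" if finding in flagged else "review"
        print(f"{label:10} {finding['library']} present={finding['present']} sha256={finding['sha256']}")
```

The hashes of entries that do sit in standard directories still need to be compared against a known-good firmware image of the same version: a preloaded library in /usr/lib is not benign just because of where it lives, and a rootkit that also alters the boot process may have regenerated the initial ramdisk, so that should be hashed against the vendor's copy as well.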
GTIG's publication gives defenders the first detailed account of OVERSTEP and of UNC6148's activity; organisations running these appliances should read it and act on its recommendations.