# Unidentified Hackers Leverage Zero-Day Flaw in SonicWall SMA Appliances to Spread OVERSTEP Ransomware

SonicWall SMA 100 devices are potentially vulnerable to a zero-day exploit by UNC6148, resulting in theft of administrative credentials, unauthorized access, and readiness for ransomware deployment through the OVERSTEP backdoor.

Unidentified cybercriminals have capitalized on an unpatched 0-day Remote Code Execution (RCE) vulnerability in SonicWall's Secure Mobile Access (SMA) devices to deploy the OVERSTEP ransomware.

In a recently discovered covert campaign, the hacking group UNC6148 has been persistently compromising SonicWall SMA 100 series appliances using a highly sophisticated backdoor malware known as OVERSTEP. This malware is specifically designed to target these appliances and maintain long-term privileged access by modifying the device's boot process and hiding its presence from detection tools.

### How UNC6148 Deploys OVERSTEP and Maintains Persistence

The operation begins with UNC6148 gaining initial access to the appliances, reportedly through the exploitation of known vulnerabilities or potentially unknown zero-day vulnerabilities. Once inside, the group performs device reconnaissance, manipulates files, and exports settings. They may modify device settings offline before reinstalling them to maintain uninterrupted persistence.

The malware, compiled as a 32-bit ELF shared object for Intel x86 and written in C, is stealthily deployed by decoding its rootkit components and placing them in key system directories. It achieves persistence primarily via the `/etc/ld.so.preload` file, which makes the dynamic loader load the malicious shared library into every dynamically linked process on the device and lets it hijack standard library functions such as `open()`.

UNC6148 modifies the system boot script (`rc.fwboot`) to inject the rootkit into the initial RAM disk (INITRD). This involves decompressing and mounting INITRD, injecting the rootkit, timestomping (altering timestamps to hide changes), and then soft rebooting with `kexec`. These changes ensure the malware loads early during the system startup, surviving reboots and evading detection.

Post-deployment, the attackers clear system logs to cover tracks, complicating forensic investigations. OVERSTEP also hides its components and activity, significantly hindering incident responders' ability to track the intrusion.
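The three persistence and anti-forensics steps above (an `ld.so.preload` entry, a boot script that unpacks, modifies and re-packs the INITRD before a `kexec` soft reboot, and timestomping) each leave a trace that can be checked on a disk image taken offline, which is also what the analysts' advice later on this page amounts to. The script below is an added example written for this article, not code from Google's report or from SonicWall, and it assumes a hypothetical mount point for the image, a constructed sample image built in `build_sample_image()`, a boot-script location of `etc/rc.fwboot` inside that image, and heuristic patterns that must be tuned against a known-good script. It is meant for an offline image precisely because a hooked `open()` on a live appliance could hide the files being read.

```python
#!/usr/bin/env python3
"""Offline triage of a mounted filesystem image for the persistence techniques
described above: ld.so.preload injection, boot-script tampering, timestomping.
Added example; hypothetical helper, not code from Google's report or SonicWall.
Point it at the mount point of a disk image taken offline, never at a live box:
on a live host the rootkit's hooked open() could hide the very files we read."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic strings that a stock boot script rarely needs but an INITRD
# re-packing routine does: decompress, mount, inject, timestomp, kexec.
# Constructed for this example; tune against a known-good script.
BOOT_TAMPER_PATTERNS = {
    "kexec": r"\bkexec\b",
    "cpio": r"\bcpio\b",
    "decompress": r"\b(gunzip|zcat|xz\s+-d|gzip\s+-d)\b",
    "loop-mount": r"\bmount\b.*\bloop\b",
    "timestomp": r"\btouch\s+-[rdt]\b",
}


def preload_entries(root: Path) -> list[str]:
    """Non-comment, non-empty lines of <root>/etc/ld.so.preload.
    A clean system normally has no such file, or an empty one."""
    p = root / "etc" / "ld.so.preload"
    if not p.is_file():
        return []
    return [ln.strip() for ln in p.read_text(errors="replace").splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so large libraries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_preload(root: Path) -> list[dict]:
    """Resolve every preload entry inside the image and hash it, so the value
    can be compared with vendor-published hashes or a known-good image."""
    out = []
    for entry in preload_entries(root):
        lib = root / entry.lstrip("/")
        out.append({"entry": entry, "exists": lib.is_file(),
                    "sha256": sha256_of(lib) if lib.is_file() else None})
    return out


def boot_script_indicators(script: Path) -> list[str]:
    """Names of BOOT_TAMPER_PATTERNS that match anywhere in the boot script."""
    if not script.is_file():
        return []
    text = script.read_text(errors="replace")
    return [name for name, pat in BOOT_TAMPER_PATTERNS.items()
            if re.search(pat, text)]


def timestomp_candidates(root: Path, min_gap_s: float = 86400.0) -> list[str]:
    """Files whose mtime is older than their ctime by more than min_gap_s.
    utime()/touch can rewrite mtime but not ctime, so a large gap means the
    modification time was set backwards after the inode last changed.
    Package installs leave the same signature, so triage, don't convict."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if st.st_ctime - st.st_mtime > min_gap_s:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_image() -> Path:
    """Constructed stand-in for an offline-mounted image: one preload entry
    pointing at a dummy library, a boot script with re-pack steps, and a file
    whose mtime was pushed back 30 days. Not real OVERSTEP artifacts."""
    root = Path(tempfile.mkdtemp(prefix="img-"))
    (root / "etc").mkdir()
    (root / "usr" / "lib").mkdir(parents=True)
    (root / "etc" / "ld.so.preload").write_text("/usr/lib/libsample.so\n")
    lib = root / "usr" / "lib" / "libsample.so"
    lib.write_bytes(b"\x7fELF-constructed-sample")
    (root / "etc" / "rc.fwboot").write_text(
        "#!/bin/sh\nzcat /boot/initrd.img | cpio -idm\n"
        "touch -r /boot/vmlinuz /boot/initrd.img\nkexec -e\n")
    old = time.time() - 30 * 86400
    os.utime(lib, (old, old))  # atime/mtime back-dated; ctime stays "now"
    return root


if __name__ == "__main__":
    img = build_sample_image()
    print("ld.so.preload:", audit_preload(img))
    print("boot script:", boot_script_indicators(img / "etc" / "rc.fwboot"))
    print("timestomp candidates:", timestomp_candidates(img))
```

Run it against the mount point of the imaged disk instead of the constructed sample; any non-empty `ld.so.preload` on an appliance deserves a hash comparison against a known-good image, and the boot-script and timestamp checks are heuristics that narrow the forensic search rather than prove compromise on their own.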

### Vulnerabilities Exploited

UNC6148 exploits a combination of publicly known vulnerabilities affecting SonicWall SMA 100 series appliances, including but not limited to CVE-2024-38475, CVE-2021-20038, and others, which are primarily related to remote code execution and privilege escalation. There is strong suspicion that UNC6148 used at least one zero-day vulnerability—a previously unknown remote code execution flaw—to deploy OVERSTEP on even fully patched appliances.

### Impact

By leveraging these vulnerabilities and deploying OVERSTEP, UNC6148 achieves persistent, privileged control over SonicWall SMA 100 appliances, enabling them to steal credentials, exfiltrate sensitive data, and potentially stage ransomware or further extortion operations. The backdoor’s stealth capabilities also enable the attackers to remain undetected for extended periods.

Google's analysts advise defenders to image disks offline, rotate every password and OTP seed, and verify the absence of the trojanized library. They also recommend boosting detection, reducing alert fatigue, and accelerating response with an interactive sandbox. The existence of the trojanized library on SMA hardware is considered "tantamount to compromise".

In summary, UNC6148’s persistent compromise of SonicWall SMA 100 series devices hinges on exploiting a mixture of known and zero-day vulnerabilities to steal credentials and surreptitiously install the OVERSTEP backdoor. This backdoor modifies the boot process and uses sophisticated stealth techniques to maintain long-term privileged access and conceal its presence.

  1. To mitigate the threat posed by UNC6148's OVERSTEP malware, cybersecurity professionals must stay vigilant and implement threat intelligence strategies that prioritize data-and-cloud-computing security, particularly for SonicWall SMA 100 series appliances.
  2. In light of the recent UNC6148 attack, it's crucial for data-and-cloud-computing industries to enhance their technology infrastructure, focusing on detection tools capable of uncovering sophisticated malware like OVERSTEP, and developing robust incident response strategies.
