UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit
Description

A threat activity cluster has been observed targeting fully-patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP. The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148.

The tech giant assessed with high confidence that the threat actor is "leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates." "Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025."

The exact initial access vector used to deliver the malware is currently not known, because the threat actors removed the relevant log entries. It is believed, however, that access may have been gained through the exploitation of known security flaws such as CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, or CVE-2025-32819. Alternatively, the tech giant's threat intelligence team theorized that the administrator credentials could have been obtained from information-stealer logs or purchased on credential marketplaces, although it said it found no evidence to support this hypothesis.

Upon gaining access, the threat actors have been found to establish an SSL-VPN session and spawn a…
