SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware

A novel malware named OVERSTEP has been used by a threat actor to modify SonicWall Secure Mobile Access appliances, enabling persistent backdoor access and credential theft. Researchers link the activity to the group UNC6148, which engages in data theft and extortion and may deploy Abyss ransomware. #OVERSTEP #UNC6148

Keypoints

  • The OVERSTEP intrusions exploit a zero-day vulnerability to breach SonicWall SMA 100 devices.
  • Threat actor UNC6148 has been active since October and steals administrator credentials to infiltrate systems.
  • OVERSTEP deploys a user-mode rootkit that lets the attacker hide and maintain long-term access.
  • The attack includes log clearing and remote code execution, with potential exploitation of multiple known vulnerabilities.
  • Organizations are advised to check for signs of compromise and to acquire disk images, so the rootkit cannot interfere with analysis.

Read More: https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/