A threat actor known as UNC6148 has been exploiting SonicWall SMA 100 appliances, deploying a new backdoor called Overstep to maintain persistent access. The campaign involves sophisticated techniques, possibly using zero-day vulnerabilities, to steal data and deploy ransomware. #UNC6148 #Overstep #SonicWall #ZeroDayVulnerability #SMA100
Key points
- The threat actor targets fully patched SonicWall SMA 100 appliances since October 2024.
- UNC6148 uses stolen credentials and one-time-password seeds to access devices.
- A new backdoor named Overstep manipulates the boot process for persistent access and data theft.
- Researchers suspect the attack involves a zero-day remote-code-execution vulnerability.
- SonicWall plans to accelerate end-of-support for SMA 100 appliances and will provide mitigation guidance.