Miscreants are exploiting patched SonicWall VPNs to deploy a backdoor dubbed OVERSTEP for data theft. The campaign, attributed to UNC6148, gives the attackers persistent access by modifying the appliance's boot process. They are abusing previously stolen credentials to maintain access, even after patches are applied. Investigations revealed that the attackers used local administrator credentials to establish SSL-VPN sessions. Because the malware removes log entries, visibility into the initial infection vector is limited. The attackers probably exploited known vulnerabilities and may have used a zero-day.
Unknown miscreants are exploiting fully patched, end-of-life SonicWall VPNs to deploy a previously unknown backdoor and rootkit, likely for data theft and extortion.
The researchers assess 'with high confidence' that the criminals are abusing previously stolen credentials and one-time password seeds, allowing them to maintain access to the compromised SonicWall Secure Mobile Access appliances.
Mandiant's first observations of UNC6148 showed that they already had local administrator credentials to the targeted SMA 100 series appliance, with no forensic evidence showing how those credentials were obtained.
The malware selectively removes log entries, which limits visibility into the attackers' initial infection vector; they likely exploited known vulnerabilities, or potentially a zero-day.
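Two defender-side checks follow from the report: look for holes in the appliance log where entries have been removed, and review SSL-VPN sessions opened with local administrator accounts. The script below is an added example and is not code from the article, SonicWall, or Mandiant. The log format (a sequence number, an ISO timestamp, an event name and key=value fields) and the sample lines are constructed for this example; real SMA 100 logs look different, and the `admin` account name is an assumption. A rootkit that deletes entries can also renumber them, so the gap check is only a heuristic; shipping logs to an off-box syslog collector is what actually preserves the evidence.

```python
"""Added example: spot deleted log entries and admin SSL-VPN sessions.

Assumed (constructed) log line shape:
    <seq> <ISO timestamp> <event> key=value key=value ...
Real SonicWall SMA logs differ; adapt LINE_RE to the format you ship off-box.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<ts>\S+) (?P<event>\S+)(?: (?P<rest>.*))?$")

# Assumed name of the appliance's local administrator account.
ADMIN_ACCOUNTS = {"admin"}


@dataclass
class Entry:
    seq: int
    ts: datetime
    event: str
    fields: dict = field(default_factory=dict)


def parse(lines):
    """Parse log lines into Entry objects; lines that do not match are skipped.

    A production tool should count unparsable lines, since truncated or
    partially overwritten entries are themselves a tampering signal.
    """
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest") or ""
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        entries.append(Entry(int(m.group("seq")),
                             datetime.fromisoformat(m.group("ts")),
                             m.group("event"), fields))
    return entries


def find_sequence_gaps(entries):
    """Return (first_missing, last_missing, ts_before, ts_after) for each jump in seq.

    Consecutive sequence numbers should differ by one; a larger jump means
    entries between the two surviving neighbours are gone.
    """
    gaps = []
    ordered = sorted(entries, key=lambda e: e.seq)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.seq - prev.seq > 1:
            gaps.append((prev.seq + 1, cur.seq - 1, prev.ts, cur.ts))
    return gaps


def admin_vpn_sessions(entries):
    """SSL-VPN session starts by a local administrator account, which the
    report says UNC6148 used; each one deserves a human review."""
    return [e for e in entries
            if e.event == "sslvpn_session_start"
            and e.fields.get("user") in ADMIN_ACCOUNTS]


def analyse(lines):
    entries = parse(lines)
    return {
        "gaps": find_sequence_gaps(entries),
        "admin_sessions": [(e.seq, e.fields.get("src"))
                           for e in admin_vpn_sessions(entries)],
    }


# Constructed sample: entries 1004-1008 are missing, and seq 1002 is an
# admin SSL-VPN login followed by a configuration export.
SAMPLE_LOG = """\
1001 2025-06-01T08:00:00 sslvpn_session_start user=alice src=198.51.100.10
1002 2025-06-01T08:00:05 sslvpn_session_start user=admin src=203.0.113.7
1003 2025-06-01T08:01:12 config_change user=admin item=backup_export
1009 2025-06-01T08:20:41 sslvpn_session_end user=alice src=198.51.100.10
1010 2025-06-01T08:21:00 sslvpn_session_start user=bob src=198.51.100.22
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for lo, hi, before, after in result["gaps"]:
        print(f"missing seq {lo}-{hi} between {before.isoformat()} and {after.isoformat()}")
    for seq, src in result["admin_sessions"]:
        print(f"admin SSL-VPN session at seq {seq} from {src}")
```

Run the gap check against the copy of the log held on the collector, not the copy on the appliance, and treat any reported window as a period in which the appliance's own record cannot be trusted.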