A threat activity cluster tracked as UNC6148 has been identified targeting SonicWall Secure Mobile Access (SMA) 100 series appliances and deploying a backdoor named OVERSTEP. The activity dates back to at least October 2024. The actor reuses administrator credentials and one-time-password (OTP) seeds stolen during earlier intrusions, so its access persists even after the appliances have been updated: a patch closes the vulnerability that was exploited, but it does not invalidate secrets that were already exfiltrated. The initial access vector has not been confirmed; it may involve exploitation of known vulnerabilities or simple use of the stolen administrator credentials. Once inside, the group establishes SSL-VPN sessions and spawns reverse shells to perform reconnaissance and manipulate files on the appliance.
UNC6148 has been observed establishing an SSL-VPN session and then spawning a reverse shell on the appliance. Shell access is not an intended capability of the SMA platform, so this points to exploitation of a vulnerability, possibly one that is not yet publicly known (a zero-day).
Because the actor holds valid credentials and OTP seeds rather than depending on a single exploit, applying security updates alone does not evict it. Remediation has to include resetting administrator and user passwords and re-enrolling OTP seeds, not just installing the fix.
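The point that a patch does not invalidate a stolen OTP seed is worth seeing concretely. The following is an added example, not code from the original report and not SonicWall's implementation: a plain RFC 6238 TOTP generator and verifier. An attacker holding a copy of the server-side seed produces exactly the codes the legitimate user's authenticator produces, whatever firmware the appliance runs; only rotating the seed (re-enrolling the user) breaks that. The seed used here is the RFC 4226/6238 test-vector secret, not a value from any real appliance, and the 30-second step, 6-digit codes and one-step verification window are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample: the RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# It stands in for the OTP seed that the server stores for one user.
SERVER_SEED = b"12345678901234567890"
STEP_SECONDS = 30          # assumption: standard TOTP time step
DIGITS = 6                 # assumption: 6-digit codes


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step)


def verify(server_seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, accepting one step of clock drift either way (assumed window)."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(server_seed, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def attacker_still_valid(server_seed: bytes, stolen_seed: bytes, unix_time: int) -> bool:
    """Does a code generated from the attacker's copy of the seed pass the server's check?"""
    return verify(server_seed, totp(stolen_seed, unix_time), unix_time)


def rotate_seed() -> bytes:
    """Re-enrolment: the server generates a fresh 160-bit seed and the user re-registers."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    now = int(time.time())
    stolen_copy = SERVER_SEED  # exfiltrated during an earlier intrusion

    # Patching the appliance changes nothing below: the seed is the same bytes on both sides.
    print("after patch, stolen seed still works:",
          attacker_still_valid(SERVER_SEED, stolen_copy, now))          # True

    # Only rotating the seed (re-enrolling OTP) invalidates the attacker's copy.
    rotated = rotate_seed()
    print("after seed rotation, stolen seed still works:",
          attacker_still_valid(rotated, stolen_copy, now))              # False
```

The same reasoning applies to passwords and any other long-lived secret recovered from the appliance: an incident on these devices is not closed by the firmware update but by the credential and OTP reset that follows it.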