Full Report
Google Threat Intelligence Group said a financially motivated threat group is abusing the outdated remote access VPN devices, underscoring a continued pattern of threats confronting SonicWall customers. The post SonicWall customers hit by fresh, ongoing attacks targeting fully patched SMA 100 devices appeared first on CyberScoop.
Analysis Summary
# Incident Report: UNC6148 Exploitation of End-of-Life SonicWall SMA 100 Appliances
## Executive Summary
A financially motivated threat group, identified as UNC6148, is actively exploiting unpatched or previously compromised SonicWall Secure Mobile Access (SMA) 100 series appliances, which are end-of-life products. The attackers are leveraging stolen administrator credentials and potentially known or unknown vulnerabilities to gain initial access, leading to post-compromise activities including the deployment of the OVERSTEP backdoor, with the ultimate goal of data extortion or ransomware deployment.
## Incident Details
- **Discovery Date:** Wednesday (date of the Google Threat Intelligence Group report)
- **Incident Date:** Ongoing, with activity overlapping late 2023 and early 2024.
- **Affected Organization:** Multiple organizations using SonicWall SMA 100 series appliances (specific numbers undisclosed).
- **Sector:** Not explicitly stated; likely any sector utilizing remote access VPNs.
- **Geography:** Not specified.
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding discovery; some compromises likely began in late 2023/early 2024.
- **Vector:** Stolen administrative credentials used to establish an SSL VPN session on the SMA 100 series appliance. Potential exploitation of vulnerabilities (e.g., CVE-2021-20038, CVE-2024-38475) for initial credential theft prior to patching.
- **Details:** Attackers leveraged pre-existing access methods or exploited vulnerabilities to steal admin credentials, enabling legitimate-looking VPN access. Logs related to the initial infection vector are often intentionally removed by the malware.
### Lateral Movement
- **Post-Compromise:** Once on the appliance, the group deployed a reverse shell via unknown means.
- **Activity:** Used the shell to perform reconnaissance, manipulate files, and export/import settings on the SMA 100 appliance.
### Data Exfiltration/Impact
- **Goal:** Data theft for extortion or possible ransomware deployment (e.g., Abyss-branded ransomware mentioned in relation to the group).
- **Confirmed Action:** Deployment of the **OVERSTEP** backdoor on the compromised SMA appliance to maintain persistence and facilitate further operations.
- **Confirmed Victim (indirect evidence):** One victim appeared on the World Leaks data leak site in June.
### Detection & Response
- **Detection:** Google Threat Intelligence Group analysis and Mandiant investigation into an attack in June.
- **Challenges:** Insufficient forensic data due to log manipulation made confirming the initial infection vector difficult.
- **Response Actions:** SonicWall is actively guiding customers to migrate to modern solutions (Cloud Secure Edge, SMA 1000 series) and providing firmware updates for remaining SMA 100 deployments to mitigate risk.
## Attack Methodology
- **Initial Access:** Stolen administrator credentials establishing a VPN session; potential prior exploitation of EOL vulnerabilities in the SMA 100 series.
- **Persistence:** Deployment of the **OVERSTEP** backdoor on the SMA appliance.
- **Privilege Escalation:** Not explicitly detailed, but initial access was gained using **administrator credentials**.
- **Defense Evasion:** Selective removal of log entries to hide initial access activities.
- **Credential Access:** Attackers likely obtained credentials via exploiting prior vulnerabilities or external means before utilizing them against the appliance.
- **Discovery:** Reconnaissance performed via a reverse shell post-initial access.
- **Lateral Movement:** Not detailed beyond initial access to the appliance; the focus is on persistence within the VPN gateway.
- **Collection:** Manipulation of local files and settings on the SMA appliance.
- **Exfiltration:** Intended goal is data theft for extortion.
- **Impact:** Deployment of backdoors, potential for ransomware execution.
## Impact Assessment
- **Financial:** Potential costs associated with data extortion/ransomware, incident response, and mandatory migration from EOL hardware.
- **Data Breach:** High potential for sensitive data exfiltration, but specifics are not detailed in the report.
- **Operational:** Business interruption possible if ransomware is deployed or if the VPN appliance services are compromised/disabled.
- **Reputational:** Ongoing negative association for SonicWall customers with vulnerable, unsupported hardware.
## Indicators of Compromise
*Note: The source publishes no atomic IOCs (hashes, IPs, domains); the indicators below are behavioral.*
- **Network indicators:** SSL VPN sessions established using pre-existing admin credentials on SonicWall SMA 100 appliances.
- **File indicators:** Deployment of the **OVERSTEP** backdoor.
- **Behavioral indicators:** Evidence of UNC6148 activity including unauthorized configuration imports/exports on SMA devices; potential use of Abyss-branded ransomware.
## Response Actions
- **Containment:** SonicWall is emphasizing expedited migration paths for customers away from the SMA 100 series. Organizations must assume compromise if running unpatched EOL firmware.
- **Eradication:** Requires forensic investigation to ensure the OVERSTEP backdoor and any associated malware/shells are completely removed. Full environment rebuild might be required if lateral movement occurred.
- **Recovery:** Transitioning to modern, supported remote access solutions (e.g., SonicWall Cloud Secure Edge, SMA 1000 series).
## Lessons Learned
- Relying on end-of-life network hardware, even when it runs the latest available firmware, poses significant, persistent security risk, as threat actors specifically target known weak points.
- When initial entry is gained with stolen credentials, threat actors can compromise a device and maintain persistence (via backdoors such as OVERSTEP) even if the device later receives security updates.
- Log integrity management is critical, as adversaries actively erase evidence of the initial intrusion vector.
## Recommendations
- Immediately decommission or apply mandatory security patches (if available) to all SonicWall SMA 100 series appliances.
- Prioritize migration to modern, actively supported remote access solutions.
- Implement robust credential hygiene and Multi-Factor Authentication (MFA) on all administrative access points, including VPN gateways, to mitigate credential stuffing/theft risks.
- Enhance network monitoring focused on post-VPN-session behavior for unusual commands or file manipulation on gateway appliances.
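The behavioral indicators above (an administrative SSL VPN session followed shortly by configuration export/import on the appliance) can be turned into a simple correlation rule. The following is an added example, not code from the report or from SonicWall; the audit-log line format, field names and sample events are constructed for illustration and do not reflect the real SMA 100 log format.

```python
"""Flag configuration export/import performed shortly after an admin SSL VPN
session starts from the same user/source, as described in the report."""
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical format:
#   timestamp|user|source_ip|event
SAMPLE_LOG = """\
2024-06-03T01:12:05|admin|203.0.113.7|SSLVPN_SESSION_START
2024-06-03T01:14:40|admin|203.0.113.7|SETTINGS_EXPORT
2024-06-03T01:21:02|admin|203.0.113.7|SETTINGS_IMPORT
2024-06-03T09:30:11|admin|198.51.100.5|SSLVPN_SESSION_START
2024-06-03T09:31:00|jdoe|198.51.100.9|SSLVPN_SESSION_START
2024-06-03T09:40:00|jdoe|198.51.100.9|SETTINGS_EXPORT
"""

# Events the report associates with post-compromise activity on the appliance
SENSITIVE_EVENTS = {"SETTINGS_EXPORT", "SETTINGS_IMPORT"}


def parse_events(text):
    """Parse the constructed log into (timestamp, user, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, event = line.strip().split("|")
        events.append((datetime.fromisoformat(ts), user, ip, event))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious(text, admin_users=("admin",), window_minutes=30):
    """Return (user, ip, event, iso_timestamp) for each sensitive config action
    taken by an admin account within `window_minutes` of that account opening
    an SSL VPN session from the same source IP."""
    window = timedelta(minutes=window_minutes)
    last_session_start = {}  # (user, ip) -> timestamp of most recent session start
    hits = []
    for ts, user, ip, event in parse_events(text):
        if event == "SSLVPN_SESSION_START":
            last_session_start[(user, ip)] = ts
            continue
        if event in SENSITIVE_EVENTS and user in admin_users:
            start = last_session_start.get((user, ip))
            if start is not None and ts - start <= window:
                hits.append((user, ip, event, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

In practice the rule would be fed from the appliance's exported audit logs or a SIEM, and the event names adjusted to the real log schema.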