Hackers are compromising SonicWall Secure Mobile Access appliances, which manage access by mobile devices at enterprise network edges. The targeted devices are end of life, lacking updates, making them prime targets for UNC6148. Organizations are advised to analyze their appliances for compromise and may require forensic analysis through SonicWall. Attackers exploit leaked local administrator credentials, and the precise nature of their actions post-compromise remains unclear. A custom backdoor malware, Overstep, complicates investigations, and UNC6148 might be using zero-day exploits targeting vulnerable software.
The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite this status, many organizations continue to rely on them.
GTIG recommends that all organizations with SMA appliances perform analysis to determine if they have been compromised, acquiring disk images for forensic analysis.
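The recommendation above stops at "acquire disk images"; the step a responder actually has to get right is producing an image whose integrity can be proven later. The following is an added example, not code from the original report, GTIG or SonicWall: a POSIX shell routine that takes a raw bit-for-bit copy of a source device or exported virtual-disk file and records SHA-256 hashes of source and image so the copy can be verified before it is handed on for analysis. The function names, the paths and the sample input are assumptions constructed for the example; on a real appliance the source would be the exported virtual disk or the physical drive, read only and never a mounted filesystem.

```shell
#!/bin/sh
# Added example (not from the original report): forensic acquisition of a
# disk with integrity verification. Names and paths are assumptions.

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Raw copy of $1 (device or disk file) to $2.
# bs=512 matches the sector size: conv=sync pads any short final read up to
# one block, so a larger bs (e.g. 1M) would append padding that makes the
# image hash differ from the source even when nothing was wrong. conv=noerror
# keeps going past unreadable sectors so offsets in the image stay aligned.
acquire_image() {
    src="$1"
    out="$2"
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, record both beside the image for chain of custody,
# and return success only if they match.
verify_image() {
    src="$1"
    out="$2"
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$out")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$out.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Stand-alone usage: ./acquire.sh /dev/sdX /evidence/sma.img
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2" && verify_image "$1" "$2" \
        && echo "image verified: $2" || echo "hash mismatch, do not use $2" >&2
fi
```

Verification is deliberately done by re-reading the source rather than hashing the dd stream, so the recorded hash reflects what is on the device at acquisition time; if the source is a failing drive and the two hashes differ, the image still captures what could be read, but the mismatch must be noted in the custody record rather than silently accepted.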
The lack of details is largely a result of how Overstep works; Overstep is the name of the custom backdoor malware UNC6148 installs after the initial compromise of the devices.
UNC6148 may be exploiting vulnerabilities including CVE-2021-20038, which allows unauthenticated remote code execution through a memory corruption vulnerability.