A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully patched but no longer supported SonicWall Secure Mobile Access appliances.
The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.
The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.
Because files stolen from the victim were later published on the World Leaks (Hunters International rebrand) data-leak site, GTIG researchers believe that UNC6148 engages in data theft and extortion attacks, and may also deploy Abyss ransomware (tracked as VSOCIETY by GTIG).
Hackers come prepared
The hackers are targeting end-of-life (EoL) SonicWall SMA 100 Series devices, which provide secure remote access to enterprise resources on the local network, in the cloud, or in hybrid datacenters.
It is unclear how the hackers obtained initial access, but researchers investigating UNC6148 attacks noticed that the threat actor already had local administrator credentials on the targeted appliance.
“GTIG assesses with high confidence that UNC6148 exploited a known vulnerability to steal administrator credentials prior to the targeted SMA appliance being updated to the latest firmware version (10.2.1.15-81sv)” - Google Threat Intelligence Group
Looking at the network traffic metadata, the investigators found evidence suggesting that UNC6148 had stolen the credentials for the targeted appliance in January.