Fully patched SonicWall SMA 100 devices targeted in ongoing rootkit attack
Take action: If you have SonicWall SMA 100 series appliances, immediately rotate all user passwords, OTP tokens, and certificates. Isolate them from the rest of your network and review them for signs of compromise, such as unexpected files in the /cf directory or suspicious network traffic. Even if they haven't been hacked yet, it's very likely they will be. Plan to replace them soon.
Google Threat Intelligence Group (GTIG) is reporting a campaign by the crime gang UNC6148 targeting fully patched but end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
The campaign, which started at least as early as October 2024, uses previously stolen administrator credentials and one-time password (OTP) seeds to maintain access after organizations have applied security updates to their SMA 100 appliances. GTIG assesses that UNC6148 may have exploited an unknown zero-day remote code execution vulnerability to deploy a sophisticated rootkit called OVERSTEP on targeted appliances.
The initial compromise vector remains unclear because OVERSTEP's anti-forensic capabilities selectively remove log entries. GTIG identified several known vulnerabilities that UNC6148 could have exploited to steal administrator credentials before the appliances were updated:
- CVE-2021-20038 (CVSS score 9.8) - Unauthenticated remote code execution vulnerability involving memory corruption that can lead to code execution
- CVE-2024-38475 (CVSS score 9.1) - Unauthenticated path traversal vulnerability in Apache HTTP Server affecting SMA 100 series, allowing exfiltration of SQLite databases containing credentials, session tokens, and OTP seed values
- CVE-2021-20039 (CVSS score 8.8) - Authenticated remote code execution vulnerability through command injection in the /cgi-bin/viewcert request handler
- CVE-2025-32819 (CVSS score 8.8) - Authenticated file deletion vulnerability that can reset administrator credentials to default passwords
- CVE-2021-20035 (CVSS score 6.5) - Authenticated remote code execution vulnerability involving command injection in the /cgi-bin/sitecustomization handler
UNC6148 establishes SSL VPN sessions on targeted SMA 100 series appliances using stolen local administrator credentials, then deploys a reverse shell through unknown means. Shell access should not be possible by design on these appliances, and even SonicWall's Product Security Incident Response Team could not determine how this was achieved, suggesting exploitation of an unknown vulnerability.
Once inside the system, the attackers deploy OVERSTEP, a backdoor written in C, designed for SonicWall SMA 100 series appliances.
OVERSTEP is designed to steal highly sensitive information from compromised SMA appliances:
- User account credentials and passwords
- Session tokens for ongoing authentication bypass
- One-time password (OTP) seed values for multi-factor authentication
- SSL certificates and private keys stored on the appliance
- SQLite databases (temp.db and persist.db) containing authentication data
- Network configuration and access control policies
SonicWall has accelerated the end-of-support date for the SMA 100 series from October 1, 2027, to December 31, 2025. The company is actively guiding customers toward more modern solutions such as the Cloud Secure Edge service and SMA 1000 series appliances.
All organizations with SMA appliances should immediately rotate all credentials, including passwords and OTP bindings for all users, revoke and reissue any certificates whose private keys are stored on the appliances, and move the devices to low-trust network zones so they are isolated from the rest of the network.
GTIG strongly recommends that all organizations with SMA appliances start immediate analysis of potential compromise. Indicators of compromise to look for are unexpected binaries in the /cf directory, presence of /etc/ld.so.preload files, and suspicious network traffic patterns.
Organizations should create disk images for forensic analysis to avoid interference from OVERSTEP's anti-forensic capabilities and may need to engage with SonicWall to capture images from physical appliances.
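The two file-system indicators above (unexpected binaries in /cf and the presence of /etc/ld.so.preload) can be checked on a disk image without running anything on the appliance itself. The script below is an added example for this article, not tooling from GTIG or SonicWall: it walks a mounted, read-only copy of the image, flags every file under /cf that carries the ELF magic bytes, and returns the contents of etc/ld.so.preload if that file exists. The `build_sample_image()` helper constructs a throwaway directory tree with a placeholder library name so the scan can be exercised offline; the real file names UNC6148 uses are not given on this page.

```python
"""Scan a mounted SMA 100 disk image for the OVERSTEP file-system indicators named by GTIG.

Added example, not part of the original article. Assumes the forensic image is mounted
read-only at some path (image_root) so nothing here touches a live appliance.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF binary or shared object


def find_elf_files(directory):
    """Return paths (relative to `directory`) whose first four bytes are the ELF magic.

    On an appliance, /cf normally holds configuration, not executables, so any ELF
    file found here is worth a closer look.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):  # does not follow directory symlinks
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(os.path.relpath(path, directory))
            except OSError:
                continue  # unreadable or dangling entry; skip rather than abort the scan
    return sorted(hits)


def read_ld_preload(image_root):
    """Return the non-empty lines of etc/ld.so.preload, or None if the file is absent.

    The mere presence of this file is the indicator GTIG lists; its lines name the
    libraries the dynamic loader injects into every process.
    """
    path = os.path.join(image_root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def scan_image(image_root):
    """Collect both indicators from a mounted image and return them as a dict."""
    cf_dir = os.path.join(image_root, "cf")
    return {
        "ld_so_preload": read_ld_preload(image_root),
        "cf_elf_files": find_elf_files(cf_dir) if os.path.isdir(cf_dir) else [],
    }


def build_sample_image():
    """Construct a throwaway tree that mimics a compromised image (constructed sample data).

    The library name is a placeholder chosen for this example, not a real OVERSTEP artifact.
    """
    root = tempfile.mkdtemp(prefix="sma_image_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "cf", "conf"))
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as fh:
        fh.write("/cf/conf/PLACEHOLDER_library.so\n")
    with open(os.path.join(root, "cf", "conf", "PLACEHOLDER_library.so"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)  # minimal ELF-looking header
    with open(os.path.join(root, "cf", "settings.cfg"), "w") as fh:
        fh.write("hostname=sma-appliance\n")  # ordinary config file, must not be flagged
    return root


if __name__ == "__main__":
    sample_root = build_sample_image()
    result = scan_image(sample_root)
    print("ld.so.preload entries:", result["ld_so_preload"])
    print("ELF files under /cf:", result["cf_elf_files"])
```

Run it against a real image with `scan_image("/mnt/sma_image")` after mounting the image read-only. A non-empty `cf_elf_files` list or a non-None `ld_so_preload` value does not by itself prove compromise, but either warrants the full forensic review the article recommends, and the image should be preserved before any further handling since OVERSTEP removes log entries on a live device.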