Google finds custom backdoor being installed on SonicWall network devices

The Google Threat Intelligence Group (GTIG) has revealed alarming findings regarding SonicWall Secure Mobile Access (SMA) appliances, which are crucial for managing and securing mobile device access at the perimeter of enterprise networks. These devices, now considered end-of-life, no longer receive updates aimed at enhancing stability and security, leaving them vulnerable to cyber attacks. Despite this, many organizations still rely on these systems, making them attractive targets for a hacking group identified as UNC6148.

In a report released on Wednesday, GTIG explicitly advises organizations using SMA appliances to conduct thorough analyses to assess whether their systems have been compromised. It recommends obtaining disk images for forensic purposes, cautioning that the rootkit's anti-forensic capabilities may interfere with the investigation process. To capture these disk images effectively, organizations might need to collaborate directly with SonicWall.

Details surrounding the attacks remain sparse. It has been established that the hackers are leveraging leaked local administrator credentials to carry out their operations; however, the source of these credentials is still a mystery. Furthermore, the specific vulnerabilities being exploited by UNC6148 have yet to be identified.

The report indicates that attackers install custom backdoor malware called Overstep, which enables them to selectively erase log entries, complicating forensic efforts. Additionally, there is speculation that the group may possess a zero-day exploit, targeting vulnerabilities that are not yet publicly known. The cybersecurity community is on high alert as investigations continue into the methods and impacts of these breaches.

Sources: Ars Technica

Published On: Jul 16, 2025, 20:30
