
SonicWall SMA Devices Still Infected with Stealthy OVERSTEP Malware

Summary

– Google’s Threat Intelligence Group warns of unknown intruders targeting end-of-life SonicWall SMA 100 series appliances with a novel backdoor called OVERSTEP.
– The threat group UNC6148, likely financially motivated, used compromised admin credentials and possibly a zero-day vulnerability to deploy the malware.
– OVERSTEP hijacks API functions, establishes reverse shells, exfiltrates passwords, and hides its presence using rootkit capabilities.
– SonicWall is accelerating the end-of-support date for SMA 100 series to December 2025 and urging customers to migrate to newer solutions.
– Organizations are advised to isolate compromised appliances, reset credentials, and preserve forensic evidence if signs of intrusion are detected.

Cybersecurity experts have uncovered a sophisticated malware campaign targeting outdated SonicWall Secure Mobile Access (SMA) 100 series devices, deploying a stealthy backdoor known as OVERSTEP. The attack, attributed to a financially motivated threat group called UNC6148, exploits compromised admin credentials and potentially undisclosed vulnerabilities to maintain persistent access.

Google’s Threat Intelligence Group (GTIG) revealed that attackers first stole credentials in January 2025 before using them months later to establish unauthorized VPN sessions. What makes this breach particularly alarming is the deployment of OVERSTEP, a rootkit-style backdoor capable of hijacking system functions, stealing sensitive data, and evading detection by manipulating logs.

The malware operates by intercepting API calls, creating reverse shells, and exfiltrating critical files, including passwords, OTP seeds, and certificates. Although no lateral movement has been observed yet, the stolen credentials could allow attackers to expand their reach within compromised networks. Investigators remain uncertain how the threat actors bypassed security measures to establish reverse shells, which suggests the possible exploitation of an unpatched zero-day flaw.

SonicWall has acknowledged the threat, accelerating the end-of-support date for SMA 100 series devices from 2027 to December 2025. The company urges customers to migrate to newer solutions like the SMA 1000 series or Cloud Secure Edge, while continuing to provide firmware updates for existing deployments.

Security teams are advised to scrutinize disk images and logs for signs of compromise, including unusual file modifications or unexpected network traffic. If an infection is confirmed, immediate isolation, forensic preservation, and credential revocation are critical steps to mitigate damage.

Google’s researchers emphasize the importance of proactive defense, recommending organizations replace aging SMA 100 appliances with modern, supported alternatives. The incident underscores the risks of maintaining end-of-life hardware in high-security environments, where outdated systems become prime targets for advanced threats.


(Source: HelpNet Security)
